I’m attempting to log in via the exp command-line tool, and it gives me this error:
$ exp login --github
[exp] self signed certificate in certificate chain
[exp] Error: self signed certificate in certificate chain
at TLSSocket. (_tls_wrap.js:1084:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:188:7)
at TLSSocket._finishInit (_tls_wrap.js:606:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:436:38)
This is at my work and we have a corporate proxy in place that does have a self-certified SSL cert in its chain.
Other tools give you a way of getting around this error, although at the expense of loosening up your security settings. E.g. with Git, I can add the sslVerify = false option to the .gitconfig file. Is there any similar option for the exp tool?
As far as I know this type of proxy basically works as a MITM pretending to be the remote server. This is so it can decrypt the traffic to all remote servers from the users’ browsers etc. for monitoring purposes.
As far as I know they have their own CA cert (which is necessarily self-signed) in order to generate new certs on the fly for all the servers the users are connecting to.
In order for browsers etc. not to complain, two things are needed.
1. The proxy needs to generate a cert for each remote server being connected to on the fly (but likely cached for later connections).
2. The browser/OS needs to install the proxy’s CA cert into its trusted root certificate store.
For browsers that implement certificate pinning, I suppose you might also have to disable that, but the main two requirements would be the ones above.
Given the error message you’re getting, it seems that either the proxy server is sending its CA cert as part of the cert chain or else Node knows about it, but it is not trusted.
So I believe the solution to your problem (if you can’t work somewhere that doesn’t monitor all of your encrypted network traffic) is to get the CA cert and make sure Node treats it as a trusted root cert.
A quick search on how to do the latter turns up this:
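Added example, not part of the original posts: one way to vet a proxy's CA certificate before making Node trust it, instead of switching verification off. The function names and the pinned-fingerprint check are assumptions of this example; the fingerprint would be the one the proxy's operators publish out of band.

```javascript
// Added example: vet a proxy CA certificate before Node is told to trust it.
const tls = require('node:tls');
const crypto = require('node:crypto');

// Split a PEM bundle (one or more certificates) into individual blocks.
function splitPem(bundle) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;
  return bundle.match(re) || [];
}

// Summarise the properties worth checking on a would-be trust anchor.
function inspectCa(pem, now = new Date()) {
  const cert = new crypto.X509Certificate(pem);
  return {
    subject: cert.subject,
    // Issuer matches subject and the signature verifies with its own key.
    selfSigned: cert.checkIssued(cert) && cert.verify(cert.publicKey),
    isCa: cert.ca, // basicConstraints CA flag (Node 18+)
    expired: new Date(cert.validTo) < now,
    sha256: cert.fingerprint256, // "AB:CD:..." form
  };
}

// Accept only CA certificates whose fingerprint was confirmed out of band
// (pinnedSha256 is an assumption: values obtained from the proxy's operators).
// Passing `ca` to tls/https REPLACES the default roots, so they are kept here.
function buildTrustList(bundle, pinnedSha256) {
  const accepted = splitPem(bundle).filter((pem) => {
    const info = inspectCa(pem);
    return info.isCa && !info.expired && pinnedSha256.includes(info.sha256);
  });
  return { ca: [...tls.rootCertificates, ...accepted], accepted: accepted.length };
}

// Constructed input: one of Node's bundled roots stands in for the proxy CA.
function demo() {
  const standIn = tls.rootCertificates.find((p) => {
    const i = inspectCa(p);
    return i.isCa && !i.expired;
  });
  const info = inspectCa(standIn);
  const trust = buildTrustList(standIn, [info.sha256]);
  // trust.ca can be passed as the `ca` option of https.request or tls.connect.
  return { info, accepted: trust.accepted, total: trust.ca.length };
}

console.log(demo());
```

For a CLI whose code you do not edit, Node 7.3.0 and later read a PEM file named in the NODE_EXTRA_CA_CERTS environment variable, which adds to the default roots instead of replacing them.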