Install of Appium 1.5.2 using npm fails with "RequestError: Error: self signed certificate in certificate chain" installing behind a proxy

[frobibar]

Installing Appium via npm with the npm config and environment variables set as per below results in (log attached appium-npm-command.txt)

npm install -g [email protected]

node install-npm.js", "", "", "> [email protected] install /usr/local/lib/node_modules/appium/node_modules/appium-selendroid-driver", "> node ./bin/install.js", "", "", "/usr/local/lib/node_modules/appium/node_modules/appium-selendroid-driver/node_modules/appium-selendroid-installer/node_modules/request-promise/lib/errors.js:11", "        Error.captureStackTrace(this);", "              ^", "RequestError: Error: self signed certificate in certificate chain", "    at new RequestError (/usr/local/lib/node_modules/appium/node_modules/appium-selendroid-driver/node_modules/appium-selendroid-installer/node_modules/request-promise/lib/errors.js:11:15)", "    at Request.RP$callback [as _callback]

I then tried installing appium-selendroid-driver on its own 'npm install appium-selendroid-driver'. This results in (logs attached appium-selendroid-driver-npm-command.txt and appium-selendroid-driver-npm-debug.txt):

> Users/*****/node_modules/appium-selendroid-installer/node_modules/request-promise/lib/errors.js:11
>         Error.captureStackTrace(this);
>               ^
> RequestError: Error: self signed certificate in certificate chain
>     at new RequestError (/Users/*****/node_modules/appium-selendroid-installer/node_modules/request-promise/lib/errors.js:11:15)
>     at Request.RP$callback [as _callback] (/Users/****/node_modules/appium-selendroid-installer/node_modules/request-promise/lib/rp.js:56:32)
>     at self.callback (/Users/****/node_modules/request/request.js:200:22)
>     at emitOne (events.js:96:13)
>     at Request.emit (events.js:188:7)
>     at Request.onRequestError (/Users/******/node_modules/request/request.js:831:8)
>     at emitOne (events.js:96:13)
>     at ClientRequest.emit (events.js:188:7)
>     at TLSSocket.socketErrorListener (_http_client.js:306:9)
>     at emitOne (events.js:96:13)
>     at TLSSocket.emit (events.js:188:7)
>     at emitErrorNT (net.js:1272:8)
>     at _combinedTickCallback (internal/process/next_tick.js:74:11)
>     at process._tickCallback (internal/process/next_tick.js:98:9)

---

npm config set strict-ssl false
npm config set proxy {{ npm_http_proxy }}
Env: http_proxy
Env: https_proxy

---

npm --version
3.8.9

[imurchie]

This seems like a problem with your npm configuration. Does this help?

[frobibar]

Thanks @imurchie for your suggestion. I've tried some of the suggestions in your link but no progress yet. I will continue working through it.

[nicebug]

same problem to me

[jg210]

This could be solved in a number of ways (roughly in best to worst order) :

• appium could download the file using http not https, then verify the fingerprint (just as secure, no problems with SSL certificates, can accelerate with plain HTTP proxy/cache).
• node could fix Node uses an hardcoded list of certificate authorities nodejs/node#4175 so that it's possible to give it non-standard SSL root certificates and/or make it use the local OS's list of certificates, not its own built-in list.
• npm could use something like e.g. node-ssl-cas (or the techniques it uses) to make node use the certificates npm is given using its ca and cafile options.
• appium could get hold of the ca and cafile settings passed to npm and use them when it makes its https connection.
• Do SSL interception with a certificate that node trusts.
• Don't use SSL interception (this is the only solution that wouldn't work for me - this file is often taking over an hour to download).

[jg210]

I don't see a github.com URL for downloading the jar using http. There is a maven.org URL though:

http://repo1.maven.org/maven2/io/selendroid/selendroid-standalone/0.17.0/selendroid-standalone-0.17.0-with-dependencies.jar

...and it's mentioned on the selendroid front page, so it presumably gets updated as soon as there's a release:

http://selendroid.io/

Would also want to promote fingerprint check failure from warning to an exception. Ideally, would use something better than MD5 fingerprint too.

Using HTTP would solve this issue. It would also make caching of the content much simpler. The current URL isn't easily cachable - it redirects to a different URL each time. E.g.:

mac-mini-1:~ setup$ /usr/local/opt/curl/bin/curl -v --location  https://github.com/selendroid/selendroid/releases/download/0.17.0/selendroid-standalone-0.17.0-with-dependencies.jar > /dev/null
*   Trying 192.30.253.113...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to github.com (192.30.253.113) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: github.com
* Server certificate: DigiCert SHA2 Extended Validation Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> GET /selendroid/selendroid/releases/download/0.17.0/selendroid-standalone-0.17.0-with-dependencies.jar HTTP/1.1
> Host: github.com
> User-Agent: curl/7.50.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: GitHub.com
< Date: Mon, 05 Sep 2016 16:55:23 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Status: 302 Found
< Cache-Control: no-cache
< Vary: X-PJAX
< Location: https://github-cloud.s3.amazonaws.com/releases/7465720/cbe0c0fe-77d5-11e5-9a06-089a54fc1f80.jar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160905T165523Z&X-Amz-Expires=300&X-Amz-Signature=bdea05cc6cebbdc90ff783987ca83ccbc44398fbe235f243e29e4cd27dba256d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dselendroid-standalone-0.17.0-with-dependencies.jar&response-content-type=application%2Foctet-stream
< X-UA-Compatible: IE=Edge,chrome=1
< Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Fri, 05 Sep 2036 16:55:23 -0000; secure; HttpOnly
< Set-Cookie: _gh_sess=eyJzZXNzaW9uX2lkIjoiYmQ5ZTRiOGU3NmQ1OGE4ZDNjNGY4NDkxYzU0ZDU4YjEiLCJzcHlfcmVwbyI6InNlbGVuZHJvaWQvc2VsZW5kcm9pZCIsInNweV9yZXBvX2F0IjoxNDczMDk0NTIzfQ%3D%3D--d6a4967dd0d6b9ef79f3f242cafd8cb3debe32fa; path=/; secure; HttpOnly
< X-Request-Id: ca953fea2c47ca2991948e9402b42be7
< X-Runtime: 0.023536
< Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< Vary: Accept-Encoding
< X-Served-By: b437fa0c9608399c74bf50b5c3f52799
< X-GitHub-Request-Id: 5AC4B33D:8A88:2D40332:57CDA37A
< 
* Ignoring the response-body
{ [638 bytes data]
100   626    0   626    0     0    913      0 --:--:-- --:--:-- --:--:--   979
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://github-cloud.s3.amazonaws.com/releases/7465720/cbe0c0fe-77d5-11e5-9a06-089a54fc1f80.jar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160905T165523Z&X-Amz-Expires=300&X-Amz-Signature=bdea05cc6cebbdc90ff783987ca83ccbc44398fbe235f243e29e4cd27dba256d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dselendroid-standalone-0.17.0-with-dependencies.jar&response-content-type=application%2Foctet-stream'
*   Trying 54.231.120.195...
* Connected to github-cloud.s3.amazonaws.com (54.231.120.195) port 443 (#1)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.s3.amazonaws.com
* Server certificate: DigiCert Baltimore CA-2 G2
* Server certificate: Baltimore CyberTrust Root
> GET /releases/7465720/cbe0c0fe-77d5-11e5-9a06-089a54fc1f80.jar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160905%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160905T165523Z&X-Amz-Expires=300&X-Amz-Signature=bdea05cc6cebbdc90ff783987ca83ccbc44398fbe235f243e29e4cd27dba256d&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dselendroid-standalone-0.17.0-with-dependencies.jar&response-content-type=application%2Foctet-stream HTTP/1.1
> Host: github-cloud.s3.amazonaws.com
> User-Agent: curl/7.50.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< x-amz-id-2: aXEIIKRcxTkhvp3yxc/FWrTWDFx5ircfPf7lw0lR8ye76tPbMVGXXw3ONd7JtBFWbK9gDYUaKBU=
< x-amz-request-id: 3C35F27B783A0FAF
< Date: Mon, 05 Sep 2016 16:55:25 GMT
< Last-Modified: Wed, 21 Oct 2015 16:26:25 GMT
< ETag: "5e1f7de5e4d2eb77b68675d76c5edf6a"
< Content-Disposition: attachment; filename=selendroid-standalone-0.17.0-with-dependencies.jar
< Accept-Ranges: bytes
< Content-Type: application/octet-stream
< Content-Length: 13361227
< Server: AmazonS3
< 
{ [16384 bytes data]
100 12.7M  100 12.7M    0     0   825k      0  0:00:15  0:00:15 --:--:--  900k
* Connection #1 to host github-cloud.s3.amazonaws.com left intact

[jgreen210]

The above pull request is in appium-selendroid-driver 1.4.3 and I can install it on its own with npm install appium-selendroid-driver. That's not useful though, I need to install it as a dependency of appium. If I run npm install appium it's still installing 1.3.4, even though the current version of appium (1.5.3) has a dependency on appium-selendroid-driver ^1.3.4. This is for installation without pre-existing node_modules/ and without an npm-shrinkwrap.json.

Does anyone know what's going on?

[imurchie]

Dependencies are locked for released versions. You can skip that by adding the --no-shrinkwrap option when installing (i.e., npm i -g appium --no-shrinkwrap.