Node.js 17.0.1 Gatsby error - "digital envelope routines::unsupported ... ERR_OSSL_EVP_UNSUPPORTED"


I am building a Gatsby site. I upgraded Node.js to v17.0.1, and when I run a build, there is an error:

Error: digital envelope routines::unsupported

opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'

If I downgrade it to v16, it works fine, and the build will be successful. How can I fix this?

From googling, this may be a similar issue: Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt #48


Solution

  • This is most likely an issue with webpack.

    • If you are on version 4, this was fixed in version 4.47.0 (release).
    • If you are on version 5, this was fixed in version 5.61.0 (release).

    Upgrading webpack to a version beyond what is listed above should address the problem.

    See this issue for further discussion when the bug was originally noticed:

    Ultimately this was related to webpack using md4 hashes, and their fix was to switch to using a WASM implementation of the md4 algorithm rather than Node's builtin (which relies on OpenSSL, hence the error).

    Note that while a member of the webpack team had stated they did not plan to backport the fix to webpack 4, version v4.47.0 nonetheless included a custom md4 implementation to bring support for Node 18 and above.


    Original Response:

    Gatsby / the tooling used in Gatsby must be using a cryptographic algorithm or key size which is no longer allowed by default with OpenSSL 3.0.

    From Node.js 17's announcement post:

    If you hit an ERR_OSSL_EVP_UNSUPPORTED error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A new command-line option, --openssl-legacy-provider, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions.

    Running this on the terminal might look like:

    node --openssl-legacy-provider ./node_modules/.bin/gatsby build
    

    You can also pass this in via the NODE_OPTIONS environment variable.

    So if you'd like to continue using the NPM script, you can change the build script to:

    // package.json
    {
      "scripts": {
        "build": "NODE_OPTIONS=--openssl-legacy-provider gatsby build"
      }
    }
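
To confirm on a given machine whether md4 is what fails, and whether the legacy provider is switched on, the runtime can be probed directly. This is an added example, not code from the answer above or from webpack or Gatsby; the function names (`probeDigest`, `selectDigest`, `legacyProviderRequested`, `auditRuntime`) are hypothetical.

```javascript
const nodeCrypto = require('crypto');

const LEGACY_FLAG = '--openssl-legacy-provider';

// True when the legacy provider was requested on the command line or via NODE_OPTIONS.
function legacyProviderRequested(
  execArgv = process.execArgv,
  nodeOptions = process.env.NODE_OPTIONS || ''
) {
  return execArgv.includes(LEGACY_FLAG) ||
    nodeOptions.split(/\s+/).includes(LEGACY_FLAG);
}

// Probe a digest by computing one: with OpenSSL 3 and no legacy provider,
// createHash('md4') throws instead of returning a hash object.
function probeDigest(name) {
  try {
    nodeCrypto.createHash(name).update('probe').digest('hex');
    return { name, supported: true, code: null };
  } catch (err) {
    // err.code is e.g. 'ERR_OSSL_EVP_UNSUPPORTED'; fall back to the message.
    return { name, supported: false, code: err.code || err.message };
  }
}

// First candidate the current runtime can compute, or null if none can.
function selectDigest(candidates) {
  const hit = candidates.map(probeDigest).find((r) => r.supported);
  return hit ? hit.name : null;
}

// Summary suitable for a CI log line before the build starts.
function auditRuntime(digests = ['md4', 'sha256']) {
  return {
    node: process.version,
    openssl: process.versions.openssl,
    legacyProvider: legacyProviderRequested(),
    digests: digests.map(probeDigest),
  };
}

console.log(JSON.stringify(auditRuntime(), null, 2));
```

If `md4` is reported as unsupported and `legacyProvider` is `false`, the build is hitting the restriction described above; a `legacyProvider` value of `true` in CI is a reminder that the temporary workaround is still in place.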