The Digital envelope routines unsupported error means the Node.js runtime is trying to perform an operation that requires specific cryptographic algorithms (like RSA-OAEP or RSA-PSS) but the underlying OpenSSL library it’s linked against doesn’t have those algorithms compiled in. This is almost always a symptom of an outdated or improperly configured OpenSSL installation on your system, which Node.js then picks up.
Here’s a breakdown of the common causes and how to fix them:
1. Outdated Node.js Version
Node.js versions prior to 11.13.0 did not have built-in support for certain modern cipher suites that rely on these newer OpenSSL features. While Node.js itself might be recent, it can still be linked against an older system OpenSSL.
-
Diagnosis: Check your Node.js version:
node -vIf it’s older than
v11.13.0, this is a prime suspect. -
Fix: Update Node.js to the latest LTS (Long Term Support) version. Using a version manager like
nvm(Node Version Manager) is highly recommended.nvm install --lts nvm use --ltsThis ensures you’re using a Node.js version that’s aware of and likely compiled against more recent OpenSSL libraries, or at least has better compatibility layers.
-
Why it works: Newer Node.js versions often bundle or expect more modern OpenSSL features to be available, resolving the "unsupported" flag at the Node.js API level.
2. System OpenSSL Version Too Old
Even with a recent Node.js version, if your system’s default OpenSSL library is ancient, Node.js might be forced to use it and find it lacking. This is particularly common on older Linux distributions or macOS systems where Node.js might dynamically link against the system’s OpenSSL.
-
Diagnosis: Check your system’s OpenSSL version:
openssl versionLook for versions older than 1.1.1. Older versions (like 1.0.x) lack many of the modern algorithms.
-
Fix (Linux/macOS):
- Linux (Debian/Ubuntu): Update your system’s packages.
Then, reinstall Node.js usingsudo apt update && sudo apt upgrade openssl libssl-devnvmto ensure it links against the updated system libraries. - Linux (RHEL/CentOS/Fedora):
Again, reinstall Node.js viasudo yum update openssl openssl-devel # or sudo dnf update openssl openssl-develnvm. - macOS (using Homebrew):
After upgrading OpenSSL, you might need to tellbrew update brew upgrade opensslnvmwhere to find it or reinstall Node.js:
Ifexport LDFLAGS="-L/usr/local/opt/openssl@1.1/lib" # Adjust path if needed export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include" # Adjust path if needed nvm install <your_node_version> # Reinstall specific node versionbrewinstalls a newer OpenSSL (e.g., 3.x), the paths will differ, and you’ll need to adjustLDFLAGSandCPPFLAGSaccordingly.
- Linux (Debian/Ubuntu): Update your system’s packages.
-
Why it works: This directly updates the cryptographic library that Node.js relies on, providing the necessary algorithms. Reinstalling Node.js via
nvmforces it to re-detect and link against the newly available, more capable OpenSSL.
3. Custom OpenSSL Build Issues
If you’ve manually compiled OpenSSL on your system, it’s possible you didn’t enable the required algorithms during the configure step.
-
Diagnosis: Review the output of your OpenSSL
./configor./configurescript. Look for options likeenable-rsa-oaeporenable-rsa-pss. If they are missing or explicitly disabled, this is the problem. -
Fix: Recompile OpenSSL with the necessary options.
# Example configure options (check OpenSSL documentation for exact flags) ./config enable-rsa-oaep enable-rsa-pss ... # other options make sudo make installThen, reinstall Node.js using
nvm, ensuring it picks up your custom-built OpenSSL. You might need to set environment variables likeOPENSSL_ROOT_DIRorLD_LIBRARY_PATHbefore runningnvm install. -
Why it works: Ensures the OpenSSL library itself contains the required cryptographic primitives before Node.js attempts to use them.
4. Docker Image Configuration
If you’re encountering this in a Docker container, the base image might be using a minimal OpenSSL installation that lacks these algorithms.
-
Diagnosis:
# Inside your Dockerfile, before Node.js is installed or used RUN openssl versionThis will show you the OpenSSL version within the container.
-
Fix: Use a more complete base image or explicitly install a newer OpenSSL.
- Debian/Ubuntu based:
FROM ubuntu:22.04 # or a more recent Debian/Ubuntu RUN apt-get update && apt-get install -y openssl libssl-dev ca-certificates # ... install Node.js (preferably via nvm) ... - Alpine based: Alpine’s
opensslpackage is often minimal. You might need to installopenssl-devand ensure Node.js is built against it, or switch to a Debian-based image.
- Debian/Ubuntu based:
-
Why it works: Guarantees that the container environment has a sufficiently capable OpenSSL library available for Node.js to utilize.
5. Node.js Build from Source
If you compiled Node.js from source code, the configure script might have failed to detect your system’s OpenSSL correctly, or you might have explicitly told it to use a specific (older) OpenSSL.
-
Diagnosis: Examine the
config.logfile in the Node.js build directory. Search foropenssland look for errors or indications of which OpenSSL version was detected and linked. -
Fix: Clean your Node.js build directory and re-run
configure,make, andmake install. Ensure your system’s OpenSSL is up-to-date and discoverable before starting the Node.js build. You can often point Node.js’s build system to a specific OpenSSL installation using environment variables:export OPENSSL_ROOT_DIR=/path/to/your/openssl ./configure --openssl-use-system-ssl # or similar flags make make install -
Why it works: Correctly links the Node.js binary against a complete and compatible OpenSSL library during the compilation process.
After applying these fixes, you should no longer see the Digital envelope routines unsupported error. The next error you’re likely to encounter, if your cryptographic operations are still failing, will be related to incorrect key formats or padding schemes, e.g., Error:04067072:rsa routines:rsa_ossl_public_encrypt:padding error.