Deploy Error Decoder

ERR_OSSL_EVP_UNSUPPORTED — fix the OpenSSL 3 build break

Q: What does ERR_OSSL_EVP_UNSUPPORTED mean?

Your build ran on Node 17+, which bundles OpenSSL 3.0. OpenSSL 3 disabled the legacy MD4-based hashing that older build tools (most often Webpack 4) use to fingerprint modules, so the algorithm request is refused with error:0308010C:digital envelope routines::unsupported.

Q: Is --openssl-legacy-provider safe to use?

It is a stopgap: it re-enables the deprecated legacy crypto provider for the build process so the old hash works again. It is fine to unblock a deploy, but the legacy provider is deprecated and may be removed, so treat it as temporary and upgrade the build tool for a durable fix.

Q: Why does it build locally but fail in CI?

Almost always a Node version mismatch: your machine runs Node 16 or earlier while CI runs Node 17+. Pin the same Node version everywhere (e.g. an .nvmrc and the matching setup-node in CI) so the build is reproducible.

Q: Do I need to downgrade Node.js?

Prefer not to. The durable fix is upgrading the build tool to one that uses a modern hash compatible with OpenSSL 3 - Webpack 5, or react-scripts 5+, Vue CLI 5, a recent Angular. Pinning Node to an LTS below 17 works as a last resort but leaves you on an old runtime.

Quick answer: error:0308010C:digital envelope routines::unsupported appears because you are on Node 17+, which ships OpenSSL 3.0 and disabled the legacy hash your build tool (usually Webpack 4) relies on. The durable fix is to upgrade the build tool (Webpack 5 / react-scripts 5+); the one-line stopgap is NODE_OPTIONS=--openssl-legacy-provider.

Not your exact error? Paste it into the Deploy Error Decoder →

What the error looks like

It fires during the build or bundling step, not at runtime:

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at Object.createHash (node:crypto:133:10)
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'

The giveaway is digital envelope routines plus createHash in the stack: a tool asked OpenSSL for a hash algorithm that OpenSSL 3 no longer allows by default.

Why it happens

Node 17+ ships OpenSSL 3.0

OpenSSL 3 moved legacy algorithms (like MD4) into an off-by-default provider.

Webpack 4 hashes with MD4

react-scripts <5, Vue CLI 4, and older Angular all bundle Webpack 4, which fingerprints modules with the now-blocked hash.

CI runs a newer Node than you

It builds locally on Node 16 but breaks in CI on Node 18+ — a version mismatch, not your code.

A transitive dep on the old hash

Even on a newer toolchain, an old loader or plugin deep in the tree can still request the legacy algorithm.

Diagnose it in three steps

Check your Node version

node -v
# v17.x or higher is the trigger (OpenSSL 3).
# Confirm CI uses the same version you do.

Find the build tool and its version

npm ls webpack react-scripts vue 2>/dev/null
# [email protected] or react-scripts <5 = the usual culprit.

Reproduce, then unblock to confirm

# If this builds, OpenSSL 3 + legacy hash is confirmed:
NODE_OPTIONS=--openssl-legacy-provider npm run build

The real fix

Upgrade the build tool; keep the flag only as a stopgap

The durable fix is to move to a build tool that uses an OpenSSL-3-compatible hash. Upgrade to Webpack 5, or to react-scripts 5+, Vue CLI 5, or a current Angular — all of which hash with a modern algorithm and just work on Node 17+.

# the real fix: upgrade the tool that bundles your app
npm install react-scripts@latest    # 5+ uses Webpack 5
# or, on a custom Webpack config, move to webpack@5

# stopgap to unblock a deploy now (temporary):
export NODE_OPTIONS=--openssl-legacy-provider
npm run build

# pin Node everywhere so local and CI match:
echo "18" > .nvmrc      # and use actions/setup-node with node-version-file

Avoid hard-coding the flag into your app scripts long-term — the legacy provider is deprecated. Pin a single Node version across local and CI so the build stops drifting between environments.

How Infraveil handles this

Reproducible builds, pinned toolchain

“Works on my machine, breaks in CI” is a version-drift problem. On your own servers, Infraveil runs your deploy pipeline with a pinned, consistent Node and toolchain, so an OpenSSL-3 surprise doesn’t appear only in CI. A failed build is caught before it ships, surfaced in one view, and the fix is approval-gated and recorded.

A pinned Node/toolchain version across every build, on infra you control

Build failures caught and surfaced before they reach production

Every change approval-gated and recorded, so a stopgap never quietly ships

See how it works More deploy fixes

Frequently asked questions

What does ERR_OSSL_EVP_UNSUPPORTED mean?

Your build ran on Node 17+, which bundles OpenSSL 3.0. OpenSSL 3 disabled the legacy MD4-based hashing that older build tools (most often Webpack 4) use to fingerprint modules, so the request is refused with error:0308010C:digital envelope routines::unsupported.

Is --openssl-legacy-provider safe to use?

It is a stopgap that re-enables the deprecated legacy crypto provider for the build. Fine to unblock a deploy, but the provider is deprecated and may be removed — treat it as temporary and upgrade the build tool for a durable fix.

Why does it build locally but fail in CI?

Almost always a Node version mismatch — your machine runs Node 16 or earlier while CI runs Node 17+. Pin the same version everywhere with an .nvmrc and a matching setup-node step.

Do I need to downgrade Node.js?

Prefer not to. The durable fix is upgrading the build tool to one that uses a modern hash (Webpack 5, react-scripts 5+, Vue CLI 5, a recent Angular). Pinning Node below 17 is a last resort.

Related guides

ERR_REQUIRE_ESM

Module not found: cannot resolve

npm ERR! ELIFECYCLE

Free tools for this

Client-side, no signup — they run in your browser.

Deploy error decoder

Decode the failure

Deploy workflow generator

Pinned Node, push-to-deploy

Production-ready checker

Pre-launch audit