The SSL certificate is invalid

[radare]

For some reason I get this:

$ cargo build --verbose
    Updating registry `https://github.com/rust-lang/crates.io-index`
Unable to update registry https://github.com/rust-lang/crates.io-index

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  [16] The SSL certificate is invalid

But i can't find a way to get more information (why this cert is invalid), and having at least one commandline option or environment variable to ignore them would be helpful

[radare]

$ rustc -vV
rustc 1.2.0-dev
binary: rustc
commit-hash: unknown
commit-date: unknown
host: x86_64-unknown-linux-gnu
release: 1.2.0-dev
$ cargo -vV
cargo 0.4.0 (built 2015-08-17)

[kulbida]

Is there any progress on this?

[alexcrichton]

This looks like Cargo may have been built from scratch rather than being a nightly, @radare how'd you install Cargo/Rust to get this error?

Unfortunately I think we're giving as much information as we've got right now, I'm not sure if there's more contextual information cargo has to propagate upwards.

[radare]

I can reproduce it with the package of voidlinux. The nightly build from the cargo web page works as expected

On 01 Oct 2015, at 02:22, Alex Crichton [email protected] wrote:

This looks like Cargo may have been built from scratch rather than being a nightly, @radare how'd you install Cargo/Rust to get this error?

Unfortunately I think we're giving as much information as we've got right now, I'm not sure if there's more contextual information cargo has to propagate upwards.

—
Reply to this email directly or view it on GitHub.

[alexcrichton]

Oh interesting! What's voidlinux? Is there something I can do to reproduce this locally?

[radare]

http://voidlinux.eu http://voidlinux.eu/

I guess you can reproduce this issue by downloading the r2live iso http://bin.rada.re/r2live-20150901.iso http://bin.rada.re/r2live-20150901.iso which is based on voidlinux, and then install cargo like this:

xbps-install cargo

git clone any rust project and run cargo update. iirc downloading the nightly official build seems to work fine.

you can check the pkg template here:

https://github.com/voidlinux/void-packages/blob/master/srcpkgs/cargo/template https://github.com/voidlinux/void-packages/blob/master/srcpkgs/cargo/template

thanks!

On 02 Oct 2015, at 19:07, Alex Crichton [email protected] wrote:

Oh interesting! What's voidlinux? Is there something I can do to reproduce this locally?

—
Reply to this email directly or view it on GitHub #1978 (comment).

[alexcrichton]

Hm so I didn't quite go the route of installing from scratch, but I ran the docker image for voidlinux after which I did:

$ xbps-install -Sy cargo git gcc
$ git clone https://github.com/alexcrichton/tar-rs
$ cd tar-rs
$ cargo test

And everything worked out ok? Perhaps something is misconfigured locally? Do the certificates installed need to be updated perhaps?

[MagaTailor]

I'm also seeing this issue on 64-bit Porteus.

There was no problem with the 32-bit version of Porteus using my own builds of cargo but the 64-bit version and the official x86_64 nightly are producing the error.

The system date is correct and no other app complains about certificates.

EDIT:
Voidlinux home page says they're using LibreSSL, Porteus has OpenSSL.

[alexcrichton]

@petevine like with the case above, is there a way that I would be able to reproduce this? Cargo has to do a little work to discover the system certificates and it could be that they're not being discovered

[MagaTailor]

Almost certainly the problem here as the filesystem layout is a little different between the two versions.

You probably shouldn't waste too much time on trying to run the live distro yourself (http://build.porteus.org/) but maybe you could provide a few hints where cargo's expecting to find the certs so that symlinking would be enough.

I'm going to find out if the certs' locations are different and report back.

[alexcrichton]

You can find the current search locations in the openssl-sys crate, but I can also try to run something in docker if there's an image available somewhere perhaps?

[MagaTailor]

Thx, I'll have a look.

The porteus link above will lead you to an image creation wizard so as long as you pick 64bit (uefi) it probably won't matter what other options you choose.

[alexcrichton]

Oh holy cow sorry! I think I accidentally deleted @petevine's last comment, so here it is:

I was right asking you to hold back :)

After investigating both setups it looks like I'd stumbled on a distro bug - the certificates package is missing from the 64bit version (could be related to different browser and DE choices somehow).

Thanks for taking a look @petevine! @radare any updated on the voidlinux side of things?

[radare]

@alexcrichton no news, still the same problems

[MagaTailor]

@radare, you had better eliminate the obvious as well and if you do have the certificates, try locating cert.pem (or ca-certificates.crt or ca-root-nss.crt) and then look at the output from strace -o out.txt cargo build which should show which paths are being checked.

[radare]

Yeah i have managed to fix this thing.

1. a clean voidlinux installation works as expected

2. my system was still failing, so i straced, and noticed that it was unable to find any cert.pem, the most similar filename was /etc/ssl/certs.pem, just renamed certs.pem to cert.pem and it worked.

i guess that was a distro issue, but its strange that the nightly build of cargo was working as expected and not this one.

thanks for the tips

On 12 Oct 2015, at 20:00, petevine [email protected] wrote:

@radare https://github.com/radare, you had better eliminate the obvious as well and if you do have the certificates, try locating cert.pem and then look at the output from strace cargo build which should show which paths are being checked.

—
Reply to this email directly or view it on GitHub #1978 (comment).

[MagaTailor]

Just to be on the safe side, a symlink to certs.pem is probably a good idea or other stuff might break :)

[alexcrichton]

@radare if you add another case here for certs.pem, does it work "out of the box" for you?

[radare]

Thanks for pointing out.

I just did a pullreq: sfackler/rust-openssl#287

Btw, voidlinux uses libressl. which can be the reason behind this different path.

On 12 Oct 2015, at 22:47, Alex Crichton [email protected] wrote:

@radare https://github.com/radare if you add another case here https://github.com/sfackler/rust-openssl/blob/master/openssl-sys/src/probe.rs#L60 for certs.pem, does it work "out of the box" for you/

—
Reply to this email directly or view it on GitHub #1978 (comment).

[rasendubi]

@alexcrichton, @radare, the pull request is merged. I think we should close the issue.

[alexcrichton]

@rasendubi ok thanks for the reminder!

[nazar-pc]

Still experiencing this issue when installing cargo in Ubuntu 17.04 Docker container as following:

root@540d11ba4446:/rust# RUST_ARCHIVE=rust-nightly-x86_64-unknown-linux-gnu.tar.gz
root@540d11ba4446:/rust# RUST_DOWNLOAD_URL=https://static.rust-lang.org/dist/$RUST_ARCHIVE
root@540d11ba4446:/rust# curl -fsOSL $RUST_DOWNLOAD_URL \
    && curl -s $RUST_DOWNLOAD_URL.sha256 | sha256sum -c - \
    && tar -C /rust -xzf $RUST_ARCHIVE --strip-components=1 \
    && rm $RUST_ARCHIVE \
    && ./install.sh

The same script works fine in Debian Jessie image

[steveklabnik]

@nazar-pc see #3340

[lu-zero]

Just reproduced the problem on a current Gentoo system and today's nightly.

[sanmai-NL]

Never mind the below, that is issue #3340.

---

I also did, on current Arch Linux and today's nightly.

    Updating registry `https://github.com/rust-lang/crates.io-index`
error: failed to load source for a dependency on `chrono`                                                                                                                                                            

Caused by:                                                                                                                                                                                                           
  Unable to update registry https://github.com/rust-lang/crates.io-index                                                                                                                                             

Caused by:                                                                                                                                                                                                           
  failed to fetch `https://github.com/rust-lang/crates.io-index`                                                                                                                                                     

Caused by:                                                                                                                                                                                                           
  [16/-17] The SSL certificate is invalid     

openssl version

OpenSSL 1.0.2j  26 Sep 2016

sudo pacman -Qi openssl

Please touch the device.
Name            : openssl
Version         : 1.0.2.j-1
Description     : The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
Architecture    : x86_64
URL             : https://www.openssl.org
Licenses        : custom:BSD
Groups          : None
Provides        : None
Depends On      : perl
Optional Deps   : ca-certificates [installed]
Required By     : coreutils  curl  git  iputils  ldns  libarchive  libevent  libgit2  libsasl  libshout  libssh  libssh2  libu2f-server  lynx  mupdf  net-snmp  nmap  nodejs  openslp  openssh  python  python2
                  python2-pyopenssl  rkt  rtmpdump  ruby  unbound  wget  wpa_supplicant  xmlsec
Optional For    : apr-util
Conflicts With  : None
Replaces        : None
Installed Size  : 6,99 MiB
Packager        : Pierre Schmitz <[email protected]>
Build Date      : di 27 sep 2016 15:52:48 CEST
Install Date    : wo 28 sep 2016 09:01:28 CEST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

uname -a

Linux Onkyo 4.8.11-1-ARCH #1 SMP PREEMPT Sun Nov 27 09:26:14 CET 2016 x86_64 GNU/Linux

/etc/os-release:

NAME="Arch Linux"
ID=arch
PRETTY_NAME="Arch Linux"
ANSI_COLOR="0;36"
HOME_URL="https://www.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"

[lukehinds]

Getting the same in a Fedora 25 docker container:

# cargo run --verbose
    Updating registry `https://github.com/rust-lang/crates.io-index`
error: failed to load source for a dependency on `log`

Caused by:
  Unable to update registry https://github.com/rust-lang/crates.io-index

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  [16/-17] The SSL certificate is invalid
[root@d6e7c553326f hello_world]# openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016

Fixed with:

export ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt

[alexcrichton]

@lukehinds it looks like that case isn't handled by the openssl-probe crate which Cargo relies on to find certificates on various systems. Want to send a PR to update that, though?

[lukehinds]

@alexcrichton , sure, will take a look.