rustup (and cargo) unable to get local issuer certificate #2924

Closed
tsmt09 opened this issue Dec 9, 2021 · 13 comments


tsmt09 commented Dec 9, 2021

Problem

Hey. I'm facing a similar problem as #2878:
When trying to install rust using the recommended shell command from here curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh I face the same error saying "unable to get local issuer certificate".

I tried to install rustup via my distributions package then, and this worked pretty well. Now, trying to use cargo brings me to the exact same error "unable to get local issuer certificate".

I'm happy to help as good as I can. Rust for me is just a hobby beside my job so I'll be happy trying to get it fixed since I don't have any dependencies that it has to work again soon. Shoot me with any debugging info I'm happy to provide anything.

Since the issue also appears in cargo when installing via the distro package manager (zypper), I guess it's not really a rustup or cargo problem, but more of an os-certificate-store vs rust-server-certificate problem. I'm pretty sure this has something to do with openSuSE Tumbleweed and will ask in their Discord as soon as I can, but I just wanted to report that the error happened again because @kinnison asked to do so in the other issue. If I find an answer in Discord I will provide it here of course.

Steps

  1. Install openSUSE Tumbleweed
  2. Run curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Possible Solution(s)

No response

Notes

No response

Rustup version

rustup 1.24.3 (ce5817a94 2021-05-31)

Installed toolchains

Default host: x86_64-unknown-linux-gnu
rustup home:  /home/ts/.rustup

installed toolchains
--------------------

stable-x86_64-unknown-linux-gnu
nightly-x86_64-unknown-linux-gnu (default)

active toolchain
----------------

nightly-x86_64-unknown-linux-gnu (default)
rustc 1.59.0-nightly (e6b883c74 2021-12-08)

tsmt09 added the bug label Dec 9, 2021
tsmt09 changed the title from "rustup (and cargo) unable to local issuer certificate" to "rustup (and cargo) unable to get local issuer certificate" Dec 9, 2021
Author

tsmt09 commented Dec 9, 2021

Downloaded the install script and ran it with -v:

info: profile set to 'default'
info: default host triple is x86_64-unknown-linux-gnu
warning: Updating existing toolchain, profile choice will be ignored
verbose: updating existing install for 'nightly-x86_64-unknown-linux-gnu'
verbose: toolchain directory: '/home/ts/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu'
info: syncing channel updates for 'nightly-x86_64-unknown-linux-gnu'
verbose: creating temp file: /home/ts/.rustup/tmp/7x7qjlxh83ms34_5_file
verbose: downloading file from: 'https://static.rust-lang.org/dist/channel-rust-nightly.toml.sha256'
verbose: downloading with reqwest
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-nightly.toml.sha256' to '/home/ts/.rustup/tmp/7x7qjlxh83ms34_5_file'

Caused by:
    0: failed to make network request
    1: error sending request for url (https://static.rust-lang.org/dist/channel-rust-nightly.toml.sha256): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
    2: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
    3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
    4: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:

Author

tsmt09 commented Dec 9, 2021

Running cargo with strace, I found out that cargo tries to search for certs in /usr/local/ssl/certs:

stat("/usr/local/ssl/certs/244b5494.0", 0x7ffcd8565748) = -1 ENOENT

A listing of that directory shows it's empty:

~ » ls -lha /usr/local/ssl/certs 
insgesamt 0
drwxr-xr-x 1 root root  0 25. Aug 23:37 .
drwxr-xr-x 1 root root 60 25. Aug 23:37 ..

In general, if I search for a file called ca-certificates.crt on my system, I don't find anything except in /var/lib/flatpak and /var/lib/docker

Author

tsmt09 commented Dec 15, 2021

openssl s_client -connect static.rust-lang.org:443 -servername static.rust-lang.org -showcerts < /dev/null
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=doc.rust-lang.org
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
[... CHAIN ...]
Server certificate
subject=/CN=doc.rust-lang.org
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5583 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 7921EB45A69A6274604045380B192AC5C299EDF2904EEDB9BE41EDFB13FE3D97
    Session-ID-ctx: 
    Master-Key: D4FEDF20153AEAE895F4DA13E402420641FD17B2B37A82E48C61B18519D9AAE243D06334CD4CA975ABB9AAC668AD1041
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    Start Time: 1639558162
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE

It seems that the SSL connection to remote does not work because of missing peer and client certificates

Author

tsmt09 commented Dec 16, 2021

Update from my side (I will also close the ticket).

I involved the openSuSE support and found out there was a second openssl installation in /usr/local/bin instead of /usr/bin which was used.
I still don't know where that openssl version is coming from, I checked my package manager and it doesn't seem to be connected to any rpm/zypper package. It works for me now. Steps for me to fix it:

# mv /usr/local/bin/openssl /root/backup/openssl/bin/openssl
# mv /usr/local/ssl /root/backup/openssl/
# update-ca-certificates

I don't know if the last step is necessary, but after it I had everything working.

@tsmt09 tsmt09 closed this as completed Dec 16, 2021
@kinnison
Contributor

Thank you @tsmt09 for letting us know what the solution was - hopefully this will help others who encounter similar looking issues.


chinoto commented Jan 5, 2022

Had the same issue, I installed an old version of OpenSSL to get the Linux port of Garry's Mod working, but apparently that broke Rustup. I guess I'll have to stick it in a path that isn't automatically picked up.
Facepunch/garrysmod-issues#5056 (comment)


surferwat commented Apr 29, 2022

> Update from my side (I will also close the ticket).
>
> I involved the openSuSE support and found out there was a second openssl installation in /usr/local/bin instead of /usr/bin which was used. I still don't know where that openssl version is coming from, I checked my package manager and it doesn't seem to be connected to any rpm/zypper package. It works for me now. Steps for me to fix it:
>
> # mv /usr/local/bin/openssl /root/backup/openssl/bin/openssl
> # mv /usr/local/ssl /root/backup/openssl/
> # update-ca-certificates
>
> I don't know if the last step is necessary, but after it I had everything working.

Moving /usr/local/ssl to /root/backup/openssl/ worked for me.

Did you end up deleting the backup folder, /root/backup/openssl/, afterwards?


philjb commented Jan 29, 2025

I ended up here because I had a matching error message as in these comments, but my issue was that I had set SSL_CERT_FILE for testing purposes and forgot to unset it after the test. Worth checking SSL_CERT_FILE.
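
The checks this thread converged on (a second openssl earlier in PATH, an empty compiled-in certs directory, a leftover SSL_CERT_FILE), collected as an added example that is not part of any comment above or of rustup itself. The function names are hypothetical, and it assumes a stray openssl binary is installed alongside the library that cargo and rustup actually load.

```shell
#!/bin/sh
# Added diagnostic sketch: function names are hypothetical, not rustup's.

# Print every executable named $1 in the PATH-style list $2 (default: $PATH),
# in lookup order. Two or more lines means an earlier copy shadows a later one.
find_all_in_path() {
    name=$1
    old_ifs=$IFS; IFS=:
    for dir in ${2:-$PATH}; do
        [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ] &&
            printf '%s\n' "$dir/$name"
    done
    IFS=$old_ifs
}

# Classify a CA directory. OpenSSL looks issuers up there as <subject-hash>.N
# files (the strace above shows stat() on 244b5494.0), so an empty or missing
# directory ends in "unable to get local issuer certificate".
cert_dir_status() {
    if [ ! -d "$1" ]; then echo missing
    elif [ -z "$(ls -A "$1" 2>/dev/null)" ]; then echo empty
    else echo populated
    fi
}

# Show certificate-store overrides; a leftover SSL_CERT_FILE replaces the
# system bundle even when it points at a test CA or at nothing.
cert_env_overrides() {
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        if [ -s "$SSL_CERT_FILE" ]; then s=present; else s=missing-or-empty; fi
        echo "SSL_CERT_FILE=$SSL_CERT_FILE ($s)"
    fi
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        echo "SSL_CERT_DIR=$SSL_CERT_DIR ($(cert_dir_status "$SSL_CERT_DIR"))"
    fi
}

# For each openssl on PATH, print the OPENSSLDIR compiled into it
# (`openssl version -d`) and the state of its certs/ directory.
diagnose() {
    find_all_in_path openssl | while IFS= read -r bin; do
        ossl_dir=$("$bin" version -d 2>/dev/null </dev/null |
            sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
        echo "$bin -> ${ossl_dir:-unknown}/certs: $(cert_dir_status "$ossl_dir/certs")"
    done
    cert_env_overrides
}

diagnose
```

An openssl listed ahead of the distribution's copy whose certs directory reports empty or missing matches the situation tsmt09 resolved; any SSL_CERT_FILE line matches the one philjb describes.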


SR-G commented May 7, 2025

It seems I have roughly the same error. But I'm at home / in local, without any proxy + certificates are up to date on my (archlinux) system.
In fact I try to install an AUR package (MDQ), locally compiling the rust source code ... and it's failing with that same kind of rustup error.

If I launch it manually in debug (outside AUR installation through YAY), then I see:

debug: read metadata version: '12'
debug: looking for installed toolchain 'stable-x86_64-unknown-linux-gnu'
info: using existing install for 'stable-x86_64-unknown-linux-gnu'
debug: installing toolchain 'stable-x86_64-unknown-linux-gnu'
debug: toolchain directory: '/home/users/sergio/.rustup/toolchains/stable-x86_64-unknown-linux-gnu'
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
debug: creating temp file: /home/users/sergio/.rustup/tmp/87zhxjjq5nx7ptne_file
debug: downloading file from: 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256'
debug: downloading with reqwest
error: failed to download file error=Reqwest(reqwest::Error { kind: Request, url: "https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) })
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/home/users/sergio/.rustup/tmp/87zhxjjq5nx7ptne_file'

Caused by:
    0: error downloading file
    1: error sending request for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256)
    2: client error (Connect)
    3: invalid peer certificate: UnknownIssuer

Again, my certificates (ca-certificates, etc.) are 100% installed ...
Also I can flawlessly download that file (= "https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256") from any browser

Any ideas?

(this is nearly the only error I found about that "UnknownIssuer")

Member

rami3l commented May 8, 2025

> (this is nearly the only error i found about that "UnknownIssuer")

@SR-G I have seen a similar issue in our CI (#3810) and it has been resolved exactly by installing the CA certs. It is also possible that your browser uses a different CA cert configuration than your CLI as discussed above... I'm not quite sure. So many local states are involved here, it seems to me.

cc @djc


SR-G commented May 8, 2025

Mhh ok but still not sure how to solve that ...
On ARCH I've just installed the "ca-certificates-mozilla-3.111-1" AUR package (which seems to be similar to the "ca_root_nss" package discussed in #3810), but still the same error ...

Also, from the same CLI as where rustup is failing, a CURL or WGET (against the URL used by rustup) is perfectly working ...

wget "https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256"
--2025-05-08 11:56:08--  https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving static.rust-lang.org (static.rust-lang.org)... 151.101.130.137, 151.101.2.137, 151.101.194.137, ...
Connecting to static.rust-lang.org (static.rust-lang.org)|151.101.130.137|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 91 [binary/octet-stream]
Saving to: ‘channel-rust-stable.toml.sha256’

channel-rust-stable.toml.sha256                             100%[========================================================================================================================================>]      91  --.-KB/s    in 0s      

2025-05-08 11:56:08 (25.1 MB/s) - ‘channel-rust-stable.toml.sha256’ saved [91/91]

It's like rustup was not using that /etc/ssl/certs path on ARCHLINUX, maybe ?

Contributor

djc commented May 8, 2025

Which version of rustup are you using? Can you run it with RUSTUP_LOG=trace?

Also please just file a new issue instead of reusing this closed one.


SR-G commented May 8, 2025

"rustup" is installed on my system with AUR package, so should be up-to-date (I would say):

rustup --version
rustup 1.28.2 (2025-05-05)
info: This is the version for the rustup toolchain manager, not the rustc compiler.
info: No `rustc` is currently active

whereis rustup
rustup: /usr/bin/rustup /usr/lib/rustup

(second one is of course a folder)

Ok opening a new issue. Done : #4325
