This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate) in Rust - Cargo. #339

Closed
rodrgz opened this issue Sep 27, 2021 · 18 comments
Labels
bug Something isn't working

Comments

@rodrgz

rodrgz commented Sep 27, 2021

I was trying to install some packages with cargo and I found this error:
SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)
when cargo was trying to download from crates.io, so then the build failed.

I also tried installing some rust packages from community repo and I found the same error. I ran /etc/ssl/update-certdata.sh and the issue continued.

@dylanaraps dylanaraps added bug Something isn't working can't reproduce labels Sep 28, 2021
@dylanaraps
Member

I cannot reproduce this issue.

  • Do other websites work on your machine?
  • When did this start happening? Did it work before?
  • Is there any other information that may help?

@rodrgz
Author

rodrgz commented Sep 28, 2021

> I cannot reproduce this issue.
>
> * Do other websites work on your machine?
> * When did this start happening? Did it work before?
> * Is there any other information that may help?

Yes, other websites work normally.
I've been trying kiss linux for the last 5 days. I installed it on a virtual machine and on my laptop, so I have not tried versions of the repo other than the current one.
Yes, today I chrooted a new vm, updated kiss and reproduced the same issue with rust and openssl... Then I downgraded openssl to 1.1.1l 2 (commit a2e2958) and recompiled rust, then the issue disappeared.

ps. Fedora 35 and Arch are using 1.1.1.l

@dylanaraps
Member

Please send exact error output from cargo/rust (whatever is spitting it out).

@git-bruh

git-bruh commented Oct 4, 2021

'export CARGO_HTTP_CAINFO=/etc/ssl/cert.pem' should fix it, not sure why it's having trouble locating the certs. https://doc.rust-lang.org/cargo/reference/config.html#httpcainfo. Error: https://termbin.com/fa9g, strace: https://termbin.com/qg5t

@rodrgz
Author

rodrgz commented Oct 4, 2021

> export CARGO_HTTP_CAINFO=/etc/ssl/cert.pem

It works.

@rodrgz rodrgz closed this as completed Oct 4, 2021
@git-bruh

git-bruh commented Oct 4, 2021

I think the issue should be left open since what I posted was just a workaround

@dylanaraps
Member

> 'export CARGO_HTTP_CAINFO=/etc/ssl/cert.pem' should fix it, not sure why it's having trouble locating the certs. https://doc.rust-lang.org/cargo/reference/config.html#httpcainfo. Error: https://termbin.com/fa9g, strace: https://termbin.com/qg5t

In your strace it seems to find the files in /etc/ but then fails anyway?

@dylanaraps
Member

This error seems to be coming indirectly from libcurl also(?).

@dylanaraps dylanaraps reopened this Oct 5, 2021
@dylanaraps
Member

dylanaraps commented Oct 5, 2021

The first 2000 lines of strace output (both with CARGO_HTTP_CAINFO and without) seem to correctly find, open, read and close the /etc/ssl/cert.pem file. Interestingly in the working case the cert.pem file is opened and read from many more times. This does not occur in the broken case. Makes me think it correctly finds the certificates the first time but fails every subsequent time for some reason.

For the record, debug output from Cargo is not very helpful here.

@dylanaraps
Member

dylanaraps commented Oct 5, 2021

More oddities:

```
->  ltrace -e getenv cargo build
libcrypto.so.3->getenv("OPENSSL_ia32cap")                                           = nil
libcrypto.so.3->getenv("OPENSSL_CONF")                                              = nil
libcrypto.so.3->getenv("SSL_CERT_FILE")                                             = "/etc/ssl/cert.pem"
libcrypto.so.3->getenv("SSL_CERT_DIR")                                              = "/etc/ssl/certs"
libcrypto.so.3->getenv("SSL_CERT_DIR")                                              = "/etc/ssl/certs"
--- SIGCHLD (Child process status) ---
--- SIGCHLD (Child process status) ---
--- SIGCHLD (Child process status) ---
 Downloading crates ...
error: failed to download from `https://crates.io/api/v1/crates/ansi_term/0.11.0/download`

Caused by:
  [60] SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)
```

@dylanaraps
Member

I have manually updated the openssl and curl crates and rebuilt rust but the issue persists. Another thing I have noticed is that cargo can correctly download the registry but not crates.

@dylanaraps
Member

Working on another potential fix. Will have results to share in some hours.

@echawk

echawk commented Oct 7, 2021

I don't know if it's related, but I get a similar issue with nim's nimble package manager. After a fresh build of nim, and attempting to run nimble, I get the following:

```
[ethan nim] (master)% nimble
could not import: SSL_get_peer_certificate
```

I'm using the nim package from my personal repo.

This also affects nim programs that use ssl.

Ex: (ex.nim)

```nim
import httpclient
var client = newHttpClient()
echo client.getContent("https://github.com")
```

And compiling with: nim -d:ssl c ex.nim results in the same output as nimble.

@dylanaraps
Member

Can you reproduce the issue with OpenSSL 1.1.1l?

@echawk

echawk commented Oct 8, 2021

I get a different error than before, now it seems like it is unable to detect the ca-certificates.

For nimble refresh --verbose:

```
Downloading Official package list
     Trying https://github.com/nim-lang/packages/raw/master/packages.json
   Warning: Could not download: No SSL/TLS CA certificates found.
     Trying https://irclogs.nim-lang.org/packages.json
     Trying https://nim-lang.org/nimble/packages.json
     Error: Refresh failed
        ... Could not download: No SSL/TLS CA certificates found.
```

For ex.nim:

```
/usr/lib/nim/pure/httpclient.nim(557) ex
/usr/lib/nim/pure/httpclient.nim(324) getDefaultSSL
/usr/lib/nim/pure/net.nim(658) newContext
Error: unhandled exception: No SSL/TLS CA certificates found. [IOError]
```

It may be an error with my port.

@git-bruh

git-bruh commented Oct 8, 2021

@ehawkvu Can you try 'mkdir /etc/ssl/certs/; ln -s ../cert.pem /etc/ssl/certs/ca-certificates.crt'?

@echawk

echawk commented Oct 8, 2021

@git-bruh

Both worked (1.1.1l).

nimble:

```
Downloading Official package list
     Trying https://github.com/nim-lang/packages/raw/master/packages.json
    Success Package list downloaded.
```

@echawk

echawk commented Oct 8, 2021

Rebuilding nim after upgrading back to openssl 3.0.0 results in the same error as before.
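
As an added example, not part of the original thread and not KISS or Cargo project code: a POSIX shell check that classifies the CA-bundle paths discussed above (`/etc/ssl/cert.pem`, the `/etc/ssl/certs/ca-certificates.crt` symlink, and the file-valued `CARGO_HTTP_CAINFO` and `SSL_CERT_FILE` variables). The function names, the `ROOT` argument and the fixture contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the CA-bundle paths it mentions.

# count_certs FILE: number of PEM certificate blocks in a readable regular file.
count_certs() {
    [ -f "$1" ] && [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# classify PATH: dangling-symlink | missing | not-a-file | empty | ok:<certs>
classify() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then echo dangling-symlink; return 0; fi
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    if [ ! -f "$1" ]; then echo not-a-file; return 0; fi
    c=$(count_certs "$1")
    if [ "$c" -gt 0 ]; then echo "ok:$c"; else echo empty; fi
}

# audit_ca_paths [ROOT]: report the two bundle paths from the thread under ROOT
# (ROOT is a hypothetical test hook; empty means the live system), then the
# file-valued variables CARGO_HTTP_CAINFO and SSL_CERT_FILE as set right now.
audit_ca_paths() {
    root=${1:-}
    for p in /etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt; do
        printf '%s %s\n' "$p" "$(classify "$root$p")"
    done
    for v in CARGO_HTTP_CAINFO SSL_CERT_FILE; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then printf '%s=%s %s\n' "$v" "$val" "$(classify "$val")"
        else printf '%s unset\n' "$v"; fi
    done
}

# make_fixture DIR: constructed trust store (marker lines only, not real
# certificates) plus the symlink suggested in the thread.
make_fixture() {
    mkdir -p "$1/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
        > "$1/etc/ssl/cert.pem"
    ln -sf ../cert.pem "$1/etc/ssl/certs/ca-certificates.crt"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
audit_ca_paths "$tmp"
rm -rf "$tmp"
```

Calling `audit_ca_paths` with no argument inspects the live system. A result of `ok:<n>` only shows that a bundle file is present and non-empty; it says nothing about which of these paths the OpenSSL or curl build in use actually consults.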
