Go package installation failing for unknown certificate authority - go

I'm attempting to install a Go module from bitbucket as follows:
go get bitbucket.org/kardianos/osext
But I receive the following error:
package bitbucket.org/kardianos/osext: Get https://api.bitbucket.org/1.0/repositories/kardianos/osext: x509: certificate signed by unknown authority
Google led me to the instructions at this post, which I have followed by editing /etc/mercurial/hgrc to contain:
[web]
cacerts = /etc/ssl/certs/ca-certificates.crt
as instructed for my OS (Debian), however I still receive the same error.
What else can I do?

it looks like I'm still using 1.0.2 (the version provided with Debian wheezy)
Considering that this looks like a Go 1.0 bug, the first thing to check is to upgrade Go to 1.3+.
net/http: use tls host instead of proxy, when checking against a certificate
That could solve the certificate issue.
Golang Debian packages mentions 1.3.2 (but for Debian Jessie, not wheezy)
You can follow "How to install Golang 1.1(+) in Debian from repository" for more.
(Done after "How can I run Debian stable but install some packages from testing?")

Related

Error trying to run rbenv install 2.5.1

I'm trying to install ruby using rbenv but I'm running into the following error:
rbenv install 2.5.1 -v
/tmp/ruby-build.20180525142355.3872 ~
Downloading ruby-2.5.1.tar.bz2...
-> https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.bz2
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: failed to download ruby-2.5.1.tar.bz2
BUILD FAILED (Ubuntu 18.04 using ruby-build 20180424)
I'm using Windows 10 Subsystem for Linux. The issue seems to be related to certs but I don't know how to go around it.

Can't add Vagrant scotchbox

I am facing issues while setting up the scotch box on my system. The OS I am using is Windows 8.1 pro 64 bit operating system, using git bash.
$ vagrant --version
Vagrant 1.8.6
VirtualBox-5.1.6
After cloning the repo from github for scotch box I do vagrant up as mentioned in the notes. It gives me the following error:
$ vagrant up
default: An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.
SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I have tried the insecure options, which gives me this error:
bsdtar.EXE: Error opening archive: Unrecognized archive format
Also I have tried reinstalling vagrant, and virtual box but no luck.
Found an alternative way of doing this: added scotch box manually (add vagrant box manually) and then cloned the scotch-repo. Modified the vagrant file as per the repo, and did vagrant up. It worked fine, but I have still raised this issue on github as well.

Issues during wget of sonarqube

I am trying to install SonarQube server on an Ubuntu 14.04 system.
When I do
wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-5.3.zip
I am getting a certificate error which says
ERROR: cannot verify akamai.bintray.com's certificate, issued by ‘/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2’:
Unable to locally verify the issuer's authority.
I have tried installing the certificate using openssl, still I am unable to get the binaries. I have also updated the ca-certificates using update-ca-certificates, but with no luck.
Can anyone help me on this?
As a workaround:
https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-5.3.zip
redirects to
https://akamai.bintray.com/4e/4e61ee3a01d5e447bcd64357df77e0377325c4a2bb5ceb2cdeb5a5d193443ba5?__gda__=exp=1471600642~hmac=2b041a2929611ac66b6e703c87e0f08a939a5f4cf7a2b9ffa2d7ba3e5a2d7f3e&response-content-disposition=attachment%3Bfilename%3D%22sonarqube-5.3.zip
which seems to be available over HTTP.
So you can try:
wget "http://akamai.bintray.com/4e/4e61ee3a01d5e447bcd64357df77e0377325c4a2bb5ceb2cdeb5a5d193443ba5?__gda__=exp=1471600642~hmac=2b041a2929611ac66b6e703c87e0f08a939a5f4cf7a2b9ffa2d7ba3e5a2d7f3e&response-content-disposition=attachment%3Bfilename%3D%22sonarqube-5.3.zip"

Certificate signed by unknown authority

I'm running ngrok for development on a Windows 7 machine. I installed conda to work with Python 2.7 and at first pip was not working; it keeps throwing a certificate error. I "fixed" the pip install by downloading the package and running setup.py.
Now the issue is that when I run ngrok I get the following error:
Tunnel Status reconnecting (x509: certificate signed by unknown authority)
Version 2.1.3
Region United States (us)
I'm not sure what is wrong or how to go about fixing this error on Windows 7.
This is a sign that your network (likely a corporate network) is attempting to MITM the outbound TLS connection that the ngrok agent makes to the ngrok edge, which ngrok does not allow.

How to fix curl: (60) SSL certificate: Invalid certificate chain

I get the following error running curl https://npmjs.org/install.sh | sh on Mac OSX 10.9 (Mavericks):
install npm#latest
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
How do I fix this?
First off, you should be wary of urls that throw SSL errors. That being said, you can suppress certificate errors in curl with
curl -k https://insecure.url/content-i-really-really-trust
Using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) visit https://registry.npmjs.org
Click the Show certificate button and then check the checkbox labelled Always trust. Then click Continue and enter your password if required.
Curl should now work with that URL correctly.
NOTE: This answer obviously defeats the purpose of SSL and should be used sparingly as a last resort.
For those having issues with scripts that download scripts that download scripts and want a quick fix, create a file called ~/.curlrc
With the contents
--insecure
This will cause curl to ignore SSL certificate problems by default.
Make sure you delete the file when done.
UPDATE
12 days later I got notified of an upvote on this answer, which made me go "Hmmm, did I follow my own advice and remember to delete that .curlrc?", and discovered I hadn't. So that really underscores how easy it is to leave your curl insecure by following this method.
The problem is an expired intermediate certificate that is no longer used and must be deleted. Here is a blog post from Digicert explaining the issue and how to resolve it.
https://blog.digicert.com/expired-intermediate-certificate/
I was seeing the issue with Github not loading via SSL in both Safari and the command line with git pull. Once I deleted the old expired cert everything was fine.
After updating to OS X 10.9.2, I started having invalid SSL certificate issues with Homebrew, Textmate, RVM, and Github.
When I initiate a brew update, I was getting the following error:
fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master
I was able to alleviate some of the issue by just disabling the SSL verification in Git. From the console (a.k.a. shell or terminal):
git config --global http.sslVerify false
I am leery of recommending this because it defeats the purpose of SSL, but it is the only advice I've found that works in a pinch.
I tried rvm osx-ssl-certs update all which stated Already are up to date.
In Safari, I visited https://github.com and attempted to set the certificate manually, but Safari did not present the options to trust the certificate.
Ultimately, I had to Reset Safari (Safari->Reset Safari... menu), then afterward visit github.com, select the certificate, and choose "Always trust". This feels wrong and deletes the history and stored passwords, but it resolved my SSL verification issues. A bittersweet victory.
On MacOS High Sierra/10.13:
~$brew install curl ca-certificates
works like a charm for me.
Another cause of this can be duplicate keys in your KeyChain. I've seen this problem on two macs where there were duplicate "DigiCert High Assurance EV Root CA". One was in the login keychain, the other in the system one. Removing the certificate from the login keychain solved the problem.
This affected Safari browser as well as git on the command line.
Let's say you try to download something using curl or install hub using brew, then, you get an error like:
==> Downloading https://ghcr.io/v2/linuxbrew/core/ncurses/manifests/6.2
curl: (60) SSL certificate problem: unable to get local issuer certificate
Then, with ghcr.io being the server, execute the following commands:
cd ~
# Download the cert:
openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > cacert.pem
# type "quit", followed by the "ENTER" key / or Ctrl+C
# see the data in the certificate:
openssl x509 -inform PEM -in cacert.pem -text -out certdata-ghcr.io.txt
# move the file to certificate store directory:
sudo mv cacert.pem /usr/local/share/ca-certificates/cacert-ghcr.io.crt
# update certificates
sudo update-ca-certificates
# done !
After attempting all of the above solutions to eliminate the "curl: (60) SSL certificate problem: unable to get local issuer certificate" error, the solution that finally worked for me on OSX 10.9 was:
Locate the curl certificate PEM file location
'curl-config --ca' -- > /usr/local/etc/openssl/cert.pem
Use the folder location to identify the PEM file
'cd /usr/local/etc/openssl'
Create a backup of the cert.pem file
'cp cert.pem cert_pem.bkup'
Download the updated Certificate file from the curl website
'sudo wget http://curl.haxx.se/ca/cacert.pem'
Copy the downloaded PEM file to replace the old PEM file
'cp cacert.pem cert.pem'
This is a modified version of a solution posted to correct the same issue in Ubuntu found here:
https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle
I started seeing this error after installing the latest command-line tools update (6.1) on Yosemite (10.10.1). In this particular case, a reboot of the system fixed the error (I had not rebooted since the update).
Mentioning this in case anyone with the same problem comes across this page, like I did.
In some systems like your office system, there is sometimes a firewall/security client that is installed for security purposes. Try uninstalling that and then run the command again; it should start the download.
My system had Netskope Client installed and was blocking the ssl communication.
Search in finder -> uninstall netskope, run it, and try installing homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
PS: consider installing the security client.
If you are behind a corporate firewall like Palo Alto, it will intercept all TLS/SSL traffic, inspect it and re-encrypt it using its own self-signed certificates. Although these certificates will typically be available on your workstation, the various programs like npm, Git, curl, etc. will not inherit them from the workstation.
If you are working in an enterprise, do not use the -k or --insecure option because this turns off the TLS/SSL encryption completely and opens up you and your organization to compromise.
The solution is to add this self-signed certificate to the specific certificate chain that is used by the program you are trying to use. I have included a link to Adrian Escutia Soto's answer which is the best way of addressing this. Unfortunately, I cannot comment or upvote on it because I don't have enough reputation points.
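An added example, not part of any answer above: a POSIX shell audit for the leftover bypasses these answers describe (the forgotten ~/.curlrc containing --insecure, and git config --global http.sslVerify false), extended to the equivalent wget and npm settings and paired with the CA-bundle option each tool offers instead. The function names check and audit_tls_bypass are hypothetical.

```shell
# Added example: audit a home directory for leftover TLS-verification bypasses.
# Usage: audit_tls_bypass [HOME_DIR]   (defaults to $HOME)
# Prints one "file: finding -> safer alternative" line per hit and returns
# non-zero when at least one bypass is found.

# check FILE REGEX MESSAGE: print MESSAGE if REGEX (case-insensitive) matches FILE.
check() {
    [ -f "$1" ] || return 1
    grep -Eiq -- "$2" "$1" || return 1
    printf '%s: %s\n' "$1" "$3"
}

audit_tls_bypass() {
    dir=${1:-$HOME}
    hits=0

    # curl: "--insecure", "insecure" or "-k" alone on a line of ~/.curlrc
    check "$dir/.curlrc" '^[[:space:]]*(-k|(--)?insecure)[[:space:]]*$' \
        'curl verification disabled -> remove it; use --cacert or CURL_CA_BUNDLE' \
        && hits=$((hits + 1))

    # git: the result of "git config --global http.sslVerify false"
    check "$dir/.gitconfig" '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(false|no|off|0)' \
        'git http.sslVerify is off -> unset it; set http.sslCAInfo to the CA bundle' \
        && hits=$((hits + 1))

    # wget: check_certificate = off in ~/.wgetrc
    check "$dir/.wgetrc" '^[[:space:]]*check[-_]certificate[[:space:]]*=[[:space:]]*off' \
        'wget check_certificate is off -> remove it; set ca_certificate instead' \
        && hits=$((hits + 1))

    # npm: strict-ssl=false in ~/.npmrc
    check "$dir/.npmrc" '^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*false' \
        'npm strict-ssl is false -> remove it; set cafile instead' \
        && hits=$((hits + 1))

    # Environment override honoured by git
    if [ -n "${GIT_SSL_NO_VERIFY:-}" ]; then
        echo 'env: GIT_SSL_NO_VERIFY is set -> unset it'
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}
```

Called with no argument, audit_tls_bypass checks your own home directory; the non-zero exit status makes it usable as a login-time or CI check.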
