Adding package failure due to invalid SSL certificate

Hello,
Installing packages always fails due to SSL certificate-related errors.
My OS: Ubuntu 16.04
I have disabled git's certificate check:

git config http.sslVerify false

I have tried the following without luck:

julia> using LibGit2
julia> LibGit2.set_ssl_cert_locations("/etc/ssl/certs/ca-certificates.crt")
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export GIT_SSL_CAINFO=/home/abc/julia-1.4.0/share/julia/cert.pem
julia> using Pkg
julia> Pkg.add("Flux")
   Updating registry at `~/.julia/registries/General`
   Updating git-repo `https://github.com/JuliaRegistries/General.git`

┌ Warning: Some registries failed to update:
│     — /development/x00406353/.julia/registries/General — failed to fetch from repo
└ @ Pkg.Types /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Types.jl:1122
  Resolving package versions...
    Cloning [587475ba-b771-5e3f-ad9e-33799f191a9c] Flux from https://github.com/FluxML/Flux.jl.git
ERROR: failed to clone from https://github.com/FluxML/Flux.jl.git, error: GitError(Code:ECERTIFICATE, Class:SSL, the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA)
Stacktrace:
 [1] pkgerror(::String) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Types.jl:53
 [2] clone(::Pkg.Types.Context, ::String, ::String; header::String, credentials::Nothing, kwargs::Base.Iterators.Pairs{Symbol,Bool,Tuple{Symbol},NamedTuple{(:isbare,),Tuple{Bool}}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/GitTools.jl:149
 [3] #ensure_clone#3 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/GitTools.jl:110 [inlined]
 [4] install_git(::Pkg.Types.Context, ::Base.UUID, ::String, ::Base.SHA1, ::Array{String,1}, ::VersionNumber, ::String) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:555
 [5] download_source(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}, ::Dict{Base.UUID,Array{String,1}}; readonly::Bool) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:714
 [6] #download_source#39 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:633 [inlined]
 [7] download_source at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:631 [inlined]
 [8] add(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}, ::Array{Base.UUID,1}; preserve::Pkg.Types.PreserveLevel, platform::Pkg.BinaryPlatforms.Linux) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:1080
 [9] add(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}; preserve::Pkg.Types.PreserveLevel, platform::Pkg.BinaryPlatforms.Linux, kwargs::Base.Iterators.Pairs{Union{},Union{},Tuple{},NamedTuple{(),Tuple{}}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:159
 [10] add(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:112
 [11] #add#27 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:109 [inlined]
 [12] add at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:109 [inlined]
 [13] #add#24 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:107 [inlined]
 [14] add at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:107 [inlined]
 [15] add(::String; kwargs::Base.Iterators.Pairs{Union{},Union{},Tuple{},NamedTuple{(),Tuple{}}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:106
 [16] add(::String) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:106
 [17] top-level scope at REPL[2]:1
caused by [exception 1]
GitError(Code:ECERTIFICATE, Class:SSL, the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA)
Stacktrace:
 [1] macro expansion at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/LibGit2/src/error.jl:101 [inlined]
 [2] clone(::String, ::String, ::LibGit2.CloneOptions) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/LibGit2/src/repository.jl:459
 [3] clone(::String, ::String; branch::String, isbare::Bool, remote_cb::Ptr{Nothing}, credentials::LibGit2.CachedCredentials, callbacks::Dict{Symbol,Tuple{Ptr{Nothing},Any}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/LibGit2/src/LibGit2.jl:580
 [4] clone(::Pkg.Types.Context, ::String, ::String; header::String, credentials::Nothing, kwargs::Base.Iterators.Pairs{Symbol,Bool,Tuple{Symbol},NamedTuple{(:isbare,),Tuple{Bool}}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/GitTools.jl:141
 [5] #ensure_clone#3 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/GitTools.jl:110 [inlined]
 [6] install_git(::Pkg.Types.Context, ::Base.UUID, ::String, ::Base.SHA1, ::Array{String,1}, ::VersionNumber, ::String) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:555
 [7] download_source(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}, ::Dict{Base.UUID,Array{String,1}}; readonly::Bool) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:714
 [8] #download_source#39 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:633 [inlined]
 [9] download_source at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:631 [inlined]
 [10] add(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}, ::Array{Base.UUID,1}; preserve::Pkg.Types.PreserveLevel, platform::Pkg.BinaryPlatforms.Linux) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Operations.jl:1080
 [11] add(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}; preserve::Pkg.Types.PreserveLevel, platform::Pkg.BinaryPlatforms.Linux, kwargs::Base.Iterators.Pairs{Union{},Union{},Tuple{},NamedTuple{(),Tuple{}}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:159
 [12] add(::Pkg.Types.Context, ::Array{Pkg.Types.PackageSpec,1}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:112
 [13] #add#27 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:109 [inlined]
 [14] add at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:109 [inlined]
 [15] #add#24 at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:107 [inlined]
 [16] add at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:107 [inlined]
 [17] add(::String; kwargs::Base.Iterators.Pairs{Union{},Union{},Tuple{},NamedTuple{(),Tuple{}}}) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:106
 [18] add(::String) at /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/API.jl:106
 [19] top-level scope at REPL[2]:1

Can anybody help?
Thanks.

I can only guess here, but maybe you need to update your root certificates. On Ubuntu you would do this with sudo update-ca-certificates.
Which system do you have?
If you try to clone https://github.com/FluxML/Flux.jl.git from the shell, what happens?
git clone https://github.com/FluxML/Flux.jl.git

1 Like

Thanks.
After running “sudo update-ca-certificates”, the same problem remains.
And, I can run “git clone https://github.com/FluxML/Flux.jl.git” without any problem (the repository is correctly downloaded).

Do you mean OS? I am using ubuntu 16.04.

LibGit2 seems to ignore the configuration with

git config http.sslVerify false

and other sources.

Here

it is suggested to set an environment variable:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

But I think the way to go is using a callback as described here:
https://docs.julialang.org/en/v1/stdlib/LibGit2/#LibGit2.ProxyOptions

Searching and trial and error with copy and paste led me to:

julia> using LibGit2

julia> function certNoCheck() return 0; end
certNoCheck (generic function with 1 method)

julia> const cb = @cfunction(certNoCheck,Cint,())
Ptr{Nothing} @0x000000002eee4c10

julia> LibGit2.ProxyOptions(certificate_cb=cb)
LibGit2.ProxyOptions(0x00000001, LibGit2.Consts.PROXY_AUTO, Cstring(0x0000000000000000), Ptr{Nothing} @0x0000000000000000, Ptr{Nothing} @0x000000002eee4c10, Ptr{Nothing} @0x0000000000000000)

But I have no idea whether this works at all, nor whether it provides the “no cert validation” for the package manager's use of LibGit2.

I think if this doesn’t work, I am out of options and someone else must fill in. You may consider pinging Stefan Karpinski (Author of Pkg3). @(delete space to ping)StefanKarpinski

1 Like

If possible, my standard approach would be simply upgrading the Ubuntu release to something more recent first, e.g. Ubuntu 18.04 if an LTS is required, or 20.04 (technically unreleased, but available).

1 Like

Thanks. You mean that upgrading to 18.04 fixes this problem? I will try it if so.

1 Like

I just learned that

doesn't download new root certificates.
You have to download the root certificate, put it into

/etc/ssl/certs/

and then run update-ca-certificates
https://www.digicert.com/digicert-root-certificates.htm

Upgrading Ubuntu would be the best if possible.

I don’t know, but I would try first, before trying to debug this further.

Thanks. It does not work. The error remains.

@StefanKarpinski
Can you please have a look at my problem?

https://www.digicert.com/digicert-root-certificates.htm

Looks like the page provides lots of certificates. Do I need to download all of them or a certain one? If the latter, which one? I googled around on this problem and didn’t find an answer.
Thanks.

You can check the certificate of github with a browser.
I would say you need at least from root:
DigiCert High Assurance EV Root CA
and from intermediate:
DigiCert SHA2 Extended Validation Server CA

But remember, it is not clear (at least for me) how to tell libGit2 to use your system certs. We are still in trial and error mode.

1 Like

Ok. Thank you.

@ Tamas_Papp
@ oheil

I largely solved the problem by cloning the latest code and building it myself. Some packages still cannot be automatically downloaded and installed due to curl-related certificate problems, though.

@ Tamas_Papp
@ oheil

The error has changed to this. Can anybody help?

┌ Error: Error building `CodecZlib`:
│ [ Info: Downloading https://github.com/bicycle1885/ZlibBuilder/releases/download/v1.0.4/Zlib.v1.2.11.x86_64-linux-gnu.tar.gz to /development/x00406353/.julia/packages/CodecZlib/5t9zO/deps/usr/downloads/Zlib.v1.2.11.x86_64-linux-gnu.tar.gz...
│ ERROR: LoadError: Could not download https://github.com/bicycle1885/ZlibBuilder/releases/download/v1.0.4/Zlib.v1.2.11.x86_64-linux-gnu.tar.gz to /development/x00406353/.julia/packages/CodecZlib/5t9zO/deps/usr/downloads/Zlib.v1.2.11.x86_64-linux-gnu.tar.gz:
│ ErrorException("")
│ Stacktrace:
│  [1] error(::String) at ./error.jl:33
│  [2] download(::String, ::String; verbose::Bool) at /development/x00406353/.julia/packages/BinaryProvider/kcGxO/src/PlatformEngines.jl:502
│  [3] download_verify(::String, ::String, ::String; verbose::Bool, force::Bool, quiet_download::Bool) at /development/x00406353/.julia/packages/BinaryProvider/kcGxO/src/PlatformEngines.jl:571
│  [4] install(::String, ::String; prefix::Prefix, tarball_path::String, force::Bool, ignore_platform::Bool, verbose::Bool) at /development/x00406353/.julia/packages/BinaryProvider/kcGxO/src/Prefix.jl:314
│  [5] top-level scope at /development/x00406353/.julia/packages/CodecZlib/5t9zO/deps/build.jl:89
│  [6] include(::String) at ./client.jl:457
│  [7] top-level scope at none:5
│ in expression starting at /development/x00406353/.julia/packages/CodecZlib/5t9zO/deps/build.jl:78
│ caused by [exception 1]
│
│ Stacktrace:
│  [1] error() at ./error.jl:42
│  [2] download(::String, ::String; verbose::Bool) at /development/x00406353/.julia/packages/BinaryProvider/kcGxO/src/PlatformEngines.jl:496
│  [3] download_verify(::String, ::String, ::String; verbose::Bool, force::Bool, quiet_download::Bool) at /development/x00406353/.julia/packages/BinaryProvider/kcGxO/src/PlatformEngines.jl:571
│  [4] install(::String, ::String; prefix::Prefix, tarball_path::String, force::Bool, ignore_platform::Bool, verbose::Bool) at /development/x00406353/.julia/packages/BinaryProvider/kcGxO/src/Prefix.jl:314
│  [5] top-level scope at /development/x00406353/.julia/packages/CodecZlib/5t9zO/deps/build.jl:89
│  [6] include(::String) at ./client.jl:457
│  [7] top-level scope at none:5
│ [15:21:11]
│ [15:21:11] curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
│ [15:21:11] More details here: http://curl.haxx.se/docs/sslcerts.html
│ [15:21:11]
│ [15:21:11] curl performs SSL certificate verification by default, using a "bundle"
│ [15:21:11]  of Certificate Authority (CA) public keys (CA certs). If the default
│ [15:21:11]  bundle file isn't adequate, you can specify an alternate file
│ [15:21:11]  using the --cacert option.
│ [15:21:11] If this HTTPS server uses a certificate signed by a CA represented in
│ [15:21:11]  the bundle, the certificate verification probably failed due to a
│ [15:21:11]  problem with the certificate (it might be expired, or the name might
│ [15:21:11]  not match the domain name in the URL).
│ [15:21:11] If you'd like to turn off curl's verification of the certificate, use
│ [15:21:11]  the -k (or --insecure) option.

For this, Sijun already found a solution:

Important: apply this fix only temporarily!

For what it's worth, I found this workaround to add the check certificate option to wget:

echo "check_certificate = off" >> ~/.wgetrc
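
The workarounds used in this thread (git `http.sslVerify false`, wget `check_certificate = off`) are meant to be temporary. The audit script below is an added example, not part of any post in the thread: it lists such overrides in git, wget and curl configuration so they can be removed once the CA bundle is fixed. The function names and output format are this example's own, and the default paths are assumed to be the usual per-user config files.

```shell
#!/bin/sh
# Added example: report settings that switch off TLS certificate verification.
# Output format "path:line: message" is this example's own convention.

# git config: sslVerify inside [http] or [http "<url>"] set to a false value.
scan_gitconfig() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_http = (tolower($0) ~ /^[ \t]*\[http([ \t]|\])/); next }
        in_http {
            line = tolower($0); gsub(/[ \t]/, "", line)
            if (line ~ /^sslverify=(false|no|off|0)([#;]|$)/)
                print f ":" NR ": git http.sslVerify disabled"
        }' "$1"
}

# wgetrc: command names are case-, hyphen- and underscore-insensitive.
scan_wgetrc() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*#/ { next }
        { line = tolower($0); gsub(/[-_ \t]/, "", line) }
        line ~ /^checkcertificate=(off|0)$/ {
            print f ":" NR ": wget certificate check disabled"
        }' "$1"
}

# curlrc: covers the plain forms -k, --insecure and insecure on their own line.
scan_curlrc() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*(-k|(--)?insecure)[ \t]*$/ {
            print f ":" NR ": curl certificate check disabled"
        }' "$1"
}

# Arguments: git config, wgetrc, curlrc (default: the per-user files).
audit_tls_overrides() {
    scan_gitconfig "${1:-$HOME/.gitconfig}"
    scan_wgetrc "${2:-$HOME/.wgetrc}"
    scan_curlrc "${3:-$HOME/.curlrc}"
    # git skips verification whenever this variable is set, whatever its value
    [ -z "${GIT_SSL_NO_VERIFY+x}" ] || echo "env: GIT_SSL_NO_VERIFY is set"
}

audit_tls_overrides "$@"
```

A `git config http.sslVerify false` run without `--global` is written to the repository's `.git/config`, so pass that path as the first argument to check it.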