BADCERT_NOT_TRUSTED error while updating the Registry?

General Usage
, ,
1

Hello!

Can I update the registry in my computer manually? The usual way errors for me.

(@v1.11) pkg> up
┌ Warning: could not download https://pkg.julialang.org/registries
│   exception = RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
└ @ Pkg.Registry ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Pkg/src/Registry/Registry.jl:77
    Updating registry at `~/.julia/registries/General.toml`
  No Changes to `~/.julia/environments/v1.11/Project.toml`
  No Changes to `~/.julia/environments/v1.11/Manifest.toml`

More info:

  • I am in a corporate laptop
  • WSL
  • Julia v1.11rc3
2

No response yet, but I could update it because my installation of Julia 1.10.4 in Windows worked. I copied the General.tar.gz and General.toml from there and substituted them in .julia/registries/ in WSL.

If anyone can help solving the BADCERT_NOT_TRUSTED it’d be amazing.

3

I think Pkg uses curl for downloads, so you may try to configure curl like:

echo insecure >> $HOME/.curlrc

means, adding a line with insecure in file ~/.curlrc

Let us know if this resolves your certificate issue.

4

Hi! Thanks for the answer.
Unfortunately, the problem remains (I rebooted the entire WSL just to be sure).

Current status

Just to confirm, this is the status in my corporate laptop:

Not working:

  • WSL 22.04, Julia v1.11.0-rc3
  • WSL 22.04, Julia v1.10.5
  • WSL 22.04, Julia v1.10.4
  • Windows, Julia v1.11.0-rc3

Working

  • Windows, Julia v1.10.4

Error messages

Depending on the Julia version, it errors on different lines and it provides more information about the nature of the error. It seems that v1.11 fails on Registry.jl:77 and v1.10 on Registry.jl:69. I think it is related to the version of Pkg. Also, the error message in WSL is more descriptive than in Windows.

# Julia v1.11.0-rc3  (WSL)

(@v1.11) pkg> up
┌ Warning: could not download https://pkg.julialang.org/registries
│   exception = RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
└ @ Pkg.Registry ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Pkg/src/Registry/Registry.jl:77

# Julia v1.10.5 and v1.10.4 (WSL)

(@v1.10) pkg> up
┌ Warning: could not download https://pkg.julialang.org/registries
│   exception = RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
└ @ Pkg.Registry ~/.julia/juliaup/julia-1.10.5+0.x64.linux.gnu/share/julia/stdlib/v1.10/Pkg/src/Registry/Registry.jl:69

# Julia v1.11-rc3 (Windows)

(@v1.11) pkg> up
┌ Warning: could not download https://pkg.julialang.org/registries
│   exception = RequestError: Failure when receiving data from the peer while requesting https://pkg.julialang.org/registries
└ @ Pkg.Registry C:\Users\fcpv\.julia\juliaup\julia-1.11.0-rc3+0.x64.w64.mingw32\share\julia\stdlib\v1.11\Pkg\src\Registry\Registry.jl:77
5

The problem seems to be only updating the Registry. If I update the files manually, I can download and install the latest version packages without problem using ] add xxx.

By the way, I can confirm that my WSL installation can connect to the Internet and download files, because this works as expected:

fcpv@ltfcpv:~$ wget https://pkg.julialang.org/registry/23338594-aafe-5451-b93e-139f81909106/c13c85f7ad6ebfd58fc01e215f0bc89e1442e285

--2024-09-06 10:52:31--  https://pkg.julialang.org/registry/23338594-aafe-5451-b93e-139f81909106/c13c85f7ad6ebfd58fc01e215f0bc89e1442e285
Resolving pkg.julialang.org (pkg.julialang.org)... 151.101.134.217
Connecting to pkg.julialang.org (pkg.julialang.org)|151.101.134.217|:443... connected.
HTTP request sent, awaiting response... 301 EU internal redirect trigger
Location: https://eu-central.pkg.julialang.org/registry/23338594-aafe-5451-b93e-139f81909106/c13c85f7ad6ebfd58fc01e215f0bc89e1442e285 [following]

--2024-09-06 10:52:31--  https://eu-central.pkg.julialang.org/registry/23338594-aafe-5451-b93e-139f81909106/c13c85f7ad6ebfd58fc01e215f0bc89e1442e285
Resolving eu-central.pkg.julialang.org (eu-central.pkg.julialang.org)... 52.57.14.183
Connecting to eu-central.pkg.julialang.org (eu-central.pkg.julialang.org)|52.57.14.183|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://storage.julialang.net/registry/23338594-aafe-5451-b93e-139f81909106/c13c85f7ad6ebfd58fc01e215f0bc89e1442e285 [following]

--2024-09-06 10:52:31--  https://storage.julialang.net/registry/23338594-aafe-5451-b93e-139f81909106/c13c85f7ad6ebfd58fc01e215f0bc89e1442e285
Resolving storage.julialang.net (storage.julialang.net)... 104.26.13.204, 172.67.71.159, 104.26.12.204
Connecting to storage.julialang.net (storage.julialang.net)|104.26.13.204|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8045321 (7.7M) [binary/octet-stream]
Saving to: ‘c13c85f7ad6ebfd58fc01e215f0bc89e1442e285’

c13c85f7ad6ebfd58fc01e215f0bc89e1 100%[==========================================================>]   7.67M  1.53MB/s    in 7.1s

2024-09-06 10:52:51 (1.08 MB/s) - ‘c13c85f7ad6ebfd58fc01e215f0bc89e1442e285’ saved [8045321/8045321]

And this downloads the latest version of the Registry.

6

Can you check:

julia> using Downloads

julia> Downloads.download("https://pkg.julialang.org/registries", "test_download.txt")
"test_download.txt"
7

Yup:

(@v1.11) pkg> activate --temp
  Activating new project at `/tmp/jl_RXTFx5`

julia> using Downloads

julia> Downloads.download("https://pkg.julialang.org/registries", "test_download.txt")
ERROR: RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
Stacktrace:
  [1] (::Downloads.var"#9#18"{…})(easy::Downloads.Curl.Easy)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:413
  [2] with_handle(f::Downloads.var"#9#18"{…}, handle::Downloads.Curl.Easy)
    @ Downloads.Curl ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Curl/Curl.jl:95
  [3] #8
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:354 [inlined]
  [4] arg_write(f::Downloads.var"#8#17"{…}, arg::IOStream)
    @ ArgTools ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:134
  [5] #7
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:353 [inlined]
  [6] arg_read
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:76 [inlined]
  [7] request(url::String; input::Nothing, output::IOStream, method::Nothing, headers::Vector{…}, timeout::Float64, progress::Nothing, verbose::Bool, debug::Nothing, throw::Bool, downloader::Nothing)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:352
  [8] request
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:320 [inlined]
  [9] #3
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:258 [inlined]
 [10] open(f::Downloads.var"#3#4"{…}, args::String; kwargs::@Kwargs{…})
    @ Base ./io.jl:410
 [11] open_nolock
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:35 [inlined]
 [12] arg_write(f::Function, arg::String)
    @ ArgTools ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:103
 [13] #download#2
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:257 [inlined]
 [14] download(url::String, output::String)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:246
 [15] top-level scope
    @ REPL[3]:1
Some type information was truncated. Use `show(err)` to see complete types.
8

Full error:

julia> show(err)
1-element ExceptionStack:
RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
Stacktrace:
  [1] (::Downloads.var"#9#18"{IOStream, Base.DevNull, Nothing, Vector{Pair{String, String}}, Float64, Nothing, Bool, Nothing, Bool, String, Bool, Bool})(easy::Downloads.Curl.Easy)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:413
  [2] with_handle(f::Downloads.var"#9#18"{IOStream, Base.DevNull, Nothing, Vector{Pair{String, String}}, Float64, Nothing, Bool, Nothing, Bool, String, Bool, Bool}, handle::Downloads.Curl.Easy)
    @ Downloads.Curl ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Curl/Curl.jl:95
  [3] #8
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:354 [inlined]
  [4] arg_write(f::Downloads.var"#8#17"{Base.DevNull, Nothing, Vector{Pair{String, String}}, Float64, Nothing, Bool, Nothing, Bool, String, Bool, Bool}, arg::IOStream)
    @ ArgTools ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:134
  [5] #7
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:353 [inlined]
  [6] arg_read
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:76 [inlined]
  [7] request(url::String; input::Nothing, output::IOStream, method::Nothing, headers::Vector{Pair{String, String}}, timeout::Float64, progress::Nothing, verbose::Bool, debug::Nothing, throw::Bool, downloader::Nothing)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:352
  [8] request
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:320 [inlined]
  [9] #3
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:258 [inlined]
 [10] open(f::Downloads.var"#3#4"{Nothing, Vector{Pair{String, String}}, Float64, Nothing, Bool, Nothing, Nothing, String}, args::String; kwargs::@Kwargs{write::Bool, lock::Bool})
    @ Base ./io.jl:410
 [11] open_nolock
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:35 [inlined]
 [12] arg_write(f::Function, arg::String)
    @ ArgTools ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:103
 [13] #download#2
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:257 [inlined]
 [14] download(url::String, output::String)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:246
 [15] top-level scope
    @ REPL[3]:1
9

Now please:

julia> Downloads.download("https://pkg.julialang.org/registries", 
"test_download.txt"; verbose = true)

gives lengthy information.

10

For what it’s worth, the package installation probably tries and fails to do a package server download, then falls back to fetching from GitHub.

It would be better to solve the certificate problems but if nothing works you can try to set the environment variable JULIA_PKG_SERVER to an empty string, to force Pkg to install the registry as a git clone. To make that change effective you need to remove and re-add the registry with

pkg> registry rm General
pkg> registry add General

(That’s also necessary if you want to switch back to a registry from a package server.)

1 Like
11 
julia> Downloads.download("https://pkg.julialang.org/registries", "test_download.txt"; verbose= true)
* Couldn't find host pkg.julialang.org in the .netrc file; using defaults
* Host pkg.julialang.org:443 was resolved.
* IPv6: (none)
* IPv4: 151.101.134.217
*   Trying 151.101.134.217:443...
* Connected to pkg.julialang.org (151.101.134.217) port 443
* mbedTLS: Connecting to pkg.julialang.org:443
* mbedTLS: Set min SSL version to TLS 1.0
* ALPN: curl offers h2,http/1.1
* mbedTLS: Handshake complete, cipher is TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
* Cert verify failed: BADCERT_NOT_TRUSTED
* Closing connection
ERROR: RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
Stacktrace:
  [1] (::Downloads.var"#9#18"{…})(easy::Downloads.Curl.Easy)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:413
  [2] with_handle(f::Downloads.var"#9#18"{…}, handle::Downloads.Curl.Easy)
    @ Downloads.Curl ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Curl/Curl.jl:95
  [3] #8
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:354 [inlined]
  [4] arg_write(f::Downloads.var"#8#17"{…}, arg::IOStream)
    @ ArgTools ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:134
  [5] #7
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:353 [inlined]
  [6] arg_read
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:76 [inlined]
  [7] request(url::String; input::Nothing, output::IOStream, method::Nothing, headers::Vector{…}, timeout::Float64, progress::Nothing, verbose::Bool, debug::Nothing, throw::Bool, downloader::Nothing)
    @ Downloads ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:352
  [8] request
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:320 [inlined]
  [9] #3
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:258 [inlined]
 [10] open(f::Downloads.var"#3#4"{…}, args::String; kwargs::@Kwargs{…})
    @ Base ./io.jl:410
 [11] open_nolock
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:35 [inlined]
 [12] arg_write(f::Function, arg::String)
    @ ArgTools ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/ArgTools/src/ArgTools.jl:103
 [13] #download#2
    @ ~/.julia/juliaup/julia-1.11.0-rc3+0.x64.linux.gnu/share/julia/stdlib/v1.11/Downloads/src/Downloads.jl:257 [inlined]
 [14] top-level scope
    @ REPL[2]:1
Some type information was truncated. Use `show(err)` to see complete types.
12

Yeah, I am also in favor of solving the certificate problems. But I don’t know why Windows v1.10.4 succeeds and the rest does not.

Is the certificate not the same for all of them?

13

The certificate problem would be not a Julia issue, and for this you have to check your WSL system for outdated SSL root and intermediate certifcates. pkg.julialang.org uses LetsEncrypt (E6) (at least for europe), you may check this site:Chains of Trust - Let's Encrypt but it seems a bit difficult. What Linux do you have in your WSL? Google for updating certificates for this Linux. For debian it would be sudo update-ca-certificates for example.

Another source could be an outdated curl version on you WSL. Run curl -V in a WSL shell.

My approach would be to try to convince Pkg and Downloads.download to not check the certificate, but I didn’t found a way yet.

1 Like
14

Can you try the following:

julia> using Pkg

julia> using Downloads: Downloads, Curl, download

julia> Downloads.EASY_HOOK[] = (easy, info) -> begin
           Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, false)
       end
#1 (generic function with 1 method)

julia> Pkg.update()
2 Likes
15

I have tried to add the certificates from LetsEncrypt (both the root CA and the E6).

I have Ubuntu 22.04, and I moved the downloaded .pem files into /usr/local/share/ca-certificates with a .crt extension, and updated with sudo update-ca-certificates.

The result from the operation is successful (Ubuntu says that 2 certificates were added), but it is still not possible to connect.

My curl version is the latest possible on Ubuntu 22.04, curl 7.81.0.

1 Like
16

See above your last message, can you try this? (sometimes people miss messages when they come at same time).

17

Yeah, I saw the message! I was testing.

It succeeded!

julia> using Pkg

julia> using Downloads: Downloads, Curl, download

julia> Downloads.EASY_HOOK[] = (easy, info) -> begin
       Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, false)
       end
#1 (generic function with 1 method)

julia> Pkg.update()
    Updating registry at `~/.julia/registries/General.toml`
  No Changes to `~/.julia/environments/v1.11/Project.toml`
  No Changes to `~/.julia/environments/v1.11/Manifest.toml`
1 Like
18

No, it uses libcurl, which I believe ignores .curlrc

1 Like
19

Awesome. I prefer this solution as it is independent on the underlying system and it’s temporary (not like the .curlrc which didn’t work). So you can do your work in Julia until the underlying reasons are sorted out (e.g. by system admin people).

1 Like
20

The source of this is here: GitHub - JuliaLang/Downloads.jl but I had to found the CURLOPT_SSL_VERIFYPEER option in the source code.

1 Like