Downloading from github behind a firewall - Peer’s Certificate issuer is not recognized

I am behind a corporate firewall but am authenticated to access the internet. I can access any site using curl . But I keep running into this error in Julia when installing packages:

│ [18:12:51] curl: (60) Peer’s Certificate issuer is not recognized.

The problem seems to be downloading from github. Does Julia ship with its own git and SSL certificates for it? I am using v1 .2.

Thanks!

1 Like

Yea this is a common problem.

One option is to change your environ variables:

ENV["HTTP_PROXY"] = ...
ENV["HTTPS_PROXY"] = ...

Sometimes that helps.

Another is to change where the pkg manager points. JuliaLang hosts an alternate location I forget the URL now but if that doesn’t work let us know and I’ll try to dig it up.

what I don’t understand is why your cooperation would firewall github; can you access https://github.com in browser?

Thanks. Yes I do have the proxy set as follows:

export https_proxy=http://myproxy…
export http_proxy=$https_proxy

I can curl or wget any site. The issue seems Julia calls git which does not seem to see these proxy variables or something. Or it is not seeing or using the correct SSL certificates . We have the corporate SSL certificates installed in:

/etc/pki/ca-trust/source/anchors

Not sure how to debug if it is proxy issue or SSL certificate issue?

So when I was debugging this I found Julia calls LibGit2 via LibGit.jl(I think) and not Git directly. This complicates things a little more. Also, can I ask which OS you are using? Curl can also have unexpected behaviour behind corporate … situaitons.

you could try setting the proxy in libgit: https://docs.julialang.org/en/v1/stdlib/LibGit2/#LibGit2.ProxyOptions

You should be able to change where Julia get’s it’s packages too: ie they have different pkg servers here’s one which directs to your nearest available server: https://pkg.julialang.org/. trying to dig up the command to set so Pkg.jl uses it.

In the absolute worst case you can set up a pkg server locally with something like: https://github.com/JuliaPackaging/PkgServer.jl
or using JuliaTeams! The JuliaTeams team is really nice and helpful.

Or the end of the road. Offer many great gifts to your sysadmin and promise them Julia is not malicious.

There is some issue in certain libgit2 versions with trailing slashes in the proxy variables.
Maybe this can help you.

1 Like

Just an update I got it working. Apparently I had to add this environment variable:

export SSL_CERT_FILE=~myusername/.ssh/corporate.pem

I am not sure why Julia can not see the same certificate I already placed in:

/etc/pki/ca-trust/source/anchors

Curl is able to access all websites without me having to export this SSL_CERT_FILE variable.

1 Like

Haha, I am actually the sysadmin! Trying to help a user with Julia…

4 Likes

oh well your corporate environment is way more sane then my own! We have a predominately windows stack, very complicated network, and that complicates cert’s to a huge extent.

Glad you got it working!

So I spoke too soon and the “certificate error” has resurfaced again. I can install packages like CSV without any issue. But if I try to install Plots, I run into this:

│ ERROR: LoadError: LoadError: Could not download https://github.com/JuliaBinaryWrappers/Bzip2_jll.jl/releases/download/Bzip2-v1.0.6+1/Bzip2.v1/Bzip2.v1.0.6.x86_64-linux-gnu.tar.gz

│ [11:41:39] curl: (60) Peer’s Certificate issuer is not recognized.

From the command line I have no issue wget’ing the tar ball in question.

I wonder if Julia is launching some new shell that does not see all my proxy related environment variables?

I upgraded to v1.4.2 . Still get same error but a little different:

julia> Pkg.add(“Plots”)
Updating registry at ~/.julia/registries/General
Updating git-repo https://github.com/JuliaRegistries/General.git
┌ Warning: Some registries failed to update:
│ — /Apps/users/hussaif1/.julia/registries/General — failed to fetch from repo
└ @ Pkg.Types /buildworker/worker/package_linux64/build/usr/share/julia/stdlib/v1.4/Pkg/src/Types.jl:1131
Resolving package versions…
Installed LibVPX_jll ───── v1.8.1+1
Installed FFMPEG_jll ───── v4.1.0+3
Installed FreeType2_jll ── v2.10.1+2
Installed Adapt ────────── v2.0.2
Installed StructArrays ─── v0.4.4
Installed FFMPEG ───────── v0.3.0
Installed IterTools ────── v1.3.0
Installed Plots ────────── v1.5.4
Installed OpenSSL_jll ──── v1.1.1+4
Installed Bzip2_jll ────── v1.0.6+2
Installed x264_jll ─────── v2019.5.25+2
Installed FriBidi_jll ──── v1.0.5+3
Installed x265_jll ─────── v3.0.0+1
Installed Opus_jll ─────── v1.3.1+1
Installed MbedTLS ──────── v1.0.2
Installed GeometryBasics ─ v0.2.15
Installed MbedTLS_jll ──── v2.16.6+1
Installed LAME_jll ─────── v3.100.0+1
Installed libfdk_aac_jll ─ v0.1.6+2
Installed libvorbis_jll ── v1.3.6+4
Installed libass_jll ───── v0.14.0+2
Installed Zlib_jll ─────── v1.2.11+14
Installed Ogg_jll ──────── v1.3.4+0
Downloading artifact: LibVPX
######################################################################## 100.0%
curl: (60) Peer’s Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
ERROR: Unable to automatically install ‘LibVPX’ from ‘/Apps/users/hussaif1/.julia/packages/LibVPX_jll/os8kH/Artifacts.toml’

Seems I have resolved it by simply exporting this environment variable:

export JULIA_PKG_SERVER=pkg.julialang.org