Problems installing packages - cert.pm no such file

jdarnold · July 9, 2022, 5:47pm

I am trying to use the Genie web framework and I get the following error when I try to use it on my Arch Linux:

julia> using Genie
[ Info: Precompiling Genie [c43c736e-a2d1-11e8-161f-af95117fbd1e]
ERROR: LoadError: InitError: SystemError: opening file "/usr/share/julia/cert.pem": No such file or directory
Stacktrace:
 [1] open
   @ ./io.jl:328 [inlined]
 [2] read(filename::String, #unused#::Type{String})
   @ Base ./io.jl:436
 [3] __sslinit__()
   @ MbedTLS ~/.julia/packages/MbedTLS/qUI5E/src/ssl.jl:785
 [4] __init__()
   @ MbedTLS ~/.julia/packages/MbedTLS/qUI5E/src/MbedTLS.jl:55
 [5] top-level scope (repeats 2 times)
   @ none:1
during initialization of module MbedTLS
in expression starting at /home/jdarnold/.julia/packages/VersionCheck/IzZOn/src/VersionCheck.jl:1
ERROR: LoadError: Failed to precompile VersionCheck [a637dc6b-bca1-447e-a4fa-35264c9d0580] to /home/jdarnold/.julia/compiled/v1.7/VersionCheck/jl_TrpQIr.
Stacktrace:
 [1] include(x::String)
   @ Genie ~/.julia/packages/Genie/hbOGK/src/Genie.jl:4
 [2] top-level scope
   @ ~/.julia/packages/Genie/hbOGK/src/Genie.jl:12
 [3] top-level scope (repeats 2 times)
   @ none:1
in expression starting at /home/jdarnold/.julia/packages/Genie/hbOGK/src/Configuration.jl:1
in expression starting at /home/jdarnold/.julia/packages/Genie/hbOGK/src/Genie.jl:1
ERROR: Failed to precompile Genie [c43c736e-a2d1-11e8-161f-af95117fbd1e] to /home/jdarnold/.julia/compiled/v1.7/Genie/jl_QRz4ze.

Just to check I tried installing another package and got the same error. I’ve looked around but I don’t see the answer to fixing this.

giordano · July 9, 2022, 6:30pm

How did you install Julia on Arch Linux?

fredrikekre · July 9, 2022, 6:48pm

Probably the same issue as Precompile errors with `pkg> update` or `pkg> add` for some packages

giordano · July 9, 2022, 6:53pm

Ok, my educated guess is that you installed the package from the official repositories, which is well known to have plenty of problems: Julia - ArchWiki. Evidence: the error message is pointing to
MbedTLS.jl/ssl.jl at 0c02e44ed96bf09ce3b9fb649db5914f629c2812 · JuliaLang/MbedTLS.jl · GitHub
and the variable MozillaCACerts_jll.cacert is apparently pointing to a non-existing file. You should direct your complaint to the maintainers of the Julia package in Arch Linux, who provide malfunctioning packages.

In the meantime I warmly recommend you to use the package aur:julia-bin which simply redistributes the official binaries.

jdarnold · July 9, 2022, 8:17pm

Thanks, that sounds like it. Pretty sure it is the “official” package. I will use the AUR bin one.

Edited to add: Yup. Just installed julia-bin and using Genie works fine. Thanks again.

dimpase · December 28, 2022, 10:16am

Is Julia trying to do its own crypto, by any chance? (a scary thought).

I have the same error (while trying to use HTTP package) with Julia 1.8.3 on Gentoo Linux, compiled from source.

If several different Linux packagers get this wrong, something might be fishy…

giordano · December 28, 2022, 1:35pm

No?

Agreed, I guess none of them runs the tests, which would fail if the file is missing.

dimpase · December 28, 2022, 3:33pm

I see this error on Gentoo via a different package, MbedTLS (or HTTP).

As a matter of fact, Fedora packages MbedTLS as a dependence of Julia, and all works there.

giordano · December 28, 2022, 3:35pm

Sure, because Fedora maintainer is @nalimilan who knows what to do.

dimpase · December 29, 2022, 11:51pm

But why does Julia even want to deal with CA certificates directly? Isn’t all what’s needed already in libcurl (to which it talks via LibCURL_jll, as far as I understand)?

Anyhow, if needed, curl provides functionality to deal with CA certs, e.g. curl - Extract CA Certs from Mozilla, curl - SSL CA Certificates

mkitti · December 30, 2022, 12:23am

Julia is using MbedTLS and the version of LibCURL distributed with official Julia is linked against MbedTLS:

github.com

JuliaPackaging/Yggdrasil/blob/3573c32ce13a40902477be7993fa0bf8fe377f35/L/LibCURL/common.jl#L65


      
              # On Darwin, we need to use SecureTransport (native TLS library)
              FLAGS+=(--with-secure-transport)
          
              # We need to explicitly request a higher `-mmacosx-version-min` here, so that it doesn't
              # complain about: `Symbol not found: ___isOSVersionAtLeast`
              if [[ "${target}" == *x86_64* ]]; then
                  export CFLAGS=-mmacosx-version-min=10.11
              fi
          else
              # On all other systems, we use MbedTLS
              FLAGS+=(--with-mbedtls=${prefix})
          fi
          
          if false; then
              # Use gssapi on Linux and FreeBSD
              FLAGS+=(--with-gssapi=${prefix})
              if [[ "${target}" == *-freebsd* ]]; then
                  # Only for FreeBSD we need to hint that we need to link to libkrb5 and
                  # libcom_err to resolve some undefined symbols.
                  export LIBS="-lkrb5 -lcom_err"
              fi

Above, the OP is using Genie.jl which loads MbedTLS.jl which wraps the native library in MbedTLS_jll. Usually that is as follows:

julia> using MbedTLS_jll

julia> MbedTLS_jll.libmbedtls_path
"/home/mkitti/src/julia-1.8.1/bin/../lib/julia/libmbedtls.so.14"

Whoever setup the package on Gentoo likely swapped out Julia’s vendored libmedtls for a Gentoo package. However, they likely did not tell Julia where to find the certificates. That can be set via an environment variable:

github.com

JuliaLang/MbedTLS.jl/blob/da061d0dbe51f84677e6c1aec9f115326d32201a/src/ssl.jl#L778-L796


      
          function __sslinit__()
              c_send[] = @cfunction(f_send, Cint, (Ptr{Cvoid}, Ptr{UInt8}, Csize_t))
              c_recv[] = @cfunction(f_recv, Cint, (Ptr{Cvoid}, Ptr{UInt8}, Csize_t))
              c_dbg[] = @cfunction(f_dbg, Cvoid, (Any, Cint, Ptr{UInt8}, Cint, Ptr{UInt8}))
              # Note: `MozillaCACerts_jll.cacert` is filled by `__init__`
              if haskey(ENV, "MBEDTLSJL_CERT_PEM_FILE")
                  fallback = abspath(ENV["MBEDTLSJL_CERT_PEM_FILE"])
                  DEFAULT_CERT[] = read(fallback, String)
              elseif haskey(ENV, "MBEDTLSJL_CERT_PEM_DIR")
                  fallback = abspath(joinpath(ENV["MBEDTLSJL_CERT_PEM_DIR"], "cert.pem"))
                  DEFAULT_CERT[] = read(fallback, String)
              elseif isfile(MozillaCACerts_jll.cacert)
                  DEFAULT_CERT[] = read(MozillaCACerts_jll.cacert, String)
              else
                  fallback = abspath(joinpath(Sys.BINDIR, "..", "share", "julia", "cert.pem"))
                  DEFAULT_CERT[] = read(fallback, String)
              end
              return
          end

If you insist on using the Gentoo package, then you should file a bug report with the Gentoo packagers:

dimpase · December 30, 2022, 11:29am

Still, having an explicit /usr/share/julia/cert.pem is a security issue. In case it is not a symbolic link to someplace managed by the OS, but a file, it will be vulnerable to problems with CA certificates such as the recent TrustCor story.

On my Fedora 34 system at work, /usr/share/julia/cert.pem is a symbolic link to a 210K-big bundle of CA certs. As far as I know, Gentoo does not even have such a bundle available - and there is no need for it, technically speaking, as it’s more efficient to keep each certificate in a separate file (it does have a bundle of CA certs in another format, in
/etc/ssl/certs/ca-certificates.crt)

dimpase · December 30, 2022, 11:52am

this is correct. However, it is the case also on Fedora 34 (with working Julia).

dimpase · December 30, 2022, 12:25pm

Filed 888978 – dev-lang/julia needs /usr/share/julia/cert.pem to address this in Gentoo

mkitti · December 30, 2022, 12:55pm

Based on the above, I suppose a distribution could patch the following such that MozillaCACerts_jll.cacert points to the correct file.

github.com

JuliaLang/julia/blob/a8adb3938bb82bd686066aff38dcecbd31288547/stdlib/MozillaCACerts_jll/src/MozillaCACerts_jll.jl#L20


      
          const LIBPATH_list = String[]
          
          
# These get calculated in __init__()
          const PATH = Ref("")
          const LIBPATH = Ref("")
          global artifact_dir::String = ""
          global cacert::String = ""
          
          
function __init__()
              global artifact_dir = dirname(Sys.BINDIR)
              global cacert = normpath(Sys.BINDIR, Base.DATAROOTDIR, "julia", "cert.pem")
          end
          
          
# JLLWrappers API compatibility shims.  Note that not all of these will really make sense.
          # For instance, `find_artifact_dir()` won't actually be the artifact directory, because
          # there isn't one.  It instead returns the overall Julia prefix.
          is_available() = true
          find_artifact_dir() = artifact_dir
          dev_jll() = error("stdlib JLLs cannot be dev'ed")
          best_wrapper = nothing

giordano · December 30, 2022, 2:48pm

Yes, that’s how that’s supposed to work. Julia (or rather some internal tools used by Julia, like curl) needs a reference to the certificates file, it can come from anywhere, in Gentoo it comes from nowhere, they could have run the tests to catch the missing file