Problems installing packages - cert.pem no such file

I am trying to use the Genie web framework and I get the following error when I try to use it on my Arch Linux:

```
julia> using Genie
[ Info: Precompiling Genie [c43c736e-a2d1-11e8-161f-af95117fbd1e]
ERROR: LoadError: InitError: SystemError: opening file "/usr/share/julia/cert.pem": No such file or directory
Stacktrace:
 [1] open
   @ ./io.jl:328 [inlined]
 [2] read(filename::String, #unused#::Type{String})
   @ Base ./io.jl:436
 [3] __sslinit__()
   @ MbedTLS ~/.julia/packages/MbedTLS/qUI5E/src/ssl.jl:785
 [4] __init__()
   @ MbedTLS ~/.julia/packages/MbedTLS/qUI5E/src/MbedTLS.jl:55
 [5] top-level scope (repeats 2 times)
   @ none:1
during initialization of module MbedTLS
in expression starting at /home/jdarnold/.julia/packages/VersionCheck/IzZOn/src/VersionCheck.jl:1
ERROR: LoadError: Failed to precompile VersionCheck [a637dc6b-bca1-447e-a4fa-35264c9d0580] to /home/jdarnold/.julia/compiled/v1.7/VersionCheck/jl_TrpQIr.
Stacktrace:
 [1] include(x::String)
   @ Genie ~/.julia/packages/Genie/hbOGK/src/Genie.jl:4
 [2] top-level scope
   @ ~/.julia/packages/Genie/hbOGK/src/Genie.jl:12
 [3] top-level scope (repeats 2 times)
   @ none:1
in expression starting at /home/jdarnold/.julia/packages/Genie/hbOGK/src/Configuration.jl:1
in expression starting at /home/jdarnold/.julia/packages/Genie/hbOGK/src/Genie.jl:1
ERROR: Failed to precompile Genie [c43c736e-a2d1-11e8-161f-af95117fbd1e] to /home/jdarnold/.julia/compiled/v1.7/Genie/jl_QRz4ze.
```

Just to check I tried installing another package and got the same error. I’ve looked around but I don’t see the answer to fixing this.

How did you install Julia on Arch Linux?

1 Like

Probably the same issue as Precompile errors with `pkg> update` or `pkg> add` for some packages

Ok, my educated guess is that you installed the package from the official repositories, which is well known to have plenty of problems: Julia - ArchWiki. Evidence: the error message is pointing to
MbedTLS.jl/ssl.jl at 0c02e44ed96bf09ce3b9fb649db5914f629c2812 · JuliaLang/MbedTLS.jl · GitHub
and the variable MozillaCACerts_jll.cacert is apparently pointing to a non-existing file. You should direct your complaint to the maintainers of the Julia package in Arch Linux, who provide malfunctioning packages.

In the meantime I warmly recommend you to use the package aur:julia-bin which simply redistributes the official binaries.

9 Likes

Thanks, that sounds like it. Pretty sure it is the “official” package. I will use the AUR bin one.

Edited to add: Yup. Just installed julia-bin and using Genie works fine. Thanks again.

3 Likes

Is Julia trying to do its own crypto, by any chance? (a scary thought).

I have the same error (while trying to use HTTP package) with Julia 1.8.3 on Gentoo Linux, compiled from source.

If several different Linux packagers get this wrong, something might be fishy…

No?

Agreed, I guess none of them runs the tests, which would fail if the file is missing.

I see this error on Gentoo via a different package, MbedTLS (or HTTP).

As a matter of fact, Fedora packages MbedTLS as a dependency of Julia, and all works there.

Sure, because the Fedora maintainer is @nalimilan who knows what to do.

But why does Julia even want to deal with CA certificates directly? Isn’t all that’s needed already in libcurl (to which it talks via LibCURL_jll, as far as I understand)?

Anyhow, if needed, curl provides functionality to deal with CA certs, e.g. curl - Extract CA Certs from Mozilla, curl - SSL CA Certificates

Julia is using MbedTLS and the version of LibCURL distributed with official Julia is linked against MbedTLS:

Above, the OP is using Genie.jl which loads MbedTLS.jl which wraps the native library in MbedTLS_jll. Usually that is as follows:

```
julia> using MbedTLS_jll

julia> MbedTLS_jll.libmbedtls_path
"/home/mkitti/src/julia-1.8.1/bin/../lib/julia/libmbedtls.so.14"
```

Whoever set up the package on Gentoo likely swapped out Julia’s vendored libmbedtls for a Gentoo package. However, they likely did not tell Julia where to find the certificates. That can be set via an environment variable:

If you insist on using the Gentoo package, then you should file a bug report with the Gentoo packagers:

Still, having an explicit /usr/share/julia/cert.pem is a security issue. In case it is not a symbolic link to someplace managed by the OS, but a file, it will be vulnerable to problems with CA certificates such as the recent TrustCor story.

On my Fedora 34 system at work, /usr/share/julia/cert.pem is a symbolic link to a 210K-big bundle of CA certs. As far as I know, Gentoo does not even have such a bundle available - and there is no need for it, technically speaking, as it’s more efficient to keep each certificate in a separate file (it does have a bundle of CA certs in another format, in /etc/ssl/certs/ca-certificates.crt).

This is correct. However, it is the case also on Fedora 34 (with working Julia).

Filed 888978 – dev-lang/julia needs /usr/share/julia/cert.pem to address this in Gentoo

Based on the above, I suppose a distribution could patch the following such that MozillaCACerts_jll.cacert points to the correct file.

Yes, that’s how that’s supposed to work. Julia (or rather some internal tools used by Julia, like curl) needs a reference to the certificates file, it can come from anywhere, in Gentoo it comes from nowhere, they could have run the tests to catch the missing file :person_shrugging:
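
An added example, not written by any poster in this thread and not part of Julia's or any distribution's tooling: a shell check for the distinction discussed above between a missing `cert.pem`, a symlink to a bundle managed elsewhere, and a private copy of the bundle. The function names and the demo layout are assumptions, and the PEM bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Classify a CA bundle path: prints "<state> <pem-count> <resolved-path>".
classify_ca_bundle() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling 0 $path"; return 1       # symlink to a removed target
    fi
    if [ ! -e "$path" ]; then
        echo "missing 0 $path"; return 1        # the failure in this thread
    fi
    resolved=$(readlink -f "$path")
    if [ ! -f "$resolved" ]; then
        echo "not-a-file 0 $resolved"; return 1 # e.g. a per-certificate directory
    fi
    # grep -c exits 1 on zero matches, so tolerate that exit status.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$resolved" || true)
    if [ "$count" -eq 0 ]; then
        echo "empty 0 $resolved"; return 1
    fi
    if [ -L "$path" ]; then
        echo "symlink $count $resolved"         # tracks updates made to the target
    else
        echo "static $count $resolved"          # changes only when this file is replaced
    fi
}

# Constructed layout (hypothetical file names): a bundle, a symlink to it,
# a private copy of it, and a symlink whose target does not exist.
make_demo_tree() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'REVG' '-----END CERTIFICATE-----' \
        > "$d/ca-certificates.crt"
    ln -s "$d/ca-certificates.crt" "$d/linked.pem"
    cp "$d/ca-certificates.crt" "$d/copied.pem"
    ln -s "$d/gone.crt" "$d/dangling.pem"
    echo "$d"
}

# Check the paths given on the command line, e.g. the two named in the thread:
#   sh check_bundle.sh /usr/share/julia/cert.pem /etc/ssl/certs/ca-certificates.crt
for p in "$@"; do classify_ca_bundle "$p" || true; done
```

A `static` result is the case the thread flags as a maintenance concern: the file keeps whatever CA set it shipped with until the package that owns it is updated.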