Open remram44 opened 8 years ago
Thanks for the report. We have been undergoing some changes to try to get Google Chrome to stop reporting the Anaconda installer as potentially harmful. These changes may have something to do with your error.
Pinging @tpowellcio @ilanschnell
Downloading https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh using curl works fine for me.
All I can say is that neither curl nor openssl s_client will connect from Debian machines (tried several machines).
Does the download work when you use http:// (instead of https://)?
Yes, it works. This looks to be an issue with your TLS configuration.
Thanks, Remi. We'll get our IT guys to investigate this as quickly as possible.
@remram44 can you clarify something for us? We are wondering if you are using Conda's openssl and curl packages. If so, we may be missing certificates for those packages. I have needed to provide those certs for git recently, but not for curl or openssl. I think we may need to put them in a more central place.
I am using my system's curl and openssl.
Interestingly, using your curl package (7.45.0-0, linux-64) I get:
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
apt-file doesn't report any package which contains this ca-bundle.crt.
Thanks for the extra info. Regarding our curl package and certs, @ahmadia has some good insight here: https://github.com/conda/conda-recipes/issues/352#issuecomment-187265441
I don't think this looks quite like your issue with your system packages not allowing connections, though.
Sorry, @remram44, we are having a hard time reproducing your issue. Can you try again? Have you been able to reproduce on any other OS? If it is still present for you, can you try updating the certs on your systems? I don't know if they are too old and causing problems. I tried with a CentOS 5.11 VM, and it worked fine, so it shouldn't strictly be tied to age of OS, but rather to the actual certs.
You can use the debian Docker image for fast reproduction:
# docker run -ti --rm debian /bin/bash
# apt-get update && apt-get install curl
# curl -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
Or with Vagrant:
$ vagrant init debian/jessie64
$ vagrant up && vagrant ssh
$ curl -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
Or any installation of Debian stable really.
Yes, I can reproduce this with the docker container. It seems like this is a problem with the version of OpenSSL that Debian ships (1.0.1k). By installing our newer version (1.0.2f), things work OK, once I point curl at the right certs:
root@d505cff5f34b:/etc/ssl/certs# curl -v -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh --capath /etc/ssl/certs --cacert /etc/ssl/certs/cacert.pem
* Trying 174.129.25.1...
* Connected to repo.continuum.io (174.129.25.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/cacert.pem
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Texas; L=Austin; O=Continuum Analytics Inc; OU=Information Technology; CN=repo.continuum.io
* start date: Mar 4 00:00:00 2015 GMT
* expire date: Mar 3 23:59:59 2018 GMT
* subjectAltName: repo.continuum.io matched
* issuer: C=US; O=thawte, Inc.; CN=thawte SSL CA - G2
* SSL certificate verify ok.
> HEAD /miniconda/Miniconda-latest-Linux-x86.sh HTTP/1.1
> Host: repo.continuum.io
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 24147131
Content-Length: 24147131
< Content-Type: application/octet-stream
Content-Type: application/octet-stream
< Date: Mon, 22 Feb 2016 19:25:46 GMT
Date: Mon, 22 Feb 2016 19:25:46 GMT
< ETag: "56731880-17074bb"
ETag: "56731880-17074bb"
< Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
< Server: nginx/1.8.0
Server: nginx/1.8.0
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host repo.continuum.io left intact
root@d505cff5f34b:/etc/ssl/certs# curl -v -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh --capath /etc/ssl/certs --cacert /etc/ssl/certs/cacert.pem
* Trying 23.21.205.0...
* Connected to repo.continuum.io (23.21.205.0) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/cacert.pem
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Texas; L=Austin; O=Continuum Analytics Inc; OU=Information Technology; CN=repo.continuum.io
* start date: Mar 4 00:00:00 2015 GMT
* expire date: Mar 3 23:59:59 2018 GMT
* subjectAltName: repo.continuum.io matched
* issuer: C=US; O=thawte, Inc.; CN=thawte SSL CA - G2
* SSL certificate verify ok.
> HEAD /miniconda/Miniconda-latest-Linux-x86.sh HTTP/1.1
> Host: repo.continuum.io
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 24147131
Content-Length: 24147131
< Content-Type: application/octet-stream
Content-Type: application/octet-stream
< Date: Mon, 22 Feb 2016 19:25:53 GMT
Date: Mon, 22 Feb 2016 19:25:53 GMT
< ETag: "56731880-17074bb"
ETag: "56731880-17074bb"
< Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
< Server: nginx/1.6.2
Server: nginx/1.6.2
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host repo.continuum.io left intact
I believe this issue is upstream. I'd like to close this issue, if it's OK with you - and propose that you explore ways to obtain newer OpenSSL libraries. My workflow was to download Miniconda without HTTPS, then install openssl and curl with that installation.
The certificate is definitely available on Debian:
$ openssl x509 -noout -hash -in /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
2e4eed3c
$ openssl x509 -noout -hash -in /etc/ssl/certs/thawte_Primary_Root_CA.pem
2e4eed3c
Not sure what's up. Definitely should be reported upstream...
Looks like it's an open issue on upstream Debian with Thawte certificates, I'd suggest tracking the issue there.
Yeah agree this is a Debian Jessie 8.2 to 8.3 regression.
This now fails on Ubuntu as well, definitely breaking everyone's CI around the world. Can you consider some kind of workaround? Is it even possible?
$ docker run -ti --rm ubuntu /bin/bash
# curl -I https://repo.continuum.io/miniconda/Miniconda-3.10.1-Linux-x86_64.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
(curl is 7.35.0-1ubuntu2.6, ca-certificates 20160104ubuntu0.14.04.1; ubuntu is ubuntu:trusty)
@remram44 - what is the output of: openssl s_client -connect repo.continuum.io:443 on that node?
Here's what I see locally. I wonder if Continuum is not serving a complete certificate chain from repo.continuum.io and if this is the cause of the problems:
zsh 20623 % openssl s_client -connect repo.continuum.io:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", CN = thawte SSL CA - G2
verify return:1
depth=0 C = US, ST = Texas, L = Austin, O = Continuum Analytics Inc, OU = Information Technology, CN = repo.continuum.io
verify return:1
@ahmadia We serve all 3 certificates in the chain, even though we aren't required to serve the last one.
$ openssl s_client -showcerts -connect repo.continuum.io:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", CN = thawte SSL CA - G2
verify return:1
depth=0 C = US, ST = Texas, L = Austin, O = Continuum Analytics Inc, OU = Information Technology, CN = repo.continuum.io
verify return:1
---
Certificate chain
0 s:/C=US/ST=Texas/L=Austin/O=Continuum Analytics Inc/OU=Information Technology/CN=repo.continuum.io
i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTMxMDMxMDAwMDAwWhcNMjMx
MDMwMjM1OTU5WjBBMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMu
MRswGQYDVQQDExJ0aGF3dGUgU1NMIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCy/Ab7BJPS6lkgO0SFl1I55xDweuCwlEDaRvgMKLu5zmA4
P9LYEUIbka1J7o/H3mzeN2/9iyA8bed009zVJIhBgInuNr7E1b6NUxOq5KW4kwq+
7NrNPNQyVu/QTqC4l7s5UB5uZcP9ss7gWalICcb+vq78PjuBIJeLj0bfYGQHdbsb
hjifR3s0zqHRl6122J+3Jtt5gDZI8sU3+NkyrnykU4HHmaFUOC9PdaC7WqW7zawC
WxkC1RMYp86sdFUSBYubopVGZHI4zVobOhanvnGZjFQDuJZsAdM+Bpg/IYE7An4A
R1MBHg5GQ/tLLdwLGugvmPh+0ZmrE2ykF95v9hX1AgMBAAGjggE7MIIBNzASBgNV
HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAyBgNVHR8EKzApMCegJaAj
hiFodHRwOi8vdDEuc3ltY2IuY29tL1RoYXd0ZVBDQS5jcmwwLwYIKwYBBQUHAQEE
IzAhMB8GCCsGAQUFBzABhhNodHRwOi8vdDIuc3ltY2IuY29tMEEGA1UdIAQ6MDgw
NgYKYIZIAYb4RQEHNjAoMCYGCCsGAQUFBwIBFhpodHRwczovL3d3dy50aGF3dGUu
Y29tL2NwczApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRU3ltYW50ZWNQS0ktMS01
MzcwHQYDVR0OBBYEFMJPSFf80U+awF04fQ4F29kutVJgMB8GA1UdIwQYMBaAFHtb
Rc+vzst6/TGSGmq280brV0hQMA0GCSqGSIb3DQEBCwUAA4IBAQCNBt5DyXYCytkj
l17zY9d9RMIPawr1B+WLuPrgo/prgJK1AyzFN+DC5ZW1knAYKEKU7kt3agEPiyPs
Vk30AGnlhMji6t5bPvY8BzqUymwnscyDGmBxJ9K/AvUeRNNI1abTdiEAnPqYZOsX
Nj/rGzw+prHZWAYOctlovvGnINdS5KR3H3FwnVU1hTfhHU2UwnB/lUBuS32ytCkq
A3nIuUxnYQSgiyf/WQDrVX/GtzM1LV5OrLjqEsXo97mrvnSSLLfZTcqELxzC8HJ8
sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq
YBLqJop4
-----END CERTIFICATE-----
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
MIIERTCCA66gAwIBAgIQM2VQCHmtc+IwueAdDX+skTANBgkqhkiG9w0BAQUFADCB
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
cnZlckB0aGF3dGUuY29tMB4XDTA2MTExNzAwMDAwMFoXDTIwMTIzMDIzNTk1OVow
gakxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0aGF3dGUsIEluYy4xKDAmBgNVBAsT
H0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xODA2BgNVBAsTLyhjKSAy
MDA2IHRoYXd0ZSwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD
VQQDExZ0aGF3dGUgUHJpbWFyeSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEArKDw+4BZ1JzHpM+doVlzCRBFDA0sbmjxbFtIaElZN/wLMxnC
d3/MEC2VNBzm600JpxzSuMmXNgK3idQkXwbAzESUlI0CYm/rWt0RjSiaXISQEHoN
vXRmL2o4oOLVVETrHQefB7pv7un9Tgsp9T6EoAHxnKv4HH6JpOih2HFlDaNRe+68
0iJgDblbnd+6/FFbC6+Ysuku6QToYofeK8jXTsFMZB7dz4dYukpPymgHHRydSsbV
L5HMfHFyHMXAZ+sy/cmSXJTahcCbv1N9Kwn0jJ2RH5dqUsveCTakd9h7h1BE1T5u
KWn7OUkmHgmlgHtALevoJ4XJ/mH9fuZ8lx3VnQIDAQABo4HCMIG/MA8GA1UdEwEB
/wQFMAMBAf8wOwYDVR0gBDQwMjAwBgRVHSAAMCgwJgYIKwYBBQUHAgEWGmh0dHBz
Oi8vd3d3LnRoYXd0ZS5jb20vY3BzMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU
e1tFz6/Oy3r9MZIaarbzRutXSFAwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2Ny
bC50aGF3dGUuY29tL1RoYXd0ZVByZW1pdW1TZXJ2ZXJDQS5jcmwwDQYJKoZIhvcN
AQEFBQADgYEAhKhMyT4qvJrizI8LsiV3xGGJiWNa1KMVQNT7Xj+0Q+pjFytrmXSe
Cajd1FYVLnp5MV9jllMbNNkV6k9tcMq+9oKp7dqFd8x2HGqBCiHYQZl/Xi6Cweiq
95OBBaqStB+3msAHF/XLxrRMDtdW3HEgdDjWdMbWj2uvi42gbCkLYeA=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Texas/L=Austin/O=Continuum Analytics Inc/OU=Information Technology/CN=repo.continuum.io
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4201 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 2F80B9B516A019A4876BA9BE7790ECDD4C4BD2DC67166D507C11E017E5546F18
Session-ID-ctx:
Master-Key: 633D4DADBD237B743E8C4CC7EE9CB64EB3DA9249B0DCED03DE74D9362240D929412C84A47BB52DE73A54492EA35C685D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 4e 27 e6 31 e4 1d 54 33-de 94 18 1f 46 d7 cf bd N'.1..T3....F...
0010 - be 30 9b fa 7d 8d 85 e1-8e a8 e6 4c c0 3a 22 a5 .0..}......L.:".
0020 - b5 6e 03 31 25 12 ba 60-4b 8c 4d 25 59 ed 9c b0 .n.1%..`K.M%Y...
0030 - 26 46 17 f1 f1 5c 98 b2-72 6c 79 e7 1c 99 36 9d &F...\..rly...6.
0040 - cf 60 e0 86 d4 75 2a e4-be b1 c8 fe a4 6c 98 b0 .`...u*......l..
0050 - 5e dc 99 ce 67 be 07 1b-a3 76 fe b7 da c8 20 fb ^...g....v.... .
0060 - 3b 7e fc e8 68 e9 38 a0-ee 8d 94 50 79 ca 7d 52 ;~..h.8....Py.}R
0070 - fd 81 88 91 97 ac 8d df-b2 b0 86 a5 92 22 47 74 ............."Gt
0080 - 88 5a 0a e3 e9 42 a6 0c-5c 13 02 3d 64 8d 4d af .Z...B..\..=d.M.
0090 - 9e a9 90 3e f9 3f ef 9f-2a fe ff 36 9c 7e 00 f4 ...>.?..*..6.~..
Start Time: 1456446048
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
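Added example, not code from the issue thread or from conda: a model of the two path-building strategies that decide whether the three-certificate chain in the -showcerts output above verifies. Certificates are reduced to subject/issuer name pairs and signatures are assumed valid, so only the path search is modelled. The served chain is the one from the page (leaf, "thawte SSL CA - G2", and a cross-signed "thawte Primary Root CA" issued by "Thawte Premium Server CA"); the two trust-store contents are constructed assumptions standing in for a bundle that still carries the old self-signed Premium Server root and one that only carries the self-signed Primary Root. The legacy builder follows the server's chain to its top and then looks for that top certificate's issuer in the store, which is where "unable to get local issuer certificate" comes from; the alternate builder retries after dropping served certificates from the top, the kind of retry later OpenSSL releases perform as "alternative chains", and that is what lets a verifier reach the self-signed Primary Root directly above the G2 intermediate.

```python
"""Model of X.509 path building for the repo.continuum.io chain (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to its names; signatures are assumed valid."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# The chain the server sent, leaf first (names shortened to their CN).
LEAF = Cert("CN=repo.continuum.io", "CN=thawte SSL CA - G2")
G2 = Cert("CN=thawte SSL CA - G2", "CN=thawte Primary Root CA")
PRIMARY_CROSS = Cert("CN=thawte Primary Root CA", "CN=Thawte Premium Server CA")
SERVED_CHAIN = [LEAF, G2, PRIMARY_CROSS]

# Constructed trust-store entries (assumption: these stand in for the
# self-signed roots a ca-certificates bundle may or may not contain).
PRIMARY_ROOT = Cert("CN=thawte Primary Root CA", "CN=thawte Primary Root CA")
PREMIUM_ROOT = Cert("CN=Thawte Premium Server CA", "CN=Thawte Premium Server CA")
STORE_WITH_PREMIUM = [PRIMARY_ROOT, PREMIUM_ROOT]
STORE_WITHOUT_PREMIUM = [PRIMARY_ROOT]


def find_issuer(cert: Cert, candidates: List[Cert]) -> Optional[Cert]:
    """First candidate whose subject matches the certificate's issuer name."""
    return next((c for c in candidates if c.subject == cert.issuer), None)


def build_path_legacy(chain: List[Cert], store: List[Cert]) -> Optional[List[Cert]]:
    """Server-supplied chain first, then the trust store.

    Returns the verified path, or None when no trust anchor is reached
    (curl's 'unable to get local issuer certificate').
    """
    path = [chain[0]]
    untrusted = chain[1:]
    # Step 1: climb the server-supplied certificates as far as they go.
    while not path[-1].self_signed:
        nxt = find_issuer(path[-1], untrusted)
        if nxt is None:
            break
        path.append(nxt)
    # Step 2: climb the trust store from wherever step 1 stopped.
    while True:
        top = path[-1]
        if top.self_signed:
            # A self-signed top is only acceptable if it is itself trusted.
            return path if top in store else None
        nxt = find_issuer(top, store)
        if nxt is None:
            return None
        path.append(nxt)


def build_path_alternate(chain: List[Cert], store: List[Cert]) -> Optional[List[Cert]]:
    """Retry with progressively shorter server chains until one reaches the store."""
    for n in range(len(chain), 0, -1):
        path = build_path_legacy(chain[:n], store)
        if path is not None:
            return path
    return None


def verdict(chain: List[Cert], store: List[Cert], alternate: bool) -> str:
    """Human-readable result in the wording curl uses for the failure case."""
    builder = build_path_alternate if alternate else build_path_legacy
    path = builder(chain, store)
    if path is None:
        return "unable to get local issuer certificate"
    return "ok via " + path[-1].subject


if __name__ == "__main__":
    for label, store in (("with Premium root", STORE_WITH_PREMIUM),
                         ("without Premium root", STORE_WITHOUT_PREMIUM)):
        for alt in (False, True):
            print(f"{label:22} alternate={alt!s:5} -> {verdict(SERVED_CHAIN, store, alt)}")
```

With the Premium Server root in the store both builders succeed, via the four-certificate path ending at that root. Without it, the legacy builder dead-ends at the cross-signed Primary Root and fails even though the self-signed Primary Root is trusted, while the alternate builder finds the shorter path. That is the shape of the regression discussed in this thread: a trust-store change removing a root, combined with a verifier that never tries the shorter path.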
Reopening until we have a workaround.
One workaround is using curl --insecure to download it.
Thanks for pointing towards a workaround.
Can you please advise how to apply this workaround when using the conda command line utility to install packages? A simple conda install PACKAGENAME is indeed affected by this issue; using curl doesn't help in that case.
Any updates on this? The issue was closed as invalid on the Ubuntu tracker AFAICT.
On Ubuntu 14.04 (libssl now 1.0.1f-1ubuntu2.18), curl is fixed, but openssl s_client still isn't (that was security issue USN-2913-3).
Debian is reacting hopelessly slowly to all this.
Ran into this for the first time last night. Using latest ubuntu:14.04 docker image with openssl 1.0.1f-1ubuntu2.18. User error?
root@14368037501a:/# dpkg -s openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 907
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 1.0.1f-1ubuntu2.18
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1)
Suggests: ca-certificates
Conffiles:
/etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3
Description: Secure Sockets Layer toolkit - cryptographic utility
This package is part of the OpenSSL project's implementation of the SSL
and TLS cryptographic protocols for secure communication over the
Internet.
.
It contains the general-purpose command line binary /usr/bin/openssl,
useful for cryptographic operations such as:
* creating RSA, DH, and DSA key parameters;
* creating X.509 certificates, CSRs, and CRLs;
* calculating message digests;
* encrypting and decrypting with ciphers;
* testing SSL/TLS clients and servers;
* handling S/MIME signed or encrypted mail.
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
root@14368037501a:/# curl --capath /usr/lib/ssl/certs https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
root@14368037501a:/# wget --ca-directory=/usr/lib/ssl/certs https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
--2016-03-31 14:13:06-- https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
Resolving repo.continuum.io (repo.continuum.io)... 107.20.210.103, 54.243.153.81, 54.197.250.243
Connecting to repo.continuum.io (repo.continuum.io)|107.20.210.103|:443... connected.
ERROR: cannot verify repo.continuum.io's certificate, issued by ‘/C=US/O=thawte, Inc./CN=thawte SSL CA - G2’:
Unable to locally verify the issuer's authority.
To connect to repo.continuum.io insecurely, use `--no-check-certificate'.
@jseabold does curl work without --capath?
No
root@7cc2a144eac0:/# curl -LO https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Hi, maybe this helps as a work-around fix for you too:
https://github.com/4commerce-technologies-AG/meteor/issues/37#issuecomment-184310053
We were hit by the same error and clearly any way to avoid SSL verification would be a huge security issue which should be avoided even if that's only for testing purpose.
Ran into a similar problem building debian:jessie based docker images that use conda, after our organization started using an SSL proxy. Here are the steps I took to use conda with our organization's custom ssl certificate.
1. apt-get install -y ca-certificates
2. Add the certificate to /usr/local/share/ca-certificates/, then run update-ca-certificates to add it to the OS bundle. (Note the .crt extension, which is required; I used PEM format within the file.)
   mkdir -p /usr/local/share/ca-certificates
   cp organization_certificate.crt /usr/local/share/ca-certificates/.
   update-ca-certificates
3. conda config --set ssl_verify /etc/ssl/certs/ca-certificates.crt
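Added example, not code from the thread, from conda or from curl: the same two choices the workaround comments above contrast, expressed as Python ssl contexts. One context is what `curl --insecure` (or a disabled `ssl_verify`) amounts to, with both the chain check and the hostname check switched off; the other keeps the system bundle and verification intact and adds one extra CA, which is what the update-ca-certificates steps achieve at the OS level. Assumptions: the extra CA is a stand-in for organization_certificate.crt, and the PEM used for it is the "thawte SSL CA - G2" intermediate copied from the s_client output on this page, chosen only because it is already here; any CA certificate in PEM form would serve.

```python
"""Disabling verification versus adding a private CA (added example)."""
import ssl

# Stand-in for organization_certificate.crt (assumption): the G2 intermediate
# served by repo.continuum.io, taken from the -showcerts output on this page.
EXTRA_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTMxMDMxMDAwMDAwWhcNMjMx
MDMwMjM1OTU5WjBBMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMu
MRswGQYDVQQDExJ0aGF3dGUgU1NMIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCy/Ab7BJPS6lkgO0SFl1I55xDweuCwlEDaRvgMKLu5zmA4
P9LYEUIbka1J7o/H3mzeN2/9iyA8bed009zVJIhBgInuNr7E1b6NUxOq5KW4kwq+
7NrNPNQyVu/QTqC4l7s5UB5uZcP9ss7gWalICcb+vq78PjuBIJeLj0bfYGQHdbsb
hjifR3s0zqHRl6122J+3Jtt5gDZI8sU3+NkyrnykU4HHmaFUOC9PdaC7WqW7zawC
WxkC1RMYp86sdFUSBYubopVGZHI4zVobOhanvnGZjFQDuJZsAdM+Bpg/IYE7An4A
R1MBHg5GQ/tLLdwLGugvmPh+0ZmrE2ykF95v9hX1AgMBAAGjggE7MIIBNzASBgNV
HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAyBgNVHR8EKzApMCegJaAj
hiFodHRwOi8vdDEuc3ltY2IuY29tL1RoYXd0ZVBDQS5jcmwwLwYIKwYBBQUHAQEE
IzAhMB8GCCsGAQUFBzABhhNodHRwOi8vdDIuc3ltY2IuY29tMEEGA1UdIAQ6MDgw
NgYKYIZIAYb4RQEHNjAoMCYGCCsGAQUFBwIBFhpodHRwczovL3d3dy50aGF3dGUu
Y29tL2NwczApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRU3ltYW50ZWNQS0ktMS01
MzcwHQYDVR0OBBYEFMJPSFf80U+awF04fQ4F29kutVJgMB8GA1UdIwQYMBaAFHtb
Rc+vzst6/TGSGmq280brV0hQMA0GCSqGSIb3DQEBCwUAA4IBAQCNBt5DyXYCytkj
l17zY9d9RMIPawr1B+WLuPrgo/prgJK1AyzFN+DC5ZW1knAYKEKU7kt3agEPiyPs
Vk30AGnlhMji6t5bPvY8BzqUymwnscyDGmBxJ9K/AvUeRNNI1abTdiEAnPqYZOsX
Nj/rGzw+prHZWAYOctlovvGnINdS5KR3H3FwnVU1hTfhHU2UwnB/lUBuS32ytCkq
A3nIuUxnYQSgiyf/WQDrVX/GtzM1LV5OrLjqEsXo97mrvnSSLLfZTcqELxzC8HJ8
sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq
YBLqJop4
-----END CERTIFICATE-----
"""


def insecure_context() -> ssl.SSLContext:
    """What `curl --insecure` amounts to: no chain check, no hostname check.

    Any certificate, including one minted by an on-path attacker, is accepted.
    check_hostname must be cleared first; Python refuses CERT_NONE otherwise.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_with_extra_ca(extra_ca_pem: str) -> ssl.SSLContext:
    """System trust store plus one additional CA, verification left on.

    create_default_context() loads the OS bundle and sets CERT_REQUIRED with
    hostname checking; load_verify_locations(cadata=...) adds to that store
    rather than replacing it, so public sites keep working alongside the
    proxy's CA.
    """
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cadata=extra_ca_pem)
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain check and the hostname check are active."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently in the context's trust store."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    print("insecure:", verification_enabled(insecure_context()))
    hardened = context_with_extra_ca(EXTRA_CA_PEM)
    print("with extra CA:", verification_enabled(hardened), "CAs:", ca_count(hardened))
```

The second context is the Python-level equivalent of pointing conda's ssl_verify at a bundle that already contains the organization's CA: verification stays on and only the set of trusted issuers grows. Disabling verification instead, whether with curl's -k or a false ssl_verify, removes the only check that distinguishes the real repo.continuum.io from anything else answering on port 443.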
Chrome lets me connect, but informs me that your server is broken:
curl won't download your installer: