ContinuumIO / anaconda-issues

Anaconda issue tracking

Can't install Anaconda because of invalid certificate #670

Open remram44 opened 8 years ago

remram44 commented 8 years ago

Chrome lets me connect, but informs me that your server is broken:

[Screenshot attached: screen shot 2016-02-21 at 12 46 30]

curl won't download your installer:

$ curl -LO https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate

msarahan commented 8 years ago

Thanks for the report. We have been undergoing some changes to try to get Google Chrome to stop reporting the Anaconda installer as potentially harmful. These changes may have something to do with your error.

Pinging @tpowellcio @ilanschnell

ilanschnell commented 8 years ago

Downloading https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh using curl works fine for me.

remram44 commented 8 years ago

All I can say is that neither curl nor openssl s_client will connect from Debian machines (tried several machines).

ilanschnell commented 8 years ago

Does the download work, when you use http:// (instead of https://) ?

remram44 commented 8 years ago

Yes, it works. This looks to be an issue with your TLS configuration.

msarahan commented 8 years ago

Thanks, Remi. We'll get our IT guys to investigate this as quickly as possible.

msarahan commented 8 years ago

@remram44 can you clarify something for us? We are wondering if you are using Conda's openssl and curl packages. If so, we may be missing certificates for those packages. I have needed to provide those certs for git recently, but not for curl or openssl. I think we may need to put them in a more central place.

remram44 commented 8 years ago

I am using my system's curl and openssl.

Interestingly, using your curl package (7.45.0-0, linux-64) I get:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

apt-file doesn't report any package which contains this ca-bundle.crt.

msarahan commented 8 years ago

Thanks for the extra info. Regarding our curl package and certs, @ahmadia has some good insight here: https://github.com/conda/conda-recipes/issues/352#issuecomment-187265441

I don't think this looks quite like your issue with your system packages not allowing connections, though.

msarahan commented 8 years ago

Sorry, @remram44, we are having a hard time reproducing your issue. Can you try again? Have you been able to reproduce on any other OS? If it is still present for you, can you try updating the certs on your systems? I don't know if they are too old and causing problems. I tried with a CentOS 5.11 VM, and it worked fine, so it shouldn't strictly be tied to age of OS, but rather to the actual certs.

remram44 commented 8 years ago

You can use the debian Docker image for fast reproduction:

# docker run -ti --rm debian /bin/bash
# apt-get update && apt-get install curl
# curl -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate

Or with Vagrant:

$ vagrant init debian/jessie64
$ vagrant up && vagrant ssh
$ curl -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

Or any installation of Debian stable really.

msarahan commented 8 years ago

Yes, I can reproduce this with the docker container. It seems like this is a problem with the version of OpenSSL that Debian ships (1.0.1k). By installing our newer version (1.0.2f), things work OK, once I point curl at the right certs:

root@d505cff5f34b:/etc/ssl/certs# curl -v -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh --capath /etc/ssl/certs --cacert /etc/ssl/certs/cacert.pem
*   Trying 174.129.25.1...
* Connected to repo.continuum.io (174.129.25.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/cacert.pem
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*    subject: C=US; ST=Texas; L=Austin; O=Continuum Analytics Inc; OU=Information Technology; CN=repo.continuum.io
*    start date: Mar  4 00:00:00 2015 GMT
*    expire date: Mar  3 23:59:59 2018 GMT
*    subjectAltName: repo.continuum.io matched
*    issuer: C=US; O=thawte, Inc.; CN=thawte SSL CA - G2
*    SSL certificate verify ok.
> HEAD /miniconda/Miniconda-latest-Linux-x86.sh HTTP/1.1
> Host: repo.continuum.io
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 24147131
Content-Length: 24147131
< Content-Type: application/octet-stream
Content-Type: application/octet-stream
< Date: Mon, 22 Feb 2016 19:25:46 GMT
Date: Mon, 22 Feb 2016 19:25:46 GMT
< ETag: "56731880-17074bb"
ETag: "56731880-17074bb"
< Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
< Server: nginx/1.8.0
Server: nginx/1.8.0
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host repo.continuum.io left intact
root@d505cff5f34b:/etc/ssl/certs# curl -v -I https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh --capath /etc/ssl/certs --cacert /etc/ssl/certs/cacert.pem
*   Trying 23.21.205.0...
* Connected to repo.continuum.io (23.21.205.0) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/cacert.pem
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*    subject: C=US; ST=Texas; L=Austin; O=Continuum Analytics Inc; OU=Information Technology; CN=repo.continuum.io
*    start date: Mar  4 00:00:00 2015 GMT
*    expire date: Mar  3 23:59:59 2018 GMT
*    subjectAltName: repo.continuum.io matched
*    issuer: C=US; O=thawte, Inc.; CN=thawte SSL CA - G2
*    SSL certificate verify ok.
> HEAD /miniconda/Miniconda-latest-Linux-x86.sh HTTP/1.1
> Host: repo.continuum.io
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 24147131
Content-Length: 24147131
< Content-Type: application/octet-stream
Content-Type: application/octet-stream
< Date: Mon, 22 Feb 2016 19:25:53 GMT
Date: Mon, 22 Feb 2016 19:25:53 GMT
< ETag: "56731880-17074bb"
ETag: "56731880-17074bb"
< Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
Last-Modified: Thu, 17 Dec 2015 20:18:08 GMT
< Server: nginx/1.6.2
Server: nginx/1.6.2
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host repo.continuum.io left intact

I believe this issue is upstream. I'd like to close this issue, if it's OK with you - and propose that you explore ways to obtain newer OpenSSL libraries. My workflow was to download Miniconda without HTTPS, then install openssl and curl with that installation.

remram44 commented 8 years ago

The certificate is definitely available on Debian:

$ openssl x509 -noout -hash -in /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
2e4eed3c
$ openssl x509 -noout -hash -in /etc/ssl/certs/thawte_Primary_Root_CA.pem
2e4eed3c

Not sure what's up. Definitely should be reported upstream...

ahmadia commented 8 years ago

Looks like it's an open issue on upstream Debian with Thawte certificates; I'd suggest tracking the issue there.

kalefranz commented 8 years ago

Yeah agree this is a Debian Jessie 8.2 to 8.3 regression.

remram44 commented 8 years ago

This now fails on Ubuntu as well, definitely breaking everyone's CI around the world. Can you consider some kind of workaround? Is it even possible?

$ docker run -ti --rm ubuntu /bin/bash
# curl -I https://repo.continuum.io/miniconda/Miniconda-3.10.1-Linux-x86_64.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

(curl is 7.35.0-1ubuntu2.6, ca-certificates 20160104ubuntu0.14.04.1; ubuntu is ubuntu:trusty)

ahmadia commented 8 years ago

@remram44 - what is the output of: openssl s_client -connect repo.continuum.io:443 on that node?

Here's what I see locally. I wonder if Continuum is not serving a complete certificate chain from repo.continuum.io and if this is the cause of the problems:

zsh 20623 % openssl s_client -connect repo.continuum.io:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", CN = thawte SSL CA - G2
verify return:1
depth=0 C = US, ST = Texas, L = Austin, O = Continuum Analytics Inc, OU = Information Technology, CN = repo.continuum.io
verify return:1

remram44 commented 8 years ago

Here is the full output

lilmatt commented 8 years ago

@ahmadia We serve all 3 certificates in the chain, even though we aren't required to serve the last one.

    $ openssl s_client -showcerts -connect repo.continuum.io:443
    CONNECTED(00000003)
    depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
    verify return:1
    depth=1 C = US, O = "thawte, Inc.", CN = thawte SSL CA - G2
    verify return:1
    depth=0 C = US, ST = Texas, L = Austin, O = Continuum Analytics Inc, OU = Information Technology, CN = repo.continuum.io
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Texas/L=Austin/O=Continuum Analytics Inc/OU=Information Technology/CN=repo.continuum.io
       i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
     1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
       i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
     2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
       i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    ---
    Server certificate
    subject=/C=US/ST=Texas/L=Austin/O=Continuum Analytics Inc/OU=Information Technology/CN=repo.continuum.io
    issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4201 bytes and written 444 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 2F80B9B516A019A4876BA9BE7790ECDD4C4BD2DC67166D507C11E017E5546F18
        Session-ID-ctx: 
        Master-Key: 633D4DADBD237B743E8C4CC7EE9CB64EB3DA9249B0DCED03DE74D9362240D929412C84A47BB52DE73A54492EA35C685D
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:

        Start Time: 1456446048
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
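
The chain above ends in a cross-signed copy of the thawte Primary Root CA, issued by an older Thawte root; a client whose trust store no longer holds that older root can only succeed if its OpenSSL build can fall back to the trusted copy of the root, which is why msarahan's newer OpenSSL worked. The script below is an added example, not from this thread: it builds a throwaway PKI of the same shape (all names, keys and the hostname repo.example.test are constructed) and shows when `openssl verify` reports "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added example, not from the issue thread: a throwaway PKI (constructed here,
# no network) that reproduces "unable to get local issuer certificate" and
# shows which certificates in the server's chain make it go away.
set -eu

# Builds root -> intermediate -> leaf, plus a legacy root that cross-signs the
# real root (the shape of the Thawte chain shown in the thread). Prints the
# work directory. Runs in a subshell so the cd does not leak to the caller.
build_pki() (
  d=$(mktemp -d); cd "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:repo.example.test\n' > leaf.ext
  for n in root legacy int leaf; do                 # one key and CSR each
    openssl req -new -batch -nodes -newkey rsa:2048 -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=Example $n" 2>/dev/null
  done
  openssl x509 -req -in root.csr   -signkey root.key   -days 2 -extfile ca.ext -out root.pem   2>/dev/null
  openssl x509 -req -in legacy.csr -signkey legacy.key -days 2 -extfile ca.ext -out legacy.pem 2>/dev/null
  openssl x509 -req -in int.csr  -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem  -CAkey int.key  -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
  # Cross-sign: the root's own CSR (same subject and key as root.pem), but
  # issued by the legacy root, which is what a server may append to its chain.
  openssl x509 -req -in root.csr -CA legacy.pem -CAkey legacy.key -CAcreateserial \
    -days 2 -extfile ca.ext -out root-cross.pem 2>/dev/null
  echo "$d"
)

# Verifies leaf.pem against a trust store holding only root.pem; the legacy
# root is deliberately absent, mirroring a trust store that dropped an old root.
# $1 = work dir, $2 = file of extra certificates "sent by the server" ("" = none).
# Prints openssl's verdict and returns its exit status.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
  fi
}

D=$(build_pki)
cat "$D/int.pem" > "$D/chain.pem"                           # issuer only
cat "$D/int.pem" "$D/root-cross.pem" > "$D/chain-cross.pem" # issuer + cross-signed root
echo "1) server sends the leaf only (fails: issuer not in the trust store):"
verify_leaf "$D" "" || true
echo "2) server sends leaf + intermediate (OK):"
verify_leaf "$D" chain.pem
# Case 3 is the thread's shape. OpenSSL builds with alternative-chain building
# (1.0.2 and later) reach the trusted root.pem; builds that only follow the
# chain as sent stop at root-cross.pem and report the same error 20.
echo "3) leaf + intermediate + cross-signed root:"
verify_leaf "$D" chain-cross.pem
```

On a live host, the counterpart of case 3 is the `openssl s_client -showcerts` output above: the number of BEGIN CERTIFICATE blocks is the number of certificates the server actually sent.
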
msarahan commented 8 years ago

Reopening until we have a workaround.

lilmatt commented 8 years ago

One workaround is using curl --insecure to download it.

andreas-h commented 8 years ago

Thanks for pointing towards a workaround.

Can you please advise how to apply this workaround when using the conda command line utility to install packages? A simple conda install PACKAGENAME is indeed affected by this issue; using curl doesn't help in that case.

jseabold commented 8 years ago

Any updates on this? The issue was closed as invalid on the Ubuntu tracker AFAICT.

remram44 commented 8 years ago

On Ubuntu 14.04 (libssl now 1.0.1f-1ubuntu2.18), curl is fixed, but openssl s_client still isn't (that was security issue USN-2913-3).

Debian is reacting hopelessly slowly to all this.

jseabold commented 8 years ago

Ran into this for the first time last night. Using latest ubuntu:14.04 docker image with openssl 1.0.1f-1ubuntu2.18. User error?

root@14368037501a:/# dpkg -s openssl
Package: openssl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 907
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 1.0.1f-1ubuntu2.18
Depends: libc6 (>= 2.15), libssl1.0.0 (>= 1.0.1)
Suggests: ca-certificates
Conffiles:
 /etc/ssl/openssl.cnf 7df26c55291b33344dc15e3935dabaf3
Description: Secure Sockets Layer toolkit - cryptographic utility
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It contains the general-purpose command line binary /usr/bin/openssl,
 useful for cryptographic operations such as:
  * creating RSA, DH, and DSA key parameters;
  * creating X.509 certificates, CSRs, and CRLs;
  * calculating message digests;
  * encrypting and decrypting with ciphers;
  * testing SSL/TLS clients and servers;
  * handling S/MIME signed or encrypted mail.
Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
root@14368037501a:/# curl --capath /usr/lib/ssl/certs https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
root@14368037501a:/# wget --ca-directory=/usr/lib/ssl/certs https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
--2016-03-31 14:13:06--  https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh
Resolving repo.continuum.io (repo.continuum.io)... 107.20.210.103, 54.243.153.81, 54.197.250.243
Connecting to repo.continuum.io (repo.continuum.io)|107.20.210.103|:443... connected.
ERROR: cannot verify repo.continuum.io's certificate, issued by ‘/C=US/O=thawte, Inc./CN=thawte SSL CA - G2’:
  Unable to locally verify the issuer's authority.
To connect to repo.continuum.io insecurely, use `--no-check-certificate'.

remram44 commented 8 years ago

@jseabold does curl work without --capath?

jseabold commented 8 years ago

No

root@7cc2a144eac0:/# curl -LO https://repo.continuum.io/miniconda/Miniconda-latest-Linux-x86.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

TomFreudenberg commented 8 years ago

Hi, maybe this helps as a workaround fix for you too:

https://github.com/4commerce-technologies-AG/meteor/issues/37#issuecomment-184310053

ssbarnea commented 8 years ago

We were hit by the same error and clearly any way to avoid SSL verification would be a huge security issue which should be avoided even if that's only for testing purpose.

jmfee-usgs commented 8 years ago

Ran into a similar problem building debian:jessie based docker images that use conda, after our organization started using an SSL proxy. Here are the steps I took to use conda with our organization's custom SSL certificate.

apt-get install -y ca-certificates
mkdir -p /usr/local/share/ca-certificates
cp organization_certificate.crt /usr/local/share/ca-certificates/.
update-ca-certificates
conda config --set ssl_verify /etc/ssl/certs/ca-certificates.crt