search

Homebrew / brew

🍺 The missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License
40.95k stars 9.61k forks source link

SSL error with any bottle from bintray #1284

Closed Blaisorblade closed 7 years ago

Blaisorblade commented 7 years ago

Please follow the general troubleshooting steps first:

Upgrading/installing any package fails downloading bottles with the same SSL error:

$ brew install suite-sparse
==> Installing suite-sparse from homebrew/science
==> Installing dependencies for homebrew/science/suite-sparse: tbb
==> Installing homebrew/science/suite-sparse dependency: tbb
==> Downloading https://homebrew.bintray.com/bottles/tbb-4.4-20160916.el_capitan.bottle.tar.gz

curl: (51) SSL: certificate verification failed (result: 5)
Error: Failed to download resource "tbb"
Download failed: https://homebrew.bintray.com/bottles/tbb-4.4-20160916.el_capitan.bottle.tar.gz
Warning: Bottle installation failed: building from source.
==> Installing dependencies for tbb: swig
==> Installing tbb dependency: swig
==> Downloading https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz

curl: (51) SSL: certificate verification failed (result: 5)
Error: Failed to download resource "swig"
Download failed: https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz
Warning: Bottle installation failed: building from source.
==> Using the sandbox
==> Downloading https://downloads.sourceforge.net/project/swig/swig/swig-3.0.10/swig-3.0.10.tar.gz
^C
$ curl -v -L https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz
*   Trying 5.153.35.248...
* Connected to homebrew.bintray.com (5.153.35.248) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.bintray.com
* Server certificate: GeoTrust SSL CA - G3
* Server certificate: GeoTrust Global CA
> GET /bottles/swig-3.0.10.el_capitan.bottle.tar.gz HTTP/1.1
> Host: homebrew.bintray.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302
< Server: nginx
< Date: Thu, 13 Oct 2016 12:49:14 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://akamai.bintray.com/81/81cc6f9f504d1a3631869e91398c0947c7423c867a3fbfc199dc28e8519b252a?__gda__=exp=1476363674~hmac=df10dd8ecf3a4a9cd38c0027478957127a32f8f678f83dc9ea210045b8da1277&response-content-disposition=attachment%3Bfilename%3D%22swig-3.0.10.el_capitan.bottle.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX1-RiSZvkGBl3_0l4toCPGSjFyUovsjbzScg9J96Uy65gIv7QXr9fOxTdzl4iDVQMIub8WnLn2nf6FG4qydsl_enVd-1LAQH-MB0CIkV7QMjrZmqUz5J9XDpUrmQWaLuehR_vb1Yi41pNQ
<
* Connection #0 to host homebrew.bintray.com left intact
* Issue another request to this URL: 'https://akamai.bintray.com/81/81cc6f9f504d1a3631869e91398c0947c7423c867a3fbfc199dc28e8519b252a?__gda__=exp=1476363674~hmac=df10dd8ecf3a4a9cd38c0027478957127a32f8f678f83dc9ea210045b8da1277&response-content-disposition=attachment%3Bfilename%3D%22swig-3.0.10.el_capitan.bottle.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX1-RiSZvkGBl3_0l4toCPGSjFyUovsjbzScg9J96Uy65gIv7QXr9fOxTdzl4iDVQMIub8WnLn2nf6FG4qydsl_enVd-1LAQH-MB0CIkV7QMjrZmqUz5J9XDpUrmQWaLuehR_vb1Yi41pNQ'
*   Trying 23.5.101.133...
* Connected to akamai.bintray.com (23.5.101.133) port 443 (#1)
* SSL: certificate verification failed (result: 5)
* Closing connection 1
curl: (51) SSL: certificate verification failed (result: 5)

My curl is the one from OS X 10.11.6:

$ which curl
/usr/bin/curl
$ curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

This is a dup from #849, but I've checked through the Troubleshooting page and common issues. https://github.com/Homebrew/brew/blob/master/docs/Common-Issues.md

I've also upgraded curl (which didn't help), tried brew link --force curl (which didn't help), tried upgrading openssl (currently building from source). For extra fun, downloading the makedepend bottle did work.

$ brew upgrade openssl
==> Upgrading 1 outdated package, with result:
openssl 1.0.2j
==> Upgrading openssl
==> Downloading https://homebrew.bintray.com/bottles/openssl-1.0.2j.el_capitan.bottle.tar.gz

curl: (51) SSL: certificate verification failed (result: 5)
Error: Failed to download resource "openssl"
Download failed: https://homebrew.bintray.com/bottles/openssl-1.0.2j.el_capitan.bottle.tar.gz
Warning: Bottle installation failed: building from source.
==> Installing dependencies for openssl: makedepend
==> Installing openssl dependency: makedepend
==> Downloading https://homebrew.bintray.com/bottles/makedepend-1.0.5.el_capitan.bottle.1.tar.gz
######################################################################## 100.0%
==> Pouring makedepend-1.0.5.el_capitan.bottle.1.tar.gz
🍺  /usr/local/Cellar/makedepend/1.0.5: 7 files, 72.6K
==> Using the sandbox
==> Downloading https://www.openssl.org/source/openssl-1.0.2j.tar.gz
######################################################################## 100.0%
==> perl ./Configure --prefix=/usr/local/Cellar/openssl/1.0.2j --openssldir=/usr/local/etc/openssl no-ssl2 zlib-dynamic shared enable-cms darwin64-x86_64-cc enable-ec_nistp_64_gcc
==> make depend
MikeMcQuaid commented 7 years ago

What does curl https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz output? What's your brew config?

Blaisorblade commented 7 years ago

The output of curl -v -L https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz is above; plain curl outputs nothing because it doesn't follow redirections:

$ curl https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz
$ echo $?
0
$ ls swig*
gls: cannot access 'swig*': No such file or directory
$ curl -v https://homebrew.bintray.com/bottles/swig-3.0.10.el_capitan.bottle.tar.gz
*   Trying 5.153.35.248...
* Connected to homebrew.bintray.com (5.153.35.248) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.bintray.com
* Server certificate: GeoTrust SSL CA - G3
* Server certificate: GeoTrust Global CA
> GET /bottles/swig-3.0.10.el_capitan.bottle.tar.gz HTTP/1.1
> Host: homebrew.bintray.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302
< Server: nginx
< Date: Thu, 13 Oct 2016 13:15:24 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://akamai.bintray.com/81/81cc6f9f504d1a3631869e91398c0947c7423c867a3fbfc199dc28e8519b252a?__gda__=exp=1476365244~hmac=15e6d5a99ee7e6f3e274fba7dd547444eb77868530f43d5682e66a84b03ce811&response-content-disposition=attachment%3Bfilename%3D%22swig-3.0.10.el_capitan.bottle.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX1_1rBM4hypfnJ-1D_pwAp8q0un68uwmyl9VYDCO_MGzNXVym3ELJ2IsXqJr6VVzuFZZByIvEDtpE-sgjOt2YGYYFPFlw_6Bun2K_nTZHeiqgEbec2nXA0dm_xoXWJmc7uPsCP7neIqx-g
<
* Connection #0 to host homebrew.bintray.com left intact

Configuration:

$ brew config
HOMEBREW_VERSION: 1.0.7-42-g8d6921d
ORIGIN: https://github.com/Homebrew/brew.git
HEAD: 8d6921d7f3bfc7be5770cfe2a30791e9a35d9cc2
Last commit: 5 hours ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: d1a9707a6e77e1aa09440bfdf555c9ac8e6efb26
Core tap last commit: 85 minutes ago
HOMEBREW_PREFIX: /usr/local
HOMEBREW_REPOSITORY: /usr/local/Homebrew
HOMEBREW_CELLAR: /usr/local/Cellar
HOMEBREW_BOTTLE_DOMAIN: https://homebrew.bintray.com
CPU: octa-core 64-bit haswell
Homebrew Ruby: 2.0.0-p648
Clang: 7.3 build 703
Git: 2.10.0 => /usr/local/bin/git
Perl: /usr/local/bin/perl => /usr/local/Cellar/perl/5.24.0_1/bin/perl
Python: /usr/local/bin/python => /usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/bin/python2.7
Ruby: /usr/local/bin/ruby => /usr/local/Cellar/ruby/2.3.1/bin/ruby
Java: 1.8.0_92, 1.7.0_80
macOS: 10.11.6-x86_64
Xcode: N/A
CLT: 7.3.1.0.1.1461711523
X11: 2.7.9 => /opt/X11
MikeMcQuaid commented 7 years ago

There's nothing we can do here, I'm afraid. I suggest you contact Bintray support.

Blaisorblade commented 7 years ago

I googled this and it turned out to be a duplicate of https://github.com/Homebrew/legacy-homebrew/issues/49373 and https://github.com/Homebrew/legacy-homebrew/issues/32019.

Can I open an issue to add this to brew doctor as suggested in https://github.com/Homebrew/legacy-homebrew/issues/49373#issuecomment-228568090? I'm uneasy with that as you seem to try to close issues as fast as possible, even though somebody else could work on them; in most other projects, the issue tracker has issues which are open to the community.

MikeMcQuaid commented 7 years ago

I'm uneasy with that as you seem to try to close issues as fast as possible, even though somebody else could work on them; in most other projects, the issue tracker has issues which are open to the community.

Could you try and open a pull request? This document should help and I'm happy to walk you through anything else. It should be pretty straightforward, you're checking for if ENV["SSL_CERT_FILE"] and printing a message if that's the case.

Closing an issue does not mean the community cannot address it; the problem with leaving these things open is they tend to sit that way indefinitely.

There's a general approach in https://github.com/Homebrew/brew/issues/932 that I'll be working on soonish and will fix all these issues.

Thanks!

mpatnode commented 7 years ago

JFYI: Comcast definitely has a problem with bintray.com. Switching to my VPN solved it.