Homebrew / homebrew-core

🍻 Default formulae for the missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

Curl fails saying "unknown CA" #122355

Closed Rylan12 closed 1 year ago

Rylan12 commented 1 year ago

brew gist-logs <formula> link OR brew config AND brew doctor output

$ brew config
HOMEBREW_VERSION: 3.6.20-259-g4b6c906
ORIGIN: https://github.com/Homebrew/brew
HEAD: 4b6c90679341e1c161fe913bca9af8fdd85bc1cf
Last commit: 6 minutes ago
Core tap origin: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 5f1582e4d551b8cfdfbb43d43df5fc6c0e76a502
Core tap last commit: 86 minutes ago
Core tap branch: master
Core tap JSON: 05 Feb 17:21 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_AUTOREMOVE: set
HOMEBREW_BAT: set
HOMEBREW_BAT_CONFIG_PATH: /Users/rylanpolster/.dotfiles/batconfig
HOMEBREW_BOOTSNAP: set
HOMEBREW_CASK_OPTS: []
HOMEBREW_DEVELOPER: set
HOMEBREW_EDITOR: vim
HOMEBREW_FORCE_BREWED_GIT: set
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_GITHUB_PACKAGES_TOKEN: set
HOMEBREW_GITHUB_PACKAGES_USER: Rylan12
HOMEBREW_INSTALL_FROM_API: set
HOMEBREW_MAKE_JOBS: 10
HOMEBREW_NO_AUTO_UPDATE: set
HOMEBREW_PRY: set
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 14.0.0 build 1400
Git: 2.39.1 => /opt/homebrew/opt/git/bin/git
Curl: 7.85.0 => /usr/bin/curl
macOS: 13.1-arm64
CLT: N/A
Xcode: 14.2
Rosetta 2: false

$ brew doctor
Your system is ready to brew.

Verification

What were you trying to do (and why)?

Use Homebrew's curl or other formulae that depend on Homebrew's curl like wget or youtube-dl

What happened (include all command output)?

I get this error when using curl:

$ /opt/homebrew/opt/curl/bin/curl -vvv https://example.com
*   Trying 93.184.216.34:443...
* Connected to example.com (93.184.216.34) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And similar errors appear when Homebrew curl is used in other things. For example:

$ wget https://formulae.brew.sh/api/formula/hello.json
--2023-02-05 18:33:38--  https://formulae.brew.sh/api/formula/hello.json
Resolving formulae.brew.sh (formulae.brew.sh)... 185.199.111.153, 185.199.108.153, 185.199.109.153, ...
Connecting to formulae.brew.sh (formulae.brew.sh)|185.199.111.153|:443... connected.
ERROR: cannot verify formulae.brew.sh's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
To connect to formulae.brew.sh insecurely, use `--no-check-certificate'.

I've tried reinstalling ca-certificates several times which does not seem to work. There do not appear to be new versions available for ca-certificates or curl (checking both with livecheck and manually).

I also tried setting HOMEBREW_NO_INSTALL_FROM_API and reinstalling ca-certificates and curl, with no luck.

What did you expect to happen?

No errors and normal curl/wget behavior.

Step-by-step reproduction instructions (by running brew commands)

brew install curl
curl -vvv https://example.com

CC @woodruffw, @EricFromCanada, @SMillerDev, @samford (Sorry if I tagged you but you're not interested, you all are just the folks I was talking about this to earlier)

woodruffw commented 1 year ago

Just to roughly summarize my guess earlier: my first thought was that ca-certificates is out of date, and is missing an intermediate cert for the Let's Encrypt CA.

Given that ca-certificates appears to be up-to-date, my other guess would be a regression in certificate validation for cross-signed certs in whatever SSL library both curl and wget use, but that also looks unlikely (since both openssl@1.1 and openssl@3 haven't been updated since November).

My last guess would be some kind of dumb permissions thing -- curl and wget need the right permissions to read the CA bundle installed by ca-certificates, but that should be true by default.

samford commented 1 year ago

Hmm, I vaguely remember your previous ca-certificates issue likely being resolved by a reinstall (albeit, after you fixed a temporary shim issue you had introduced while debugging), so that's interesting. Maybe we can tinker with it sometime after the AGM's done.

carlocab commented 1 year ago

Works for me (different machines):

❯ /usr/local/opt/curl/bin/curl -vvv https://example.com 2>&1 | rg 'SSL certificate'
*  SSL certificate verify ok.
❯ /opt/homebrew/opt/curl/bin/curl -vvv https://example.com 2>&1 | rg 'SSL certificate'
*  SSL certificate verify ok.

Try:

rm "$(brew --prefix)"/etc/{openssl@{1.1,3},ca-certificates}/cert.pem
brew reinstall ca-certificates
brew postinstall openssl@{1.1,3}

Rylan12 commented 1 year ago

Huh, I got this:

$ rm "$(brew --prefix)"/etc/{openssl@{1.1,3},ca-certificates}/cert.pem
rm: /opt/homebrew/etc/openssl@1.1/cert.pem: No such file or directory
rm: /opt/homebrew/etc/openssl@3/cert.pem: No such file or directory

Running the following seemed to do the trick though:

$ brew reinstall openssl@{1.1,3}

$ brew reinstall ca-certificates

$ brew reinstall curl

$ /opt/homebrew/opt/curl/bin/curl -vvv https://example.com 2>&1 | rg 'SSL certificate'
*  SSL certificate verify ok.

Any idea how that happened or how to stop it from happening again? If not, guess this can be closed. Thanks for your help!

carlocab commented 1 year ago

Post-install for OpenSSL probably didn't run for you before.
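A diagnostic for the layout this thread converges on, added here as an example (not Homebrew's own code and not part of any commenter's instructions): it checks that the ca-certificates bundle exists and contains certificates, and that every installed openssl@* has the etc/openssl@*/cert.pem that post-install is supposed to create, naming the brew command to rerun for whatever is missing. It assumes the Homebrew prefix is passed as the first argument (e.g. "$(brew --prefix)") and the bundle path etc/ca-certificates/cert.pem from the rm command above.

```shell
#!/bin/sh
# Added diagnostic, not part of Homebrew. Verifies the CA bundle wiring that
# curl/wget depend on: <prefix>/etc/ca-certificates/cert.pem (installed by
# ca-certificates) and <prefix>/etc/openssl@*/cert.pem (created by the
# openssl@* post-install step). A missing link is what produced "unknown CA".
# Exit codes: 0 all good, 1 an openssl@* cert.pem is missing, 2 bundle unusable.
check_ca_bundle() {
  prefix="$1"; rc=0
  bundle="$prefix/etc/ca-certificates/cert.pem"

  # 1. The bundle itself must be readable and hold at least one PEM certificate.
  if [ ! -r "$bundle" ]; then
    echo "MISSING: $bundle -> brew reinstall ca-certificates"
    return 2
  fi
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  if [ "$n" -lt 1 ]; then
    echo "EMPTY: $bundle has no certificates -> brew reinstall ca-certificates"
    return 2
  fi
  echo "OK: $bundle ($n certificates)"

  # 2. Each installed openssl@* needs etc/openssl@*/cert.pem resolving to a
  #    readable bundle; formulae that are not installed are skipped.
  for f in openssl@1.1 openssl@3; do
    [ -d "$prefix/etc/$f" ] || continue
    link="$prefix/etc/$f/cert.pem"
    if [ ! -e "$link" ]; then
      if [ -L "$link" ]; then
        echo "DANGLING: $link -> brew postinstall $f"
      else
        echo "MISSING: $link -> brew postinstall $f"
      fi
      rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$link"; then
      echo "BAD: $link contains no certificates -> brew postinstall $f"
      rc=1
    else
      echo "OK: $link"
    fi
  done
  return "$rc"
}

# Run directly as: sh check_ca_bundle.sh "$(brew --prefix)"
[ -n "${1:-}" ] && check_ca_bundle "$1"
```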

Rylan12 commented 1 year ago

Huh, well good to know. Hopefully, that solves it for good this time. Thanks for your help!