Unidata / netcdf-c

Official GitHub repository for netCDF-C libraries and utilities.
BSD 3-Clause "New" or "Revised" License

NetCDF 4.9.2: SSL peer certificate or SSH remote key was not OK #2705

Closed Alexander-Barth closed 1 year ago

Alexander-Barth commented 1 year ago

Unfortunately, the issue described here resurfaces again after updating to netCDF 4.9.2.

If you recall, for the libcurl used in the Julia ecosystem, we need to explicitly declare the path for the CA certificates. Previously, we used the private function NC_rcfile_insert, which does not work anymore in 4.9.2, but in the latest version we have the new public function nc_set_rc instead and call it with the function argument HTTP.SSL.CAINFO and the path "/etc/ssl/certs/ca-certificates.crt". This file does indeed exist on my system and seems to be the correct one to use:

 ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 190243 Feb 13 16:59 /etc/ssl/certs/ca-certificates.crt

When accessing an HTTPS OPeNDAP resource, I get the following error:

Error:curl error: SSL peer certificate or SSH remote key was not OK
curl error details: 
Warning:oc_open: Could not read url

This error occurs at the call of nc_open using the URL https://rda.ucar.edu/thredds/dodsC/files/g/ds084.1/2018/20181231/gfs.0p25.2018123118.f003.grib2 (according to my web browser the certificate is valid).

With the call to nc_get_rc I do indeed get the correct path (/etc/ssl/certs/ca-certificates.crt).

Surprisingly, the error persists if I create a file ~/.ncrc with the content:

$ cat .ncrc
HTTP.SSL.CAINFO=/etc/ssl/certs/ca-certificates.crt

I am using Ubuntu 22.04.2 and NetCDF 4.9.2 is compiled with gcc 5.2.
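As an added diagnostic (not code from the issue or from netcdf-c), the following parses an .ncrc file of the form shown above and classifies the HTTP.SSL.CAINFO bundle the way a curl-based client experiences it, including the "Permission denied" case that appears later in this thread. It assumes only the plain KEY=VALUE syntax used above, with '#' comment lines; the sample file is constructed.

```python
import os
import re

# Constructed sample ~/.ncrc mirroring the one-line file in the report.
# Assumption: '#' lines are comments and other lines are KEY=VALUE.
SAMPLE_NCRC = """\
# netCDF runtime configuration (constructed sample)
HTTP.SSL.CAINFO=/etc/ssl/certs/ca-certificates.crt
"""

_PEM_BEGIN = re.compile(r"-----BEGIN CERTIFICATE-----")


def parse_ncrc(text):
    """Return a dict of KEY -> VALUE for the plain KEY=VALUE lines of an .ncrc."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def check_cainfo(path):
    """Classify a CA bundle path as 'missing', 'unreadable' (what chmod go-rwx
    produces for a non-root user), 'not-pem' (no certificate blocks) or 'ok'."""
    if not os.path.isfile(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    with open(path, "rb") as fh:
        data = fh.read().decode("ascii", "replace")
    if not _PEM_BEGIN.search(data):
        return "not-pem"
    return "ok"


def diagnose(ncrc_text):
    """Resolve HTTP.SSL.CAINFO from .ncrc text and check the bundle it names."""
    path = parse_ncrc(ncrc_text).get("HTTP.SSL.CAINFO")
    if path is None:
        return ("unset", None)
    return (check_cainfo(path), path)


if __name__ == "__main__":
    print(diagnose(SAMPLE_NCRC))
```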

WardF commented 1 year ago

I'll look into this, @DennisHeimbigner does anything immediately leap out at you?

DennisHeimbigner commented 1 year ago

Two comments:

  1. Try this command: 'chmod go-rwx /etc/ssl/certs/ca-certificates.crt', then try again.
  2. Do you have this PR installed? https://github.com/Unidata/netcdf-c/pull/2690

Alexander-Barth commented 1 year ago

  1. 'chmod go-rwx /etc/ssl/certs/ca-certificates.crt'

I get the error from the julia package NetworkOptions: "/etc/ssl/certs/ca-certificates.crt": Permission denied

Also command line curl does not work anymore after this change.

$ curl https://www.github.com
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

I reverted this change. The patch in point 2 seems to work. Thanks!