mirage / ca-certs

Detect root CA certificates from the operating system
ISC License

no trust anchor file found #25

Open Gau-thier opened 1 year ago

Gau-thier commented 1 year ago

I am facing the following error on my project:

Uncaught exception:

  (Failure
    "ca-certs: no trust anchor file found, looked into /etc/ssl/certs/ca-bundle.crt.\
   \nPlease report an issue at https://github.com/mirage/ca-certs, including:\
   \n- the output of uname -s\
   \n- the distribution you use\
   \n- the location of default trust anchors (if known)\
   \n")

Here are the details:

$ uname -s
Darwin

$ sw_vers
ProductName:    macOS
ProductVersion: 12.6
BuildVersion:   21G115

hannesm commented 1 year ago

Thanks for your report. Would you mind running the command security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain and providing the output?

mcstafford-git commented 1 year ago

security find-certificate -a -p

I've got a similar problem on a debian with a few cert issues. It seems there's some cruft from previous config. One of the messages refers to a path that no longer exists, so it may be related to an error-handling issue having to do with missing or null values.

I re-created the missing directory and appended the content from another file to the absent file to work around it.

After that semgrep --config auto worked without an error.

hannesm commented 1 year ago

Thanks for your comment. On debian, the following paths should be looked up in order:

  ( Debian/Ubuntu/Gentoo etc. ) "/etc/ssl/certs/ca-certificates.crt";
  ( CentOS/RHEL 7 ) "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem";
  ( OpenSUSE ) "/etc/ssl/ca-bundle.pem";

So, does "/etc/ssl/certs/ca-certificates.crt" exist on your system, and is it a file?

> It seems there's some cruft from previous config.

Sorry to hear about that.

> One of the messages refers to a path that no longer exists, so it may be related to an error-handling issue having to do with missing or null values.

Would you mind elaborating: which path no longer exists? And which "error-handling issues" are you talking about?

m1ssya commented 8 months ago

Can I customize the path of the trust anchor file?

hannesm commented 8 months ago

> Can I customize the path of the trust anchor file?

Yes indeed -- as documented in the API docs https://ocaml.org/p/ca-certs/latest/doc/Ca_certs/index.html#val-trust_anchors you can set the environment variable(s) "SSL_CERT_FILE" or "NIX_SSL_CERT_FILE", which are then respected.

m1ssya commented 8 months ago

> > Can I customize the path of the trust anchor file?

> Yes indeed -- as documented in the API docs https://ocaml.org/p/ca-certs/latest/doc/Ca_certs/index.html#val-trust_anchors you can set the environment variable(s) "SSL_CERT_FILE" or "NIX_SSL_CERT_FILE", which are then respected.

Thank you so much, it works
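
Added example, not part of the thread or of ca-certs: a diagnostic for the file-based lookup discussed above. It checks the SSL_CERT_FILE and NIX_SSL_CERT_FILE overrides and then the three bundle paths listed in the thread, reporting whether each is a regular file holding at least one PEM certificate. The function names and the order in which the two variables are tried are assumptions.

```shell
#!/bin/sh
# Diagnostic for "no trust anchor file found" (added example, not ca-certs code).

# Bundle paths quoted in the thread, in the order given there.
CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/ca-bundle.pem"

# bundle_status PATH: print why PATH can or cannot serve as a trust anchor file.
bundle_status() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then echo "dangling symlink"
    elif [ ! -e "$1" ]; then echo "missing"
    elif [ ! -f "$1" ]; then echo "not a regular file"
    elif [ ! -r "$1" ]; then echo "not readable"
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "no PEM certificate"
    else echo "ok"
    fi
}

# find_trust_anchors [PATH...]: report every path tried on stderr and print
# the first usable one on stdout. Environment overrides are checked first
# (assumed order: SSL_CERT_FILE, then NIX_SSL_CERT_FILE). With no arguments,
# the paths from the thread are used. Returns 1 if nothing is usable.
find_trust_anchors() {
    [ "$#" -gt 0 ] || set -- $CANDIDATES
    for p in "${SSL_CERT_FILE:-}" "${NIX_SSL_CERT_FILE:-}" "$@"; do
        [ -n "$p" ] || continue
        s=$(bundle_status "$p")
        echo "$p: $s" >&2
        [ "$s" = ok ] && { echo "$p"; return 0; }
    done
    return 1
}

find_trust_anchors "$@" || echo "no usable trust anchor bundle found" >&2
```

A status other than "ok" for a path the system is expected to provide points to a removed directory, a broken symlink, or an empty bundle; setting SSL_CERT_FILE to a path that reports "ok" is the override described in the thread.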