Failed to update index repository crates-io: [60] SSL peer certificate or SSH remote key was not OK (Peer's Certificate issuer is not recognized.).

[woshilapin]

Whenever I try to run a command to update a package (or all packages), I end up with the following error.

❯ cargo install-update bat
    Polling registry 'https://index.crates.io/'
Failed to update index repository crates-io: package bat: HTTP 0.
❯ cargo install-update --list
    Polling registry 'https://index.crates.io/'
Failed to update index repository crates-io: package alacritty: HTTP 0.

I'm not sure what causes this. I was able to work with cargo-update for months (possibly years) without any problem. A possible cause would be my update to the latest Ubuntu 23.04 (the current error is one of the first things I did since I updated my Ubuntu).

I did reinstall entirely cargo-update with cargo install cargo-update, but same result.

[nabijaczleweli]

What if you run CARGO_REGISTRIES_CRATES_IO_PROTOCOL=git cargo install-update -l? Do you have any non-default config in ~/.cargo?

That's a very weird error, because it means that libcurl ended the index request but returned a zero status, indeed

The stored value will be zero if no server response code has been received.

[nabijaczleweli]

Can you try the current master branch (at least 743d5ab48e2f79932f44f3e0c9f2cc1747b51952)? It should write a useful message for this error and thus should help debug what the error actually is.

[woshilapin]

First, thank you for the very fast reply.

What if you run CARGO_REGISTRIES_CRATES_IO_PROTOCOL=git cargo install-update -l?

This command does work.

Do you have any non-default config in ~/.cargo?

I did happen to have the following configuration in ~/.cargo/config.toml.

[registries.crates-io]
protocol = "sparse"

but that was one of the thing I suspected so I commented it before reporting the issue. So with or without this configuration, I can see the same error.

Can you try the current master branch (at least 743d5ab)? It should write a useful message for this error and thus should help debug what the error actually is.

❯ cargo run --release --bin cargo-install-update -- install-update --list
    Finished release [optimized] target(s) in 0.05s
     Running `target/release/cargo-install-update install-update --list`
    Polling registry 'https://index.crates.io/'
Failed to update index repository crates-io: package alacritty: [60] SSL peer certificate or SSH remote key was not OK (Peer's Certificate issuer is not recognized.).

I can see in the changelog of the new Ubuntu version that they did update the list of Certificate Authorities (look for the section Security Improvements in release notes).

Sorry, don't have much time to dig more right now. I'll try to see these authorities when time allows.

[nabijaczleweli]

cargo-update defaults to registries.crates-io.protocol = "sparse" on all versions that support it (much like cargo will since 1.70).

"Certificate issuer is not recognised" is, as insane as it looks, correct, at least for me?

The certificate looks to be

$ echo | openssl s_client -showcerts -servername index.crates.io -connect index.crates.io:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:a1:e6:f1:65:62:52:6b:7c:f3:e5:6b:10:f3:44:2f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Amazon, CN = Amazon RSA 2048 M02
        Validity
            Not Before: Jan 25 00:00:00 2023 GMT
            Not After : Feb 23 23:59:59 2024 GMT
        Subject: CN = crates.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e6:2b:e9:d9:bf:07:2a:86:92:c8:0a:bf:1a:de:
                    19:25:b1:0b:2f:f1:61:54:d5:e1:9c:79:8f:bd:d8:
                    6f:90:3e:af:b4:64:b1:25:08:5b:00:27:ed:34:10:
                    78:2a:8a:fc:cc:af:ba:a3:59:90:4a:94:75:48:d9:
                    d0:e4:e2:89:22:4a:38:b3:e7:bb:a7:8b:6e:15:5d:
                    db:e0:b4:b1:87:e9:cd:05:99:81:4e:f1:26:6f:99:
                    c2:56:cf:dc:ef:c8:57:b4:b3:ee:e3:c5:ac:e2:b7:
                    7e:52:3c:fa:64:47:06:7c:ad:79:5f:e5:d3:d3:8b:
                    09:16:84:11:4a:79:13:c2:13:b7:0e:c4:57:c1:45:
                    f1:85:c9:2f:34:97:a7:47:a8:b4:74:7d:d4:9b:92:
                    3b:b0:87:f3:83:13:05:87:ae:9a:92:0d:8f:13:cb:
                    3b:fe:83:34:54:26:38:fb:d8:70:bd:64:53:aa:9c:
                    fe:07:28:b7:5c:ed:4f:87:e0:59:72:f2:61:2f:09:
                    f8:b7:f2:9d:19:a4:94:ec:45:7c:fa:a8:4d:bb:89:
                    8f:e9:db:23:09:8d:37:1a:98:5a:d7:00:af:96:1e:
                    15:87:f4:ec:a9:1d:d1:e2:83:e1:86:88:61:f9:6d:
                    d8:76:b4:de:f0:37:aa:b3:99:d6:f5:7a:ed:07:df:
                    05:fd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:C0:31:52:CD:5A:50:C3:82:7C:74:71:CE:CB:E9:9C:F9:7A:EB:82:E2

            X509v3 Subject Key Identifier:
                1D:A3:A5:20:A8:ED:8D:EB:5E:DC:4E:99:03:E7:8B:FB:D0:F0:88:5D
            X509v3 Subject Alternative Name:
                DNS:crates.io, DNS:cloudfront-static.crates.io, DNS:index.crates.io, DNS:static.crates.io
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.r2m02.amazontrust.com/r2m02.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

            Authority Information Access:
                OCSP - URI:http://ocsp.r2m02.amazontrust.com
                CA Issuers - URI:http://crt.r2m02.amazontrust.com/r2m02.cer

            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Jan 25 09:21:02.180 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:F1:DD:B8:A2:29:92:81:EC:22:87:31:
                                4A:B6:E5:C3:4B:17:94:46:85:FA:A3:46:5D:13:7C:0D:
                                44:50:9C:3C:9E:02:21:00:D8:A2:FC:89:2C:46:2F:A0:
                                17:75:59:BA:A7:FE:36:91:3A:85:A9:9C:FB:6B:13:25:
                                89:86:FC:80:9E:EC:7D:D4
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 73:D9:9E:89:1B:4C:96:78:A0:20:7D:47:9D:E6:B2:C6:
                                1C:D0:51:5E:71:19:2A:8C:6B:80:10:7A:C1:77:72:B5
                    Timestamp : Jan 25 09:21:02.286 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:46:06:F1:5B:4C:B0:87:91:14:CC:EF:5A:
                                F4:C2:C9:47:8D:C6:AB:CB:C5:26:19:0E:EB:77:BC:2C:
                                99:97:28:04:02:20:3D:96:15:9E:2D:82:20:AD:3E:53:
                                B6:A2:8E:57:B5:2E:A1:0F:0C:8D:94:B6:09:C5:B6:B2:
                                86:79:F5:E1:74:05
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Jan 25 09:21:02.228 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:4D:FD:74:59:AA:C4:05:14:9A:22:62:19:
                                6F:47:4B:4F:D5:6C:42:2D:D3:00:BD:54:8D:23:0A:58:
                                BD:4F:6F:24:02:21:00:C7:5F:52:97:61:F3:87:AD:84:
                                D2:D2:12:9B:9A:75:BE:61:AB:2B:72:7E:9B:7B:B7:7E:
                                6E:7E:61:CB:82:75:45
    Signature Algorithm: sha256WithRSAEncryption
         8d:fe:8e:5d:c0:18:5a:81:56:ad:c0:9a:8f:7b:bb:ce:af:ff:
         31:f2:90:64:10:16:f6:fd:2f:21:5d:84:88:70:f0:e9:88:fc:
         2f:3d:62:65:32:f9:91:15:b1:cd:06:04:ee:63:7f:75:eb:fe:
         d5:03:89:d8:20:6d:1b:da:6a:36:91:d6:5b:f9:85:60:ba:1e:
         30:12:83:87:57:ff:cf:1e:c3:97:8a:c5:5f:5d:76:37:0d:6f:
         5e:5b:ce:ec:56:3c:bc:3e:5f:63:40:ab:d4:be:41:19:e4:0d:
         99:2b:fd:55:b4:ad:84:a7:bb:76:0e:13:0c:72:b3:9e:89:48:
         3c:c7:c7:f5:16:aa:45:07:6f:56:ec:3b:a8:b1:c4:df:2c:6c:
         a8:cc:e1:40:de:07:d5:87:bc:b1:ce:f3:90:7c:6f:9a:e0:b6:
         aa:d3:da:f2:2a:3b:5c:2d:c7:1a:37:4d:8e:f6:78:31:2a:bb:
         c3:75:31:f6:ad:4c:46:8e:68:91:10:bb:ce:a6:78:63:bb:59:
         bc:7a:41:05:f7:38:97:37:ba:53:db:07:0f:bf:a3:6b:17:bd:
         8c:72:db:9d:6c:90:94:70:bf:28:b4:d1:d1:a1:c4:64:a5:46:
         66:c6:1a:65:e9:59:8f:7b:08:f9:18:d6:22:70:43:bd:ee:27:
         8a:b1:52:3d

OTOH, it does work on bullseye and sid, as well as my pretty old win32, so hell knows.

[woshilapin]

I'm guessing I will not be the only one to have such certificate issues on the new Ubuntu then. Let's wait for the dust to settle, I'm guessing this should be resolved relatively quick.

[nabijaczleweli]

Yep, that was also what I was gonna do (not that I can do much more :v)

I'll just upload a new release – v13.0.2 – with the improved error reporting and make the issue subject reflective of the new error

[woshilapin]

Let's wait for the dust to settle The dust as settled, there seems to have been not much activity on this issue since. I'm closing it. Feel free to reopen if you feel that it should stay open.