openfaas / faas-cli

Official CLI for OpenFaaS
https://www.openfaas.com/

Some hosts rejecting the SSL certificate on install. #899

Closed Tarang closed 3 years ago

Tarang commented 3 years ago

Previously this command used to work, a few days ago:

curl -sSL https://cli.openfaas.com | sh
..

Now it does this:

$ curl -sSL https://cli.openfaas.com | sh
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Expected Behaviour

Expect it to install

Current Behaviour

Returns SSL validation issue

Are you a GitHub Sponsor (Yes/No?)

No

Check at: https://github.com/sponsors/openfaas

List All Possible Solutions and Workarounds

Make it insecure

Which Solution Do You Recommend?

Steps to Reproduce (for bugs)

  1. Use Google cloud build
  2. Run install command on bash

Context

Your Environment

Google cloud build bash

alexellis commented 3 years ago

Hi, unfortunately we cannot reproduce this error, so it may be down to your ISP or local government interfering with your connection. Where do you live?

The good news is that you can simply download the binary here: https://github.com/openfaas/faas-cli/releases

Alex

Tarang commented 3 years ago

This happens on Google cloud build with the standard bash, not my environment.

alexellis commented 3 years ago

There's a valid TLS certificate being served by GitHub Pages, perhaps raise a support ticket with your GCP account manager?

curl -v https://cli.openfaas.com
*   Trying 167.99.242.112...
* TCP_NODELAY set
* Connected to cli.openfaas.com (167.99.242.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=cli.openfaas.com
*  start date: Aug 20 12:00:16 2021 GMT
*  expire date: Nov 18 12:00:15 2021 GMT
*  subjectAltName: host "cli.openfaas.com" matched cert's "cli.openfaas.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x12000d600)
> GET / HTTP/2
> Host: cli.openfaas.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
< HTTP/2 301 
< cache-control: public, max-age=0, must-revalidate
< content-length: 22
< content-type: text/plain; charset=utf-8
< date: Thu, 30 Sep 2021 05:02:51 GMT
< server: Netlify
< location: /get.sh
< x-nf-request-id: 01FH7RTA9H9TAE1442Q7Z2GEXX
< age: 444052
< 
* Connection #0 to host cli.openfaas.com left intact
Redirecting to /get.sh* Closing connection 0

Tarang commented 3 years ago

I can see that on my machine,

the product is fully managed (https://cloud.google.com/build) so we don't get to control the instances. I guess I was wondering if you had any recent certificate or setting changes? I would hate to use the --insecure option.

alexellis commented 3 years ago

The certificate is valid, so I would suggest that you take it up with your Google Cloud rep. Why don't you download the binary from the linked releases page? Does GitHub also give you invalid TLS errors?

I'm not sure what you want me to say?

alexellis commented 3 years ago

This also came to mind: https://portswigger.net/daily-swig/lets-encrypt-root-cert-update-catches-out-many-big-name-tech-firms
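The linked article explains the failure in prose; the following model, added here as an illustration and not code from the faas-cli project or from anyone in this thread, shows the mechanism with constructed certificate records. The expiry dates are those of the public Let's Encrypt certificates (the leaf's are copied from the curl -v output above), and the two validation modes approximate old and new OpenSSL/GnuTLS path building; signatures, name constraints and revocation are deliberately not modelled.

```python
"""Why a valid leaf certificate can still fail: a model of chain building.

Added example, not code from the faas-cli project or from the participants in
this issue. Certificates are constructed (subject, issuer, expiry) records;
only the path selection that differs between old and new TLS stacks is modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


# The chain Let's Encrypt served in late 2021: the leaf, the R3 intermediate, and
# ISRG Root X1 cross-signed by DST Root CA X3 so that older clients still trust it.
LEAF = Cert("cli.openfaas.com", "R3", datetime(2021, 11, 18, 12, 0, 15, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, 16, 0, 0, tzinfo=UTC))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, 18, 14, 3, tzinfo=UTC))
SERVED_CHAIN = [LEAF, R3, X1_CROSS]

# Candidate trust anchors as found in a system CA bundle.
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))


def validate(chain, trust_store, at, trusted_first):
    """Return (ok, reason) for a leaf-first chain checked at time `at`.

    trusted_first=True approximates OpenSSL >= 1.1.0 and GnuTLS >= 3.6.14: the
    first served certificate whose subject is a trust anchor is swapped for the
    store's copy and the walk stops there, so the cross-sign is never used.
    trusted_first=False approximates the older behaviour: the whole served chain
    is used and its final issuer looked up in the store; the chain is shortened
    only if no anchor for that issuer exists at all.
    """
    anchors = {c.subject: c for c in trust_store}
    untrusted = list(chain)
    if trusted_first:
        path = []
        for cert in untrusted:
            if cert.subject in anchors:
                path.append(anchors[cert.subject])
                break
            path.append(cert)
        else:
            issuer = path[-1].issuer
            if issuer not in anchors:
                return False, f"no trust anchor for issuer {issuer!r}"
            path.append(anchors[issuer])
    else:
        while True:
            issuer = untrusted[-1].issuer
            if issuer in anchors:
                path = untrusted + [anchors[issuer]]
                break
            if len(untrusted) == 1:
                return False, f"no trust anchor for issuer {issuer!r}"
            untrusted.pop()  # drop the last served cert and retry
    # Every certificate on the chosen path, anchor included, must be within its
    # validity period; there is no second attempt once a path has been chosen.
    for cert in path:
        if at > cert.not_after:
            return False, f"{cert.subject!r} expired on {cert.not_after:%Y-%m-%d}"
    return True, f"anchored at {path[-1].subject!r}"


def scenarios(at=datetime(2021, 10, 1, tzinfo=UTC)):
    """The four cases behind the reports that started on 2021-09-30."""
    both = [DST_ROOT, X1_SELF]
    return {
        "modern stack, both roots in bundle": validate(SERVED_CHAIN, both, at, True),
        "legacy stack, both roots in bundle": validate(SERVED_CHAIN, both, at, False),
        "legacy stack, DST Root CA X3 removed": validate(SERVED_CHAIN, [X1_SELF], at, False),
        "modern stack, ISRG Root X1 missing": validate(SERVED_CHAIN, [DST_ROOT], at, True),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The second scenario is the one in this issue: the server's certificate is fine, but a legacy stack follows the served chain all the way to DST Root CA X3, finds it in its own bundle, and rejects it as expired. The last scenario shows why updating ca-certificates (which adds ISRG Root X1) is the real fix, while `-k` would simply disable the check the bundle is there to perform.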

Tarang commented 3 years ago

Yup that looks like it, easy to reproduce & fix

docker run -it --entrypoint /bin/bash gcr.io/cloud-builders/docker
..
$ curl https://cli.openfaas.com -v
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRL...

$ apt-get install libgnutls30
$ curl https://cli.openfaas.com -v
..
Connected to cli.openfaas.com (34.194.149.67) port 443 (#0)
..

So that solves it! It was just that the root CA had expired. Kind of strange they still haven't solved it and have no open tickets anywhere about the issue.

Note: The install is libgnutls30 but it really allows the new CA to be used and updates it somehow.
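A way to check a CI image for exactly this condition before it bites, added here as an example and not code from the faas-cli project or from anyone in this thread: it uses only the Python standard library, reading the loaded CA bundle through `ssl.SSLContext.get_ca_certs()`, and reports whether ISRG Root X1 is present and whether the expired DST Root CA X3 is still in the bundle. The sample bundle entries at the bottom are constructed in the shape the ssl module returns and are not a real bundle.

```python
"""Diagnose a CA bundle for the 2021 Let's Encrypt root transition.

Added example, not code from the faas-cli project or from this issue's
participants. Standard library only.
"""
import ssl
import time

ISRG_ROOT_X1 = "ISRG Root X1"
DST_ROOT_CA_X3 = "DST Root CA X3"


def common_name(cert):
    """Pull commonName out of the nested-tuple subject the ssl module produces."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess_trust_store(certs, now=None):
    """Classify a bundle; `certs` has the shape of SSLContext.get_ca_certs().

    `now` is epoch seconds (defaults to the current time) so that the same
    bundle can be evaluated as of a fixed date.
    """
    now = time.time() if now is None else now
    expiry = {}
    for cert in certs:
        cn = common_name(cert)
        if cn in (ISRG_ROOT_X1, DST_ROOT_CA_X3):
            # notAfter looks like "Sep 30 14:01:15 2021 GMT"
            expiry[cn] = ssl.cert_time_to_seconds(cert["notAfter"])
    has_isrg = ISRG_ROOT_X1 in expiry and expiry[ISRG_ROOT_X1] > now
    dst_expired = DST_ROOT_CA_X3 in expiry and expiry[DST_ROOT_CA_X3] <= now
    if not has_isrg:
        verdict = "update ca-certificates: ISRG Root X1 is missing, so no stack can anchor the chain"
    elif dst_expired:
        verdict = ("ISRG Root X1 present, but the expired DST Root CA X3 is still in the bundle; "
                   "legacy OpenSSL/GnuTLS will fail until it is removed or the TLS stack is updated")
    else:
        verdict = "ok"
    return {"isrg_root_x1": has_isrg, "dst_root_ca_x3_expired": dst_expired, "verdict": verdict}


def assess_system_trust_store():
    """Evaluate the bundle this Python picks up by default (system paths on Linux)."""
    ctx = ssl.create_default_context()
    return assess_trust_store(ctx.get_ca_certs())


# Constructed sample in the same shape as get_ca_certs() output; not a real bundle.
SAMPLE_OLD_BUNDLE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", DST_ROOT_CA_X3),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", ISRG_ROOT_X1),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    print("sample bundle as of 2021-10-01:", assess_trust_store(SAMPLE_OLD_BUNDLE, now=1633046400))
    print("this system:", assess_system_trust_store())
```

On Debian and Ubuntu images curl links against GnuTLS, which is why installing a newer `libgnutls30` helped here: GnuTLS before 3.6.14 rejects a served chain that ends in the expired cross-sign root even when a valid ISRG Root X1 anchor is in the bundle. The durable fix for a build image is to refresh both `ca-certificates` and the TLS library rather than to pass `--insecure`, which disables the very check that caught the stale bundle.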