openfaas / faasd

A lightweight & portable faas engine
https://store.openfaas.com/l/serverless-for-everyone-else

Trying to run ./hack/install.sh results in curl: (60) SSL certificate problem: unable to get local issuer certificate #197

Closed shrike71 closed 3 years ago

shrike71 commented 3 years ago

After downloading, trying to run ./hack/install.sh results in an error

curl: (60) SSL certificate problem: unable to get local issuer certificate

on an Ubuntu 21.04 VirtualBox guest.

The curl command works as expected with other https sites.

Expected Behaviour

git clone https://github.com/openfaas/faasd --depth=1
cd faasd

./hack/install.sh

faasd outputs installation process and faasd is installed

Current Behaviour

Finding latest version from GitHub
0.13.0
Hit:1 http://ie.archive.ubuntu.com/ubuntu hirsute InRelease
Get:2 http://ie.archive.ubuntu.com/ubuntu hirsute-updates InRelease [109 kB]
Get:3 http://ie.archive.ubuntu.com/ubuntu hirsute-backports InRelease [101 kB]
Get:4 http://ie.archive.ubuntu.com/ubuntu hirsute-security InRelease [101 kB]
Fetched 310 kB in 2s (176 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
bridge-utils is already the newest version (1.6-5ubuntu1).
curl is already the newest version (7.74.0-1ubuntu2.1).
runc is already the newest version (1.0.0~rc95-0ubuntu1~21.04.2).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.forwarding=1
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Finding latest version from GitHub
0.13.13
Downloading package https://github.com/openfaas/faas-cli/releases/download/0.13.13/faas-cli as /tmp/faas-cli
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
2021/08/12 16:32:39 File exists: "/var/lib/faasd/secrets/basic-auth-password"
2021/08/12 16:32:39 File exists: "/var/lib/faasd/secrets/basic-auth-user"
Check status with:
  sudo journalctl -u faasd --lines 100 -f

Login with:
  sudo cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s
Skipping caddy installation as FAASD_DOMAIN.

Are you a GitHub Sponsor (Yes/No?)

Check at: https://github.com/sponsors/openfaas

Steps to Reproduce (for bugs)

  1. git clone https://github.com/openfaas/faasd --depth=1
  2. cd faasd
  3. ./hack/install.sh

Context

faasd will not install. Work cannot continue.

By extracting some of the curl statements in the install.sh script and running them manually with more verbose logging and a direct reference to the latest installed cacerts.pem file from the curl website (https://curl.se/docs/sslcerts.html and https://curl.se/docs/caextract.html), I was able to determine that the issue lies with the domain of a redirected link, further down the fetch chain. For instance, this:

curl -vL --cacert cacerts.pem https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz --output cni-plugins-linux-amd64-v0.8.5.tgz

results in:

* Connected to github.com (140.82.121.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: cacerts.pem
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2363 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: Mar 25 00:00:00 2021 GMT
*  expire date: Mar 30 23:59:59 2022 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert, Inc.; CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x564c09744580)
} [5 bytes data]
> GET /containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz HTTP/2
> Host: github.com
> user-agent: curl/7.74.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 302
< server: GitHub.com
< date: Thu, 12 Aug 2021 16:40:30 GMT
< content-type: text/html; charset=utf-8
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
< permissions-policy: interest-cohort=()
< location: https://github-releases.githubusercontent.com/84575398/0c3a9580-3d52-11ea-87ec-bcc2e12d89fc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210812%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210812T164030Z&X-Amz-Expires=300&X-Amz-Signature=cd155036a110276e88dfad8529a8a28c6e7059723487bb08bc877382457f97f5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=84575398&response-content-disposition=attachment%3B%20filename%3Dcni-plugins-linux-amd64-v0.8.5.tgz&response-content-type=application%2Foctet-stream
< cache-control: no-cache
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
< content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events translator.github.com wss://alive.github.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations insights.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com render-temp.githubusercontent.com viewscreen.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-3f088aa2.js gist.github.com/socket-worker-3f088aa2.js
< x-github-request-id: F465:F4C4:140F8D0:14BEAF9:61154EFE
<
* Ignoring the response-body
{ [429 bytes data]
100   640    0   640    0     0   1981      0 --:--:-- --:--:-- --:--:--  1981
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://github-releases.githubusercontent.com/84575398/0c3a9580-3d52-11ea-87ec-bcc2e12d89fc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210812%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210812T164030Z&X-Amz-Expires=300&X-Amz-Signature=cd155036a110276e88dfad8529a8a28c6e7059723487bb08bc877382457f97f5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=84575398&response-content-disposition=attachment%3B%20filename%3Dcni-plugins-linux-amd64-v0.8.5.tgz&response-content-type=application%2Foctet-stream'
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0*   Trying 146.112.56.22:443...
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0* Connected to github-releases.githubusercontent.com (146.112.56.22) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: cacerts.pem
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3208 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

It seems that curl is complaining about 'github-releases.githubusercontent.com', even with a direct reference to the updated CA certs. Using curl on any other direct download or in a git clone from y repo on the same VM has no issues.

Your Environment

Intel i7 with 32GB RAM / 1TB SSD

Bash 5.1.4(1)-release

go version go1.16.5 linux/amd64

containerd -version
containerd github.com/containerd/containerd v1.5.4 69107e47a62e1d690afa2b9b1d43f8ece3ff4483

uname -a
Linux ubuntu 5.11.0-25-generic #27-Ubuntu SMP Fri Jul 9 23:06:29 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="Ubuntu"
VERSION="21.04 (Hirsute Hippo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 21.04"
VERSION_ID="21.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=hirsute
UBUNTU_CODENAME=hirsute

faasd version

faasd 0.13.13
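
The diagnosis described in the report above (running the script's curl calls with `-v` and reading off which connection in the redirect chain fails) can be automated. The filter below is an added example, not part of the original thread or of faasd's install.sh; the function names are hypothetical and the sample log is a constructed, abridged copy of the verbose output quoted in the issue.

```shell
#!/bin/sh
# Added example: summarise every TLS connection in `curl -v` output as
# "host ip status", so the hop that fails verification stands out.

tls_hops() {
  awk '
    function emit() { if (host != "") printf "%s %s %s\n", host, ip, status }
    /\* Connected to / {
      emit()
      # The progress meter can share this line, so search instead of anchoring.
      rest = substr($0, index($0, "* Connected to ") + 15)
      split(rest, f, " ")
      host = f[1]; ip = f[2]; gsub(/[()]/, "", ip); status = "unknown"
    }
    /SSL certificate verify ok/    { status = "verify-ok" }
    /\* SSL certificate problem:/  { status = "verify-failed" }
    END { emit() }
  '
}

# Print only the hosts whose certificate chain did not verify.
failed_hops() {
  tls_hops | awk '$3 == "verify-failed" { print $1 }'
}

# Constructed sample: abridged from the verbose output quoted in the issue.
sample_log() {
  cat <<'EOF'
* Connected to github.com (140.82.121.3) port 443 (#0)
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  SSL certificate verify ok.
< HTTP/2 302
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0* Connected to github-releases.githubusercontent.com (146.112.56.22) port 443 (#1)
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

# Real use: curl -vL -o /dev/null "$URL" 2>&1 | tls_hops
sample_log | tls_hops
```

For a hop reported as `verify-failed`, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` prints the chain that endpoint actually presented, which shows whether the certificate was issued by the expected CA or by something else on the network path.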

alexellis commented 3 years ago

The download is working fine here. I'm going to close the issue and assume that it is something specific to your environment.

We advise new users to make use of multipass or a cloud VM on a developer cloud; these are known configurations and work as expected.