The SSL certificate is invalid on sparc64 when cargo is fetching the index

nagisa commented 5 years ago

Problem

It appears that there might be some bug in how cargo does its certificate validation on sparc64. It possibly may extend to other big-endian systems as well, but I haven’t been able to verify it (on both mips64 and ppc64 things I have access to the glibc is too old for rustup).

$ cargo update
    Updating crates.io index
error: failed to load source for a dependency on `cc`                                                                                                                                                                                          

Caused by:
  Unable to update registry `https://github.com/rust-lang/crates.io-index`

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA; class=Ssl (16); code=Certificate (-17)
$ git clone https://github.com/rust-lang/crates.io-index
Cloning into 'crates.io-index'...
remote: Enumerating objects: 247, done.
remote: Counting objects: 100% (247/247), done.
remote: Compressing objects: 100% (233/233), done.
remote: Total 627507 (delta 123), reused 124 (delta 0), pack-reused 627260
Receiving objects: 100% (627507/627507), 128.29 MiB | 7.89 MiB/s, done.
Resolving deltas: 100% (412075/412075), done.
Checking out files: 100% (21150/21150), done.
$ curl 'https://crates.io/'
{"errors":[{"detail":"Not Found"}]}

Steps

On a SPARC64-based machine update the cargo index (by trying to build a rust library for the first time)

Possible Solution(s)

Figure out and fix the SSL issues;
Provide some way to disable certificate checking temporarily;
Make it easy to check-out the index manually...

Notes

$ cargo version
cargo 1.30.0
$ uname -a
Linux gcc202 4.19.0-rc7-sparc64-smp #1 SMP Debian 4.19~rc7-1~exp1 (2018-10-07) sparc64 GNU/Linux
$ ldd $(which cargo)
    linux-vdso.so.1 (0xfff800010002e000)
    libgit2.so.27 => /usr/lib/sparc64-linux-gnu/libgit2.so.27 (0xfff8000100c18000)
    libssh2.so.1 => /usr/lib/sparc64-linux-gnu/libssh2.so.1 (0xfff8000100dec000)
    libcurl-gnutls.so.4 => /usr/lib/sparc64-linux-gnu/libcurl-gnutls.so.4 (0xfff8000100f18000)
    libssl.so.1.1 => /usr/lib/sparc64-linux-gnu/libssl.so.1.1 (0xfff8000101098000)
    libcrypto.so.1.1 => /usr/lib/sparc64-linux-gnu/libcrypto.so.1.1 (0xfff8000101224000)
    libz.so.1 => /lib/sparc64-linux-gnu/libz.so.1 (0xfff80001015b8000)
    libdl.so.2 => /lib/sparc64-linux-gnu/libdl.so.2 (0xfff80001016d8000)
    librt.so.1 => /lib/sparc64-linux-gnu/librt.so.1 (0xfff80001017e0000)
    libpthread.so.0 => /lib/sparc64-linux-gnu/libpthread.so.0 (0xfff80001018ec000)
    libgcc_s.so.1 => /lib/sparc64-linux-gnu/libgcc_s.so.1 (0xfff8000101a0c000)
    libc.so.6 => /lib/sparc64-linux-gnu/libc.so.6 (0xfff8000101b20000)
    /lib64/ld-linux.so.2 (0xfff8000100000000)
    libm.so.6 => /lib/sparc64-linux-gnu/libm.so.6 (0xfff8000101d8c000)
    libmbedtls.so.12 => /usr/lib/sparc64-linux-gnu/libmbedtls.so.12 (0xfff8000101f70000)
    libmbedx509.so.0 => /usr/lib/sparc64-linux-gnu/libmbedx509.so.0 (0xfff800010209c000)
    libmbedcrypto.so.3 => /usr/lib/sparc64-linux-gnu/libmbedcrypto.so.3 (0xfff80001021b0000)
    libhttp_parser.so.2.8 => /usr/lib/sparc64-linux-gnu/libhttp_parser.so.2.8 (0xfff8000102310000)
    libgssapi_krb5.so.2 => /usr/lib/sparc64-linux-gnu/libgssapi_krb5.so.2 (0xfff800010241c000)
    libkrb5.so.3 => /usr/lib/sparc64-linux-gnu/libkrb5.so.3 (0xfff8000102560000)
    libk5crypto.so.3 => /usr/lib/sparc64-linux-gnu/libk5crypto.so.3 (0xfff800010272c000)
    libcom_err.so.2 => /lib/sparc64-linux-gnu/libcom_err.so.2 (0xfff8000102860000)
    libgcrypt.so.20 => /lib/sparc64-linux-gnu/libgcrypt.so.20 (0xfff8000102968000)
    libnghttp2.so.14 => /usr/lib/sparc64-linux-gnu/libnghttp2.so.14 (0xfff8000102b2c000)
    libidn2.so.0 => /usr/lib/sparc64-linux-gnu/libidn2.so.0 (0xfff8000102c50000)
    librtmp.so.1 => /usr/lib/sparc64-linux-gnu/librtmp.so.1 (0xfff8000102d70000)
    libpsl.so.5 => /usr/lib/sparc64-linux-gnu/libpsl.so.5 (0xfff8000102e8c000)
    libnettle.so.6 => /usr/lib/sparc64-linux-gnu/libnettle.so.6 (0xfff8000102fa0000)
    libgnutls.so.30 => /usr/lib/sparc64-linux-gnu/libgnutls.so.30 (0xfff80001030dc000)
    libldap_r-2.4.so.2 => /usr/lib/sparc64-linux-gnu/libldap_r-2.4.so.2 (0xfff8000103330000)
    liblber-2.4.so.2 => /usr/lib/sparc64-linux-gnu/liblber-2.4.so.2 (0xfff8000103480000)
    libmbedcrypto.so.1 => /usr/lib/sparc64-linux-gnu/libmbedcrypto.so.1 (0xfff8000103590000)
    libkrb5support.so.0 => /usr/lib/sparc64-linux-gnu/libkrb5support.so.0 (0xfff80001036f0000)
    libkeyutils.so.1 => /lib/sparc64-linux-gnu/libkeyutils.so.1 (0xfff80001037fc000)
    libresolv.so.2 => /lib/sparc64-linux-gnu/libresolv.so.2 (0xfff8000103904000)
    libgpg-error.so.0 => /lib/sparc64-linux-gnu/libgpg-error.so.0 (0xfff8000103a1c000)
    libunistring.so.2 => /usr/lib/sparc64-linux-gnu/libunistring.so.2 (0xfff8000103b3c000)
    libhogweed.so.4 => /usr/lib/sparc64-linux-gnu/libhogweed.so.4 (0xfff8000103dbc000)
    libgmp.so.10 => /usr/lib/sparc64-linux-gnu/libgmp.so.10 (0xfff8000103ef0000)
    libp11-kit.so.0 => /usr/lib/sparc64-linux-gnu/libp11-kit.so.0 (0xfff8000104068000)
    libtasn1.so.6 => /usr/lib/sparc64-linux-gnu/libtasn1.so.6 (0xfff8000104284000)
    libsasl2.so.2 => /usr/lib/sparc64-linux-gnu/libsasl2.so.2 (0xfff8000104398000)
    libffi.so.6 => /usr/lib/sparc64-linux-gnu/libffi.so.6 (0xfff80001044b4000)

nagisa commented 5 years ago

Once I cloned the index manually

git clone https://github.com/rust-lang/crates.io-index ~/.cargo/registry/index/github.com-eae4ba8cbf2ce1c7

it now works well.

glaubitz commented 5 years ago

@nagisa I can work around this problem by building cargo from source. For me, it affects only Debian's cargo package. Once I built cargo from source and placed it into my path, the problem goes away.

CC @jrtc27

glaubitz commented 5 years ago

I made an interesting observation, the problem does not show up when running cargo as root.

It also does not show when switching to my user from root without a login shell:

root@gcc202:~# su glaubitz  
glaubitz@gcc202:/root$ cd
glaubitz@gcc202:~$ cd rust
glaubitz@gcc202:~/rust$ ./x.py build 
Updating only changed submodules
Submodules updated in 0.06 seconds
    Updating crates.io index
^C
Build completed unsuccessfully in 0:00:02
glaubitz@gcc202:~/rust$ exit
root@gcc202:~# su - glaubitz
glaubitz@gcc202:~$ cd rust
glaubitz@gcc202:~/rust$ ./x.py build
Updating only changed submodules
Submodules updated in 0.06 seconds
    Updating crates.io index
error: failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA; class=Ssl (16); code=Certificate (-17)
failed to run: /usr/bin/cargo build --manifest-path /home/glaubitz/rust/src/bootstrap/Cargo.toml
Build completed unsuccessfully in 0:00:00
glaubitz@gcc202:~/rust$ logout
root@gcc202:~#

And, on top of that, it doesn't show on a second Linux/sparc64 porterbox. Could be a configuration after all.

rust-lang / cargo

The SSL certificate is invalid on sparc64 when cargo is fetching the index #6471