I have an issue installing mongodb via homebrew (new MacBook Pro, OS X 10.10.2, fresh installation). Apperantly, every other package that I try to install (for example wget) is throwing this errors, but the packages are correctly installed. Unfortunately, the installation of brew install mongodb fails with the following error:
==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/mongodb-2.6.7.yosemite.bottle.tar.gz
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Error: Failed to download resource "mongodb"
Download failed: https://downloads.sf.net/project/machomebrew/Bottles/mongodb-2.6.7.yosemite.bottle.tar.gz
Warning: Bottle installation failed: building from source.
==> Installing mongodb dependency: scons
==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/scons-2.3.4.yosemite.bottle.1.tar.gz
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Error: Failed to download resource "scons"
Download failed: https://downloads.sf.net/project/machomebrew/Bottles/scons-2.3.4.yosemite.bottle.1.tar.gz
Warning: Bottle installation failed: building from source.
==> Downloading https://downloads.sourceforge.net/scons/scons-2.3.4.tar.gz
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Error: Failed to download resource "scons"
Download failed: https://downloads.sourceforge.net/scons/scons-2.3.4.tar.gz
I also found this thread How to fix curl: (60) SSL certificate: Invalid certificate chain, where I added the certificate for downloads.sf.net and downloads.sourceforge.net (both use *.cloudfront.net as its certificate, and therefore, you get a domain missmatch) via Safari to "Always trust". After this, the installation fails with a SHA1 missmatch (and I also ran brew cleanup -s to cleanup the old cached packages):
==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/mongodb-2.6.7.yosemite.bottle.tar.gz
######################################################################## 100.0%
Error: SHA1 mismatch
Expected: 4b1749b645a744b38b4959daac46bf80353e3b32
Actual: a2fd3379ea944f6b2f97fb0f79b7b85cb3e14d0b
Archive: /Library/Caches/Homebrew/mongodb-2.6.7.yosemite.bottle.tar.gz
To retry an incomplete download, remove the file above.
Warning: Bottle installation failed: building from source.
==> Installing mongodb dependency: scons
==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/scons-2.3.4.yosemite.bottle.1.tar.gz
######################################################################## 100.0%
Error: SHA1 mismatch
Expected: 819d08b7e8c1ba2451db6d7d848f689b108b40aa
Actual: a2fd3379ea944f6b2f97fb0f79b7b85cb3e14d0b
Archive: /Library/Caches/Homebrew/scons-2.3.4.yosemite.bottle.1.tar.gz
To retry an incomplete download, remove the file above.
Warning: Bottle installation failed: building from source.
==> Downloading https://downloads.sourceforge.net/scons/scons-2.3.4.tar.gz
######################################################################## 100.0%
Error: SHA1 mismatch
Expected: 8c55f8c15221c1b3536a041d46056ddd7fa2d23a
Actual: a2fd3379ea944f6b2f97fb0f79b7b85cb3e14d0b
Archive: /Library/Caches/Homebrew/scons-2.3.4.tar.gz
To retry an incomplete download, remove the file above.
I also found this github issue https://github.com/Homebrew/homebrew/issues/28844, but I don't have any expired certificates in my keychain. Any help is appreciated!
I've just had the same issue. It appears to be temporary, as the SourceForge website is partially down.
The sourceforge.net website is temporarily in static offline mode.
Only a very limited set of project pages are available until the main website returns to service.
I imagine the issue will be resolved shortly and you will be able to retry in a couple of hours. There may be updates posted to https://twitter.com/sfnet_ops although there isn't currently any information on this particular outage.
Related
So we have a self-hosted version of Atlassian BitBucket running on Ubuntu server which holds the code repository. We use a SSL certificate from DigiCert . Every year we renew the certificate which has never caused issues. However this time most of the developers are getting the following error when pushing and pulling code from GIT after the certificate was renewed
fatal: unable to access : SSL certificate problem: unable to get local
issuer certificate
Another Error:
fatal: unable to access : Peer's Certificate issuer is not
recognized.
However, when we try to access the website using Chrome (or any other browser), it works fine and there is no error
All searches online point to this error when you're using a self-signed or internal PKI certificate. We are totally stumped on why a certificate issued by a public authority like DigiCert is getting this error.
Any help on this would be highly appreciated.
Ensure the root cert is added to git.exe's certificate store as discussed here.
Tell Git where to find the CA bundle by running:
git config --system http.sslCAPath /absolute/path/to/git/certificates
or copying the CA bundle to the /bin directory and adding the following to the gitconfig file:
sslCAinfo = /bin/curl-ca-bundle.crt
Reinstalling Git.
Ensuring that the complete CA is present, including the root cert.
Check www.atlassian.com more ssl errors for resolutions.
I am getting the below build error :
[ERROR] The svn blame command [svn blame --xml --non-interactive -x -w xxxxx.java] failed: svn: E230001: Unable to connect to a repository at URL 'xxx-xxxx.java'
svn: E230001: Server SSL certificate verification failed: certificate issued for a different hostname, issuer is not trusted
I am using Subversion Edge by Collabnet with jenkins to run the build. Could you please help me out?
Here is the wording of the error message:
svn: E230001: Server SSL certificate verification failed: certificate issued for a different hostname, issuer is not trusted
The error you are getting "Server SSL certificate verification failed: issuer is not trusted" means that there is a problem with the certificate installed on SVN Edge server. The client does not trust the certificate and displays the error. Therefore, you should look into the certificate-related problems on CollabNet Subversion Edge server.
The only possible way to ignore the error is to use --trust-server-cert command line option. You also have to add --non-interactive option because your CI machine runs the Subversion client non-interactively.
If you use Subversion 1.9 client, you can also use --trust-server-cert-failures option which is intended to ignore a wider range of invalid certificates than --trust-server-cert that can only ignore certificates issued by unknown or not trusted certificate authority.
When executing an openstack command, it is failing to verify a certificate that was signed by an internal CA.
CentOS 7
Root CA installed in /etc/pki/ca-trust/source/anchors
openstack 3.3.0
$ openstack server list
Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://XXXXX :13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
I hit the url from a browser and downloaded the certificate. Then ran openssl verify successfully.
$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.trust.crt 10.92.50.11.crt
10.92.50.11.crt: OK
Does the root CA need to be placed in another area for the command line to pick it up?
Explicitly pointing at the CA certificate by setting OS_CACERT did the trick. Other people in my environment didn't have to do this. I'm not sure why it was necessary, but that's what fixed my issue.
export OS_CACERT=/path/to/ca.crt
Reference: http://docs.openstack.org/user-guide/common/cli-set-environment-variables-using-openstack-rc.html
Shortly after we renewed our SSL certificate on Heroku, all Mailgun webhooks (post requests made by Mailgun to our endpoint so that we can track email deliveries) started failing with the error "Could not connect to remote server: HTTPS certificate validation failure".
How could we check whether this issue might be caused from misconfiguration of our SSL certificate rather than an issue on Mailgun's side?
Here are the details of steps we took to renew and install the certificate:
We followed these instructions to generate a new private key and
CSR.
After uploading the CSR and downloading the CRT file on Namecheap, we ran heroku certs:update as described here.
These are the checks we made to verify successful installation of the new certificate:
Navigated to our site with Chrome, Safari, and Firefox and checked
the certificates. Everything looks right.
Ran heroku certs. The certificate looks good and it is shown as trusted.
Used the online checker here and here (as watery suggested in the comments). Everything is green.
Verified with Namecheap that the intermediates were setup correctly. They basically confirmed that the output of openssl s_client -showcerts -connect www.mysite.com:443 looks right.
A potential lead:
After running brew update openssl and rvm install 2.3.1 --disable-binary, the following was observed. Running Net::HTTP.get URI('https://www.google.com') works, while the same command with our URL fails with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed.
However, running Net::HTTP.get for our URL on a freshly installed linux Docker container
does not fail, so there may be additional environment factors.
Any leads to the likely cause of this issue, or suggestions for steps we can take to find such lead, are much appreciated.
The issue was found as described in my other related question. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not whitelisted by Mailgun. I contacted support, and they are working to whitelist it.
I think this is related to SSL chaining issue. Please check the ssl certificate you are using must be in order of domain_cert > root_cert > intermediate_cert(they can be multiple). You need to concat certificate in fixed order to fix this issue. I hope this helps you. For more you can test you website ssl in this https://www.ssllabs.com/ssltest/
I've recently obtained a PositiveSSL certificate at Namecheap and installed it on my server. Accessing the site from Firefox works fine, but accessing it from Ruby's net/https library doesn't work: it fails to verify the connection certificate even though I've specified the path to the certificate and I've checked that the file is readable. Curl also fails:
curl --cacert /path/to/cert https://mysite.com/
It simply says something like this:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
"certificate verify failed" isn't a terribly useful error message. How do I find out what exactly is wrong with my certificate and what to do about it? I find it confusing that it works in the browser but not anywhere else.
It looks like curl requires that the CA certificate file contains ALL certificates in the chain. I've downloaded all of them and combined them into a single file and now both Curl and Ruby are happy.