
invalid peer certificate: UnknownIssuer

Open drpdishant opened this issue 3 years ago • 12 comments

Just installed tea and I'm facing this error whenever I try to install any package:

tea +openssl.org
error: http (spilt-tea-404)
error sending request for url (https://dist.tea.xyz/openssl.org/darwin/aarch64/versions.txt): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

sh <(curl tea.xyz) +nodejs.org
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8739  100  8739    0     0  14750      0 --:--:-- --:--:-- --:--:-- 14938
error: http (spilt-tea-404)
error sending request for url (https://dist.tea.xyz/unicode.org/darwin/aarch64/versions.txt): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Seems like it's not able to validate the server certificate against a root certificate from the trust store. How can I disable the SSL check?

drpdishant avatar Nov 09 '22 20:11 drpdishant

wow. @jhheider ideas?

mxcl avatar Nov 09 '22 21:11 mxcl

so, deno controls this, LMK check their GitHub.

mxcl avatar Nov 09 '22 21:11 mxcl

  • https://github.com/denoland/deno/issues/11482
  • https://github.com/denoland/deno/pull/6370 (DENO_CERT variable)

mxcl avatar Nov 09 '22 21:11 mxcl

This is interesting. @drpdishant , what OS/platform/distro are you running this under? Interestingly, if I load debian:buster-slim in Docker, and apt remove ca-certificates, I break curl, but not tea. Which makes me think, somewhere in the Deno guts, it's falling back to some well-known paths looking for ca certs, and possibly finding out of date ones.

That said, it doesn't really explain why you can curl tea.xyz. Can you curl dist.tea.xyz? If I can recreate this, it should be possible to strace the run and see what it's trying to execute.

jhheider avatar Nov 09 '22 21:11 jhheider

https://dist.tea.xyz/openssl.org/darwin/aarch64/versions.txt

@jhheider which is mysterious, right? How can certs on macOS be broken?

mxcl avatar Nov 09 '22 22:11 mxcl

Oh, yeah. Deeply mysterious. Unless it's extremely out of date. I know the CAs do have big changes periodically. I feel like AWS had one in the last 12 months, maybe.

jhheider avatar Nov 09 '22 22:11 jhheider

@mxcl @jhheider dist.tea.xyz is accessible in the browser, but it serves a different certificate than the actual one, probably because all the connections from my machine go through a corporate proxy. I do face this issue when running npm install, and it works after setting the env var NODE_TLS_REJECT_UNAUTHORIZED to 0.


Definitely it isn't an issue with macOS or ca-certs or even the tea CLI; skipping the check will work.

drpdishant avatar Nov 10 '22 04:11 drpdishant

Ahhhhh, yes, a proxy performing the SSL check on your behalf and serving using its certificate would definitely cause that. Hm. Will have to see what options Deno offers for accepting insecure connections.

jhheider avatar Nov 10 '22 04:11 jhheider

@jhheider If this helps, https://github.com/denoland/deno/pull/11324

drpdishant avatar Nov 10 '22 04:11 drpdishant

@jhheider I was able to figure out a workaround using the env var DENO_CERT: downloaded the CA cert and provided it in the env value. It works.

DENO_CERT=dist-tea-xyz.pem tea +openssl.org

drpdishant avatar Nov 10 '22 04:11 drpdishant
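As an added illustration of the failure mode in this thread (not code from the tea, Deno or pkgx projects): the Go standard library reproduces what rustls reports as UnknownIssuer, a leaf minted by a TLS-inspecting proxy's private CA being rejected by a trust store that lacks that CA, and then verifying once the CA is added, which is what the DENO_CERT workaround does. The chain is constructed in memory and the "Example Corp" CA name is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintProxyChain is a constructed stand-in for a TLS inspection proxy: a private root
// CA ("Example Corp" is a placeholder) and the leaf it mints on the fly for dist.tea.xyz.
func mintProxyChain() (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Corp TLS Inspection CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"dist.tea.xyz"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// verifyAs validates leaf for dist.tea.xyz against roots. An empty pool models a client that
// ships its own bundle (as Deno does) and knows nothing about the proxy CA; nil would mean the OS store.
func verifyAs(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "dist.tea.xyz", Roots: roots})
	return err
}

func main() {
	ca, leaf := mintProxyChain()
	fmt.Println("bundled store only:", verifyAs(leaf, x509.NewCertPool())) // x509: certificate signed by unknown authority
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the DENO_CERT=proxy-ca.pem move: add the issuer, keep verification on
	fmt.Println("with proxy CA added:", verifyAs(leaf, trusted)) // <nil>
}
```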

Certainly one workaround. We'll noodle on something more user-friendly. You won't be the last one behind a corporate proxy.

jhheider avatar Nov 10 '22 04:11 jhheider

One way brew avoided this sort of thing is using curl to do the downloads, since generally curl has been configured to work for the user.

mxcl avatar Nov 10 '22 14:11 mxcl

We haven't seen this in a long time, closing as assumed deno is responsible and is fixed.

mxcl avatar Jun 07 '23 18:06 mxcl