Unable to download files, certificate verify failed
Problem
Rustup has no option to disable certificate checking. The place I work at has networking hardware in place that basically breaks SSL. I've tried adding --no-check-certificate and --insecure to the curl/wget commands in the "easy" rustup-init.sh script, but then the rustup command fails due to the same SSL certificate validation errors. A no-nonsense get.
Steps
- Find a company that intercepts SSL connections.
- Try rustup-init.sh with curl and wget commands modified to not check executable. Fail because rustup checks the certificate.
- Try installing using apt-get rustc. Fail because rustup needs to get run (e.g. rustup install stable) to install a toolchain, and there is no way to bypass the SSL certificate check.
Possible Solution(s)
Add a command line argument that bypasses the SSL certificate check. I've seen the other issues saying to add certificates to the ca cert folder, but there is no certificate available to add to the cert store.
Notes
Adding a command line argument to disable checking certificates is the simplest solution for a user in a restrictive corporate network that just wants a way to get a functional install of rust. It should not be as painful as it currently is; this is a usability bug that makes for a very bad user experience when your computer is on a corporate network.
Okay, I stumbled upon an environment variable, RUSTUP_USE_CURL, that appears to not do the SSL certificate checking. It would've been much nicer if a reliable workaround for corporate environments were mentioned somewhere on the install page for rust.
We have been around on this topic before. Currently we have no intention to add to rustup a way to ignore certificates.
That RUSTUP_USE_CURL=1 helped you suggests that your system has appropriate certificates installed onto it, and that our reqwest based backend is not managing to find them. It is certainly not a workaround to disable certificate checking and if it currently does ignore bad certificates then that is a bug which needs to be fixed.
Do you have problems with your browser every time you visit an https webpage, or does your computer have a stored CA certificate for your company's MITM device?
It causes problems on enough websites using https that it’s the first thing to blame when I see an error with ssl certificates, though other https webpages work.
Mentioning in a FAQ on the installation page the curl backend as a workaround if there are certificate errors using the default reqwest backend would’ve been nice. If it’s because it does a better job finding certificates, then as a user I don’t care that I’m using a backend that is deprecated — I just want some quick troubleshooting options to try with the installer so that I can get a working install of rust.
I was kind of surprised that installing with apt also required fetching a toolchain (ssl cert issues too) to get a working copy of the rust installer — I was hoping the apt package would be an easy alternative (basically the same as the offline installer, but with apt for updates).
See, I wouldn't want to mention that in the readme explicitly because we're hoping to remove the cURL backend over time, so encouraging people to use it would be counterproductive. What we need to do is determine where the certificates are being stored and thusly why reqwest isn't finding them.
Regarding the use of apt you can install rustc and cargo via apt install rustc cargo and then just use them; but anything expecting to be able to interact with rustup (e.g. vscode-rls) will fail, as will anything expecting the rust-toolchain file to work.
The version of cargo and rustc you get via apt will be up to your distribution, not us.
Actually, it looks like I might have been wrong about RUSTUP_USE_CURL=1 working; I noticed today that running rustc is still giving the no default toolchain configured error, and running rustup install stable or rustup default stable give errors regarding verifying the SSL certificate (with both the reqwest and curl backends) due to it being "self-signed".
The copy of rustc I'm using was installed with apt install rustc cargo -- even trying to print help/version gives the toolchain error; is there some setup command that is needed to tell rustc to ignore the lack of a default toolchain? The top search results all say to use rustup, which isn't working due to the certificate issues (I found a list of certs at work and installed all of them -- none of them seem to be the one used by the MITM device).
So it sounds like you're expecting /usr/bin to be in your PATH before wherever rustup is (probably ~/.cargo/bin) but in reality the latter is first, so when you run rustc it's picking up rustup's proxy.
Either uninstall rustup (rustup self uninstall), move the PATH around, or you can add your system-installed toolchain for now: rustup toolchain link system /usr && rustup default system and see if that lets you progress.
Regarding the insecure-SSL stuff, we have another issue where we're thinking about this (#1542 and the associated PR #1624) but we're not inclined to support breaking the SSL security constraints unless Cargo opts to do so first.
I had the same issue today. Adding Zscaler Root CA cert (used by rust sites) solved the issue.
@Bharath-KKB Hey, can you explain what all you did?
The exact steps depend on the OS you are using, so follow the instructions for your OS. Basically what you need to do is save the Zscaler Root CA cert (from, say, your browser on Windows) and add it to your truststore. E.g., to add on Ubuntu/Debian systems:
- Copy your CA to dir /usr/local/share/ca-certificates/. Use command: sudo cp zscalerroot.crt /usr/local/share/ca-certificates/zscalerroot.crt
- Update the CA store: sudo update-ca-certificates
I have not done these for a few months (I only do these when I need to upgrade software). But you need to look out if the intermediate CA certs are valid. Usually the root CA cert is valid for longer periods (a few years typically), but the intermediate certs issuing these certs for me are valid for 2 or 3 weeks. Somehow the cert chains don't work, so I had to import these regularly.
I really struggled with actually getting the certificate. My advice for figuring this out is to go to https://google.com on your corp network in Chrome and click the little lock next to the URL. Click the "connection is secure" tab -> "certificate is valid" -> details. The top certificate is your company's self-signed certificate; Chrome will export it correctly (I tried for hours with openssl to extract this certificate but failed). Verify the certificate manually. Then export the highest most certificate.
Now, I was using Ubuntu WSL, so you can do the following, assuming your cert is called company_cert.cer:
# this is text verification
openssl x509 -in company_cert.cer -inform der -text -out company_cert.crt
sudo cp company_cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
After that rustup should work. This is mostly an SSL problem, not a rustup problem, but the information on actually finding the cert and then also installing it via ca-certs is not in one place. If someone knows how to extract the certificate via openssl that would be a better fix because I assume you have chrome
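
One way to get the certificates with openssl instead of a browser, as an added example that is not part of any comment in this thread: save every certificate the intercepting device presents and list subject, issuer, expiry and fingerprint for each. The function names, file names and the sample text are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: save the chain presented on a TLS connection so the top
# certificate can be inspected before it is added to the trust store.

# split_chain DIR: read `openssl s_client -showcerts` output on stdin, write
# each PEM block to DIR/chain-N.pem (1 = leaf, highest N = top of the chain
# as sent) and print how many certificates were written.
split_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }'
}

# fetch_chain HOST DIR: needs network access from inside the corporate network.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    split_chain "$2"
}

# describe_chain DIR COUNT: show who each saved certificate claims to be.
describe_chain() {
  i=1
  while [ "$i" -le "$2" ]; do
    openssl x509 -in "$1/chain-$i.pem" -noout -subject -issuer -enddate -fingerprint -sha256
    i=$((i + 1))
  done
}

# Constructed sample of s_client output; bodies are placeholders, not real certificates.
sample_showcerts() {
  cat <<'EOF'
 0 s:CN = example.com
   i:CN = Example Proxy Intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:CN = Example Proxy Intermediate
   i:CN = Example Proxy Root
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
EOF
}

# Usage: sh script.sh HOST DIR
if [ "$#" -eq 2 ]; then
  describe_chain "$2" "$(fetch_chain "$1" "$2")"
fi
```

Servers often leave the root out of what they send, so if the highest-numbered file shows a different subject and issuer it is an intermediate and the root still has to come from your IT department. Compare the SHA-256 fingerprint with the one IT publishes before copying the file into /usr/local/share/ca-certificates/ with a .crt extension and running update-ca-certificates.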