HTTPS downloads from certain sites fail with TLS cert errors #7667
Comments
|
@wak-github: This is the exact same article I already referenced in the report, as well as the more detailed discussion on Information Security Stack Exchange. |
|
Indeed it's an issue with system curl on macOS. I'm trying to figure out why though. There was an OpenSSL 1.0 bug, but as far as I know the version of LibreSSL that macOS uses should have that patch. I likely have missed something though. I believe the issue can be fixed server-side if the server is configured to not send expired intermediates (e.g. one of the Comodo intermediates which expired at the same time as the AddTrust root), but we'll probably need to think of something to work around it from the client end. |
|
Server-side should help. Download PEMs from: For RedHat 7: |
|
According to Ryan Sleevi, setting |
|
@F30 if a working curl is all you need, you can use curl with the --cacert parameter and the cacerts file from my previous post. |
|
Happy to discuss workarounds here but given this is a macOS |
The core LibreSSL bug has been filed here: libressl/portable#595
For anyone wondering if anything in homebrew-core is affected (as in the actual software - not the curl download): Homebrew does not use LibreSSL in any formula besides |
|
My thoughts copied from a comment on another thread that referenced this issue:
|
|
@0xdevalias we will review pull requests that check for this failure and provide better information. |
|
I have tried all the methods mentioned above, but this issue still exists on Mac 10.15.6. Does anyone know how to fix it? |
|
@Eason0210 You're having problems with downloading from GitHub, which isn't related to this issue. Try the same command again, in case it was a transient issue. If you get the same error, there's probably a proxy in between you and GitHub that's not working correctly, and only you can find and resolve that. |
|
@gromgit Thanks for your advice. I used another command and it works now. |
brew update and can still reproduce the problem?
brew doctor, fixed all issues and can still reproduce the problem?
There is a (supposed) bug in macOS' built-in cURL, which is used by Homebrew. It makes downloads from certain HTTPS sites fail with this error message:
The sites' certificate is actually not expired, and connections with browsers and other cURL builds work perfectly fine. Instead, macOS cURL considers two specific root CA certificates expired despite there being updated certificates using the same keys.
Please see the announcement from the CA and my analysis of the issue on Information Security StackExchange for details.
What you were trying to do (and why)
Since this is a cask command, I first reported it to Homebrew-Cask as Homebrew/homebrew-cask#83481. However, @vitorgalvao replied that it should be reported here instead.
That is somewhat warranted, since the issue is indeed broader and may quite likely also affect Formulae. However, I only specifically know of affected Casks at the moment.
What happened (include command output)
What you expected to happen
Successful (re-) installation.
Step-by-step reproduction instructions (by running brew commands)
See above, but take into account that this is only an example of the problems caused by the issue.
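
A simplified model of the failure discussed in this issue, added here as an example and not taken from the thread or from curl, OpenSSL or LibreSSL code: a verifier that follows the server-sent chain before consulting its trust store ends at the expired root, while checking the trust store first, or having the server omit the expired intermediate, reaches the updated root. All certificate names, dates and the functions `build_path` and `verify` are constructed for illustration; issuers are matched by subject name only, with no signature checks.

```python
from datetime import date

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": date.fromisoformat(not_after)}

# Constructed stand-ins (names and dates are illustrative, not real certificates).
OLD_ROOT = cert("Old Root", "Old Root", "2020-05-30")      # expired root, still in the trust store
NEW_ROOT = cert("New Root", "New Root", "2038-01-18")      # updated self-signed cert, same key as CROSS
CROSS = cert("New Root", "Old Root", "2020-05-30")         # expired intermediate sent by the server
ISSUING_CA = cert("Issuing CA", "New Root", "2030-12-31")
LEAF = cert("example.test", "Issuing CA", "2021-01-01")
TRUST_STORE = [OLD_ROOT, NEW_ROOT]
NOW = date(2020, 6, 10)                                    # constructed verification date

def build_path(leaf, sent, trust_store, trusted_first):
    """Walk issuer links from the leaf until a trust-store certificate is reached."""
    pools = [trust_store, sent] if trusted_first else [sent, trust_store]
    path = [leaf]
    while len(path) < 8:                                   # depth limit guards against loops
        wanted = path[-1]["issuer"]
        issuer = next((c for pool in pools for c in pool if c["subject"] == wanted), None)
        if issuer is None:
            break                                          # no issuer found: path stays unanchored
        path.append(issuer)
        if issuer in trust_store:
            break                                          # reached a trust anchor
    return path

def verify(leaf, sent, trust_store=TRUST_STORE, now=NOW, trusted_first=False):
    """Return (ok, path) where path lists 'subject <- issuer' for each certificate used."""
    path = build_path(leaf, sent, trust_store, trusted_first)
    ok = path[-1] in trust_store and all(c["not_after"] >= now for c in path)
    return ok, [f'{c["subject"]} <- {c["issuer"]}' for c in path]

if __name__ == "__main__":
    full_chain = [ISSUING_CA, CROSS]
    print("sent chain first  :", verify(LEAF, full_chain))
    print("trust store first :", verify(LEAF, full_chain, trusted_first=True))
    print("server omits CROSS:", verify(LEAF, [ISSUING_CA]))
```
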