v8: can't clone gyp.git (with brewed curl --with-openssl or --with-libressl)

[dunn]

The following happens when git is built --with-brewed-curl, and when curl is build either --with-openssl or --with-libressl:

==> Reinstalling v8
==> Downloading https://github.com/v8/v8-git-mirror/archive/4.1.0.27.tar.gz
Already downloaded: /Library/Caches/Homebrew/v8-4.1.0.27.tar.gz
==> Verifying v8-4.1.0.27.tar.gz checksum
tar xf /Library/Caches/Homebrew/v8-4.1.0.27.tar.gz
==> Cloning https://chromium.googlesource.com/external/gyp.git
git clone https://chromium.googlesource.com/external/gyp.git /Library/Caches/Homebrew/v8--gyp--git
Cloning into '/Library/Caches/Homebrew/v8--gyp--git'...
fatal: unable to access 'https://chromium.googlesource.com/external/gyp.git/': SSL certificate problem: unable to get local issuer certificate
Error: Failed to download resource "v8--gyp"
Failure while executing: git clone https://chromium.googlesource.com/external/gyp.git /Library/Caches/Homebrew/v8--gyp--git

Oddly, brewed git with brewed openssl, but without brewed curl, works fine.

HOMEBREW_VERSION: 0.9.5
ORIGIN: https://github.com/Homebrew/homebrew.git
HEAD: 9032f165bec3d0c7452169093fab32578816043b
Last commit: 6 hours ago
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CELLAR: /usr/local/Cellar
CPU: quad-core 64-bit haswell
OS X: 10.10.3-x86_64
Xcode: 6.3.1
CLT: 6.3.1.0.1.1429149539
Clang: 6.1 build 602
X11: 2.7.7 => /opt/X11
System Ruby: 2.0.0-p481
Perl: /usr/bin/perl
Python: /usr/local/bin/python => /usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/bin/python2.7
Ruby: /usr/local/bin/ruby => /usr/local/Cellar/ruby/2.2.2/bin/ruby
Java: 1.8.0_20

Is this related to the recent certificate mess? If it's going to be fixed by #38897 then go ahead and close this.

[DomT4]

Aye. Do a brew reinstall openssl to fix it. #38897 will apply new patches, but there's an existing one in place that will fix the issue for you. One way or another, OpenSSL is likely to get itself revisioned in the near future which will flush these issues from the ecosystem.

[DomT4]

Actually, you should be able to just do brew postinstall openssl thinking about it.

[dunn]

Still doesn't work 😱

• brew reinstall openssl
• brew reinstall -v curl --with-openssl --with-libidn --with-libssh2
• brew reinstall -v git --with-brewed-openssl --with-pcre --with-persistent-https --with-brewed-svn --with-brewed-curl

No dice.

[DomT4]

I presume your Homebrew is up-to-date?

You shouldn't need to reinstall curl or git. What does ls -l brew --prefix/etc/openssl and ls -l brew --prefix/etc/openssl/certs say?

[dunn]

Yeah, I did brew postinstall openssl and it installed the cert.

🐙  ls -l `brew --prefix`/etc/openssl
total 696
-rw-r--r--  1 cat  admin  329021 Apr 26 18:21 cert.pem
drwxr-xr-x  4 cat  admin     136 Apr 26 18:21 certs
drwxr-xr-x  9 cat  admin     306 Oct 16  2014 misc
-rw-r--r--  1 cat  admin   10835 Jan 16 10:27 openssl.cnf
-rw-r--r--  1 cat  admin   10835 Apr 26 18:21 openssl.cnf.default
drwxr-xr-x  2 cat  admin      68 Mar 19 11:34 private

🐙  ls -l `brew --prefix`/etc/openssl/certs
total 16
lrwxr-xr-x  1 cat  admin    40 Apr 26 18:21 578d5c04.0 -> Equifax_Secure_Certificate_Authority.pem
-rw-r--r--  1 cat  wheel  1160 Apr 26 18:21 Equifax_Secure_Certificate_Authority.pem

[DomT4]

But still problems? Can you try brew test --verbose wget? That hits a Google domain. Curious to see what happens.

[dunn]

Seems to work fine (gist if you're interested).

¯(°_o)/¯

[DomT4]

Ah, hoops. cURL has broken again for some reason, both under the existing cert fix and the patches. Let me dig into this again a bit.

[DomT4]

Hmm. I can't actually reproduce here with the patches in #38897 adopted. I forgot (because I'm an idiot) in the above message I'd built cURL against LibreSSL which currently isn't patched. I can't reproduce this using pretty much identical build options and variables to you.

I'll try reverting the patching locally and installing with the current added cert method.

[DomT4]

Bingo. I can reproduce this using the current Equifax cert fix we have in place. In which case, #38897 will fix the issue.

[dunn]

Awesome, thanks for investigating. I'll close this when that's merged.

[DomT4]

Just double checked. The x509 patch PR definitely fixes things on this, phew 🎉. This cert problem really crawled its way into every available point of breakage, sigh.

[DomT4]

@dunn No further problems? :)

[dunn]

Nope, works fine now!

[DomT4]

Great! Thanks for confirming!