Julia 1.0.2 fails to check certificate on guixsd system #30157

Open
fps opened this issue Nov 26, 2018 · 17 comments

@fps

fps commented Nov 26, 2018

Hi,

I'm bundling a quick and dirty hacked version of a package for julia 1.0.2 (using the binary release) for GuixSD and in the process I stumbled over this problem:

(v1.0) pkg> update
 Resolving package versions...
   Cloning default registries into /home/fps/.julia/registries
   Cloning registry General from "https://github.com/JuliaRegistries/General.git"
ERROR: failed to clone from https://github.com/JuliaRegistries/General.git, error: GitError(Code:ECERTIFICATE, Class:SSL, the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA)

I dug around in the shipped libraries with a hex editor and found this:

000FFFA8   68 65 72 20  63 6F 75 6C  64 20 62 65  20 65 6E 61  62 6C 65 64  00 2F 65 74  63 2F 70 6B  her could be enabled./etc/pk
000FFFC4   69 2F 74 6C  73 2F 63 65  72 74 2E 70  65 6D 00 66  61 69 6C 65  64 20 74 6F  20 63 72 65  i/tls/cert.pem.failed to cre

prompting me to copy the shipped cert.pem to that location in /etc/pki/tls/cert.pem

Et voila! Julia works now! But that's a dirty hack and julia's libgit2 should use the shipped cert.pem really..

EDIT: The previous paragraph might be completely wrong. Maybe the issue is that the certificates installed in guixsd's /etc/ssl/certs are symlinks to a store item under /gnu/store/...../ca-certificate-bundle/...?

Thanks

@nalimilan
Member

Just to be sure, are you using the official binaries?

@fps
Author

fps commented Nov 26, 2018

Hi,
yes:

fps@guixsd15 ~/guix-packages$ sha256sum /gnu/store/7p52g50d0nsmvwydz8gqdkdfrjh0jvj8-julia-1.0.2-linux-x86_64.tar.gz
e0e93949753cc4ac46d5f27d7ae213488b3fef5f8e766794df0058e1b3d2f142  /gnu/store/7p52g50d0nsmvwydz8gqdkdfrjh0jvj8-julia-1.0.2-linux-x86_64.tar.gz

Note. The package definition is here: https://github.com/fps/guix-packages/blob/master/julia-hack.scm

@fps
Author

fps commented Nov 26, 2018

I should add: I'm not really sure that my opinionated title for this issue report is really accurate. SSL-certificate checks are a complex issue and there might be something else going wrong. I'll change the title to be less opinionated :)

@fps changed the title from "Julia 1.0.2 expects /etc/pki/tls/cert.pem instead of using the bundled one in share/julia/cert.pem" to "Julia 1.0.2 fails to check certificate on guixsd system" on Nov 26, 2018

@skariel
Contributor

skariel commented Jan 15, 2019

I'm having the same issue. @fps in which lib did you check the hex? Copying to /etc/pki/tls doesn't help.

@skariel
Contributor

skariel commented Jan 15, 2019

I actually found this line in libgit. Anyway, not working. Also I'm behind a proxy

@fps
Author

fps commented Mar 28, 2019

Sorry, didn't see the comment earlier. Yes, libgit.

@ghost

ghost commented Jul 10, 2019

@fps It solved the problem for me too!

Could you please explain how you came to the conclusion that you had to "dug around in the shipped libraries with a hex editor"? And how you did it?

Many thanks!

$ find julia-1.1.1/ -type f -iname "*.pem"
julia-1.1.1/share/julia/cert.pem

$ sudo cp julia-1.1.1/share/julia/cert.pem /etc/pki/tls
./julia 
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.1.1 (2019-05-16)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

julia> import Pkg; Pkg.add("JSON")
   Cloning default registries into `~/.julia`
   Cloning registry from "https://github.com/JuliaRegistries/General.git"
     Added registry `General` to `~/.julia/registries/General`
 Resolving package versions...
 Installed JSON ─ v0.20.0
  Updating `~/.julia/environments/v1.1/Project.toml`
  [682c06a0] + JSON v0.20.0
  Updating `~/.julia/environments/v1.1/Manifest.toml`

@fps
Author

fps commented Jul 11, 2019

Hi @phfrohring, it's been quite a while since I looked at this so I don't remember it clearly anymore. I think I used maybe an strace on the julia binary which prompted me to see the /etc/pki/tls path? Or possibly I did a google search on the original error message and then just on a hunch searched through the binaries for possibly hardcoded paths.. Sorry if this is not helpful at all..

@fps
Author

fps commented Jul 11, 2019

Sooo, @phfrohring, what kind of system do you see the problem on? It seems it's not guix?

@ghost

ghost commented Jul 11, 2019

Ok thx!

Yes, it's guix!

These things directed me to your post and kind help from the Julia slack channel:

Linux f02c 4.15.0-52-generic #56-Ubuntu SMP Tue Jun 4 22:49:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Description:	Ubuntu 18.04.2 LTS
share/julia/stdlib/v1.1/LibGit2/src/LibGit2.jl
986:    # Look for OpenSSL env variable for CA bundle (linux only)
989:        cert_loc = if "SSL_CERT_DIR" in keys(ENV)
990:            ENV["SSL_CERT_DIR"]
991:        elseif "SSL_CERT_FILE" in keys(ENV)
992:            ENV["SSL_CERT_FILE"]
994:            # If we have a bundled ca cert file, point libgit2 at that so SSL connections work.
997:        set_ssl_cert_locations(cert_loc)
1001:function set_ssl_cert_locations(cert_loc)
1007:          Cint(Consts.SET_SSL_CERT_LOCATIONS), cert_file, cert_dir)
phf@f02c:bin$ echo $SSL_CERT_DIR 
/home/phf/.guix-profile/etc/ssl/certs
phf@f02c:bin$ echo $SSL_CERT_FILE 
/home/phf/.guix-profile/etc/ssl/certs/ca-certificates.crt
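
Added example, not part of any comment in this thread and not Julia's own code: a shell diagnostic that follows the lookup order visible in the LibGit2.jl lines quoted above (SSL_CERT_DIR, then SSL_CERT_FILE, then the bundled cert.pem) and checks that the picked location still yields readable PEM certificates once symlinks are resolved. The function names are made up for this example, and the bundled file's path is passed in as an argument.

```shell
#!/bin/sh
# Added diagnostic, not Julia's code. Mirrors the order visible in the quoted
# LibGit2.jl lines: SSL_CERT_DIR if set, else SSL_CERT_FILE, else the bundled file.

# Print the CA location that would be picked; $1 = path to the bundled cert.pem.
resolve_cert_loc() {
    if [ -n "${SSL_CERT_DIR+set}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
    elif [ -n "${SSL_CERT_FILE+set}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    else
        printf '%s\n' "$1"
    fi
}

# Count PEM certificates at a file or directory. Symlinks are followed, so a
# dangling link (for example into a store item that is gone) contributes 0.
count_certs() {
    loc=$1
    if [ -d "$loc" ]; then
        total=0
        for f in "$loc"/*; do
            [ -f "$f" ] && [ -r "$f" ] || continue
            n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f") || n=0
            total=$((total + n))
        done
        printf '%s\n' "$total"
    elif [ -f "$loc" ] && [ -r "$loc" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$loc" || true
    else
        printf '0\n'
    fi
}

# Report the picked location, where it really points, and whether it is usable.
# Returns 0 only if at least one certificate is readable there.
check_ca_store() {
    picked=$(resolve_cert_loc "$1")
    real=$(readlink -f "$picked" 2>/dev/null || printf '%s' "$picked")
    found=$(count_certs "$picked")
    printf 'picked:       %s\n' "$picked"
    printf 'resolves to:  %s\n' "$real"
    printf 'certificates: %s\n' "$found"
    # Path reported in this thread as hardcoded in the shipped libgit2.
    printf '/etc/pki/tls/cert.pem: %s\n' "$(count_certs /etc/pki/tls/cert.pem)"
    [ "$found" -gt 0 ]
}

# Usage: check_ca_store julia-1.1.1/share/julia/cert.pem
```

A count of 0 for the picked location means the environment variable wins the lookup but points at nothing usable, which is worth ruling out before copying files into /etc/pki/tls.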

@ViralBShah
Member

ViralBShah commented Jul 30, 2019

Is this still an issue? @staticfloat can we close this, since we seem to have done a bunch of work on making sure certificates work well over the last few months?

@fps
Author

fps commented Jul 30, 2019

I can try a newer build in a guix system. I'll try right now. Possibly I'll have to set up a new guix system to check. Should be a couple of hours max.

@fps
Author

fps commented Aug 1, 2019

Something's still weird:

fps@guix101 ~$ julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.1.1 (2019-05-16)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

(v1.1) pkg> add Flux
   Cloning default registries into `~/.julia`
   Cloning registry from "https://github.com/JuliaRegistries/General.git"
ERROR: failed to clone from https://github.com/JuliaRegistries/General.git, error: GitError(Code:ECERTIFICATE, Class:SSL, the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA)

https://github.com/fps/guix-packages/blob/master/julia-hack.scm

Note that guix now includes a "native" julia package, so this package has really lost all reason to exist. And I don't know enough about the used TLS packages to judge whether the problem with this patched up binary release of julia is with guix or with julia.

@fps
Author

fps commented Aug 1, 2019

And yep. Copying over cert.pem to /etc/pki/tls still fixes it..

@dgnorton

I'm getting a cert error when following the install instructions for IJulia here: https://github.com/JuliaLang/IJulia.jl

System

❯ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS

Julia

Downloaded and installed: https://julialang-s3.julialang.org/bin/linux/aarch64/1.2/julia-1.2.0-linux-aarch64.tar.gz

❯ julia --version
julia version 1.2.0

Repro and error output

GitHub gist with terminal output of error: https://gist.github.com/dgnorton/b667bca40409233014070178767a0d8c

@hailijuan

hailijuan commented Nov 21, 2019

2019-12-05 update:
export SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"
The setting does help fix the error. Thank you.


I am running into the same error too. Unluckily, the error is still there after I copied usr/share/julia/cert.pem to /etc/pki/tls and to /etc/ssl/cert.pem and to append /etc/ssl/certs/ca-certificates.crt.

I also tried these environments:

$ export|grep SSL
declare -x SSL_CERT_DIR="/etc/ssl/certs"
declare -x SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"

Thanks.

@KunBrother100

@fps I encountered the same problem as you in version 1.3.0, how did you solve it?


7 participants