SSL certificate errors
CKAN uses .NET/Mono's standard WebClient for all downloads (with CURL as a fallback on some platforms). For HTTPS URLs, WebClient needs to be able to verify a host's SSL certificate using trusted certificates on your local system. This is also what a browser does for the same URLs, and it's why you sometimes see a "security warning" about an expired certificate.
Modern operating systems have built-in certificate stores, but Mono also has its own certificate store, which may or may not be automatically synchronized with the system certificate store, which may or may not include certificates that trust all of the download hosts.
You may see the following errors when CKAN attempts to download a file if its host's certificate cannot be verified:
Oh no! Our download failed with a certificate error!
Error: TrustFailure (The authentication or decryption has failed.)
Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED)
Unhandled Exception: System.Net.WebException: Error: SendFailure (Error writing headers) ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed.
Occasionally, these errors may happen because a download host is using an expired certificate. This has happened with SpaceDock a few times. If this is what's happening, then you should also see an error in your browser when visiting the download site. In these cases all you can do is wait for the host to fix the problem; typically it only takes a few days or less.
More often, these errors happen because your Mono certificate store is missing certificates. Fortunately, this is a problem that you can solve.
As of February 2018, TLS errors can also occur for any GitHub download, including operations internal to CKAN such as registry updates. This is because GitHub now requires TLS 1.2, and making .NET or Mono use TLS 1.2 can be a challenge.
To resolve these errors, Mono's certificate store must be updated to trust the affected download hosts, which entails adding the right certificates to your local Mono configuration. There are multiple tools available to do this, and any of them might work as long as the right certificates are added.
Install CKAN 1.24.0 or later
CKAN 1.24.0 includes changes specifically to enable TLS 1.2. No previous version of CKAN can access GitHub URLs anymore as of February 2018.
Make sure your Mono supports TLS 1.2
As of February 2018, your Mono installation must support TLS 1.2 to access GitHub URLs. Mono 5.0 is recommended for this.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
# Note "stable-xenial" -- set to your distro
echo "deb http://download.mono-project.com/repo/debian stable-xenial main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
sudo apt-get update
sudo apt-get dist-upgrade
Importing system certificates
The cert-sync command was added in Mono 3.12.0 (release date: 13 Jan 2015). It imports certificates from your OS certificate store into the Mono SSL certificate store. This should happen automatically when installing Mono, but can also be done manually; see the Mono release note instructions for details on using
sudo apt install ca-certificates-mono
sudo cert-sync /etc/ssl/certs/ca-certificates.crt

sudo cert-sync /etc/pki/tls/certs/ca-bundle.crt
cert-sync --user /etc/pki/tls/cert.pem

sudo cert-sync /etc/ssl/certs/ca-certificates.crt
Importing Mozilla's certificates
The mozroots command downloads and imports Mozilla's trusted root certificates into Mono. This variant of the command will prompt the user before removing any trusted certificate:
mozroots --import --ask-remove
If you get "Couldn't retrieve the file using the supplied information." as an error then try:
wget -q 'http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' -O "/tmp/certdata.txt"
mozroots --import --ask-remove --file /tmp/certdata.txt
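
A preflight helper for the steps above, added here as an example (it is not part of CKAN or Mono): it parses `mono --version`, compares the version numerically against the 3.12.0 and 5.0 thresholds this page gives, and picks whichever of the CA bundle paths listed above exists and actually contains a certificate. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
# Added example, not CKAN or Mono code. Function names and ROOT are assumptions.

# mono_version: read `mono --version` output on stdin, print the dotted version.
mono_version() { sed -n 's/^Mono JIT compiler version \([0-9.]*\).*/\1/p'; }

# ver_ge A B: succeed when dotted version A >= B, comparing field by field as
# numbers (a plain string compare would rank 3.2.8 above 3.12.0).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# find_ca_bundle [ROOT]: print the first bundle path named on this page that
# exists and holds at least one PEM certificate. ROOT is only for testing.
find_ca_bundle() {
    for p in /etc/ssl/certs/ca-certificates.crt \
             /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/cert.pem; do
        if grep -q -e '-----BEGIN CERTIFICATE-----' "${1:-}$p" 2>/dev/null; then
            printf '%s\n' "${1:-}$p"
            return 0
        fi
    done
    return 1
}

# preflight VERSION [ROOT]: print the next step; non-zero when cert-sync is unusable.
preflight() {
    if ! ver_ge "$1" 3.12.0; then
        echo "Mono $1 predates cert-sync (added in 3.12.0); upgrade Mono or use mozroots"
        return 1
    fi
    ver_ge "$1" 5.0 || echo "Mono $1 is older than the 5.0 recommended for TLS 1.2"
    if bundle=$(find_ca_bundle "${2:-}"); then
        echo "sudo cert-sync $bundle"
    else
        echo "No system CA bundle found; try: mozroots --import --ask-remove"
        return 1
    fi
}

# Stand-alone use: check the installed Mono, if there is one (prints advice only).
command -v mono >/dev/null 2>&1 && preflight "$(mono --version | mono_version)" || true
```

The script only prints the suggested command; it does not modify any certificate store.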