SSL certificate errors

Paul Krizak edited this page Jun 24, 2018 · 5 revisions

Background

CKAN uses .NET/Mono's standard WebClient for all downloads (with CURL as a fallback on some platforms). For HTTPS URLs, WebClient needs to be able to verify a host's SSL certificate using trusted certificates on your local system. This is also what a browser does for the same URLs, and it's why you sometimes see a "security warning" about an expired certificate.

Modern operating systems have built-in certificate stores, but Mono also has its own certificate store, which may or may not be automatically synchronized with the system certificate store, which may or may not include certificates that trust all of the download hosts.

Problems

You may see the following errors when CKAN attempts to download a file if its host's certificate cannot be verified:

Oh no! Our download failed with a certificate error!
Error: TrustFailure (The authentication or decryption has failed.)
Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED)
Unhandled Exception:
System.Net.WebException: Error: SendFailure (Error writing headers) --->
    System.Net.WebException: Error writing headers --->
    System.IO.IOException: The authentication or decryption has failed.

Causes

Occasionally, these errors may happen because a download host is using an expired certificate. This has happened with SpaceDock a few times. If this is what's happening, then you should also see an error in your browser when visiting the download site. In these cases all you can do is wait for the host to fix the problem; typically it only takes a few days or less.

More often, these errors happen because your Mono certificate store is missing certificates. Fortunately, this is a problem that you can solve.

As of February 2018, TLS errors can also occur for any GitHub download, including operations internal to CKAN such as registry updates. This is because GitHub now requires TLS 1.2, and making .NET or Mono use TLS 1.2 can be a challenge.

Solutions

To resolve these errors, Mono's certificate store must be updated to trust the affected download hosts, which entails adding the right certificates to your local Mono configuration. There are multiple tools available to do this, but any of them might work as long as the right certificates are added.

Install CKAN 1.24.0 or later

CKAN 1.24.0 includes changes specifically to enable TLS 1.2. No previous version of CKAN can access GitHub URLs anymore as of February 2018.

Make sure your Mono supports TLS 1.2

As of February 2018, your Mono installation must support TLS 1.2 to access GitHub URLs. Mono 5.0 is recommended for this.

Ubuntu:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
# Note "stable-xenial" -- set to your distro
echo "deb http://download.mono-project.com/repo/debian stable-xenial main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
sudo apt-get update
sudo apt-get dist-upgrade

Importing system certificates

The cert-sync command was added in Mono 3.12.0 (release date: 13 Jan 2015). It imports certificates from your OS certificate store into the Mono SSL certificate store. This should happen automatically when installing Mono, but can also be done manually; see the Mono release note instructions for details on using cert-sync.

Debian/Ubuntu:

sudo apt install ca-certificates-mono
sudo cert-sync /etc/ssl/certs/ca-certificates.crt

Fedora:

sudo cert-sync /etc/pki/tls/certs/ca-bundle.crt
cert-sync --user /etc/pki/tls/cert.pem

Arch:

sudo cert-sync /etc/ssl/certs/ca-certificates.crt

Importing Mozilla's certificates

The older mozroots command downloads and imports Mozilla's trusted root certificates into Mono. This variant of the command will prompt the user before removing any trusted certificate:

mozroots --import --ask-remove

If you get "Couldn't retrieve the file using the supplied information." as an error then try:

wget -q 'http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' -O "/tmp/certdata.txt"
mozroots --import --ask-remove --file /tmp/certdata.txt
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.