Skip to content
This repository has been archived by the owner on Mar 12, 2019. It is now read-only.

How do you get around self signed certs while updating? #298

Closed
h3adache opened this issue Mar 15, 2017 · 6 comments
Closed

How do you get around self signed certs while updating? #298

h3adache opened this issue Mar 15, 2017 · 6 comments
Assignees
@sjackman
Labels
question

Comments

@h3adache
Copy link

Running cd "$(brew --repo)" && git fetch && git reset --hard origin/master && brew update
Results in

fatal: unable to access 'https://github.com/Linuxbrew/brew/': SSL certificate problem: self signed certificate in certificate chain

I can't see any flags or issues regarding this so I'm not sure what a work around is
@sjackman sjackman self-assigned this Mar 15, 2017
@sjackman
Copy link
Member

sjackman commented Mar 15, 2017
edited

I haven't run into this issue myself. Try

brew install curl git

@h3adache
Copy link
Author

I'm not sure what your answer had to do with the issue. The problem is that I was trying to update brew while behind a corporate proxy/firewall (using websense). The cert is coming from websense intercepting traffic.

brew install curl git by default does not work
The curl problem is also documented in #275

You "solved" this by removing https for erlang but that doesn't work for libraries that aren't available through http (such as curl which is behind a https url)
Instead you must do echo insecure >> ~/.curlrc so that the -k option is not required.

brew install git works with the same trick as well.

brew update however does not work. I don't know why it still fails due the self signed cert. I haven't dug into what backend linux component/library is making the call that fails.

@sjackman
Copy link
Member

The problem is that I was trying to update brew while behind a corporate proxy/firewall (using websense). The cert is coming from websense intercepting traffic.

I was missing that key piece of information. I understand the problem now.

You "solved" this by removing https for erlang

That fix was specifically for erlang, whose SSL cert seems to be misconfigured, since it includes a self-signed cert in its chain, which curl rejects by default. I opened an issue upstream with openssl. They think it's a curl bug. openssl/openssl#2833

Instead you must do echo insecure >> ~/.curlrc so that the -k option is not required.

Thanks for this work around! That's very helpful.

brew update however does not work. I don't know why it still fails due the self signed cert. I haven't dug into what backend linux component/library is making the call that fails.

You'll have to configure git to use insecure https URLs, as you did for curl.

@h3adache
Copy link
Author

Thanks @sjackman! I can confirm that first doing git config --global http.sslVerify false does indeed allow me to brew update now.

@sjackman
Copy link
Member

sjackman commented Mar 16, 2017
edited

Thanks again for the workaround. That's very helpful to know.

@sjackman
Copy link
Member

To disable SSL verification

echo insecure >> ~/.curlrc
git config --global http.sslVerify false

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@sjackman sjackman

Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sjackman @h3adache