Expired SSL for https://rvm.io #1684

Closed
smaboshe opened this issue Mar 15, 2013 · 23 comments

@smaboshe

Hello!

I'm getting errors today trying to update RVM:

$ rvm get head
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
RVM reloaded!

I get the same with rvm get stable.

On visiting https://rvm.io in Chrome, I get an SSL Error page with:

The site's security certificate has expired!
You attempted to reach rvm.io, but the server presented an expired certificate. No information is available to indicate whether that certificate has been compromised since its expiration. This means Google Chrome cannot guarantee that you are communicating with rvm.io and not an attacker. Your computer's clock is currently set to Friday, March 15, 2013 10:16:13 AM. Does that look right? If not, you should correct the error and refresh this page.
You should not proceed, especially if you have never seen this warning before for this site.

Is this accurate? Earlier, I was getting warnings from cURL about this potentially being a man in the middle attack so I'd really like to make sure.

@ghost ghost assigned envygeeks Mar 15, 2013
@envygeeks
Contributor

This is a known issue and we are working hard to fix it. Even though it's not an issue since it's being worked on I'm going to leave the ticket open so that other people will not file redundant tickets. Thanks :)

@deiga

deiga commented Mar 15, 2013

how can we circumvent this until it is fixed?

@jimothyGator

@deiga: curl -Lk https://get.rvm.io | bash -s stable --ruby

The -k option tells curl to ignore certificate problems.

The paranoid would be concerned about man-in-the-middle attacks.

@jimcavoli

@jimothyGator that won't solve issues with https://get.rvm.io being hit by existing installs for new rubies, updates, etc. however, since they don't add tack k

@jimcavoli

@deiga You could set your system clock to before their certificate expired, which was March 14th at 19:59:59 Eastern. That'll shut up openssl temporarily, then you can come back to the future.

@jimothyGator

@jimcavoli : Yes, I just realized that doesn't go far enough. echo insecure >> ~/.curlrc may work (I'm running it now; so far, so good). Of course, that means this change will be global for curl, so be careful.

Your suggestion of setting the system clock back may be better.

UPDATE: This seems to work. I'm going to delete ~/.curlrc until I need to update or install a new ruby. Hopefully, the certificate issue will be worked out by then.

@mpapis
Member

mpapis commented Mar 15, 2013

please do not use insecure ... it is not secure, we are working on the certs fix - till then use this for updating RVM:

 \curl -L https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | 
  bash -s head # or stable or <version>

@redjohn

redjohn commented Mar 15, 2013

@mpapis thanks

@dahakawang

@jimothyGator you can add --insecure option to the curl
in scripts/fetch line24 I temporarily add it:

fetch_command="curl ${rvm_proxy:+-x}${rvm_proxy:-} -f -L --insecure --create-dirs -C - -o ${archive}"

I installed ruby2.0.0 by doing that hack.
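
The two workarounds posted above (`echo insecure >> ~/.curlrc` and the `--insecure` edit in scripts/fetch) are easy to leave behind once the certificate is fixed. The following is an added example, not RVM code and not from any commenter: it finds and removes them. The function names are hypothetical, and the script check is a text heuristic rather than a shell parser.

```shell
#!/usr/bin/env bash
# Added example (not RVM code): find and remove curl settings that
# disable TLS certificate verification.

# An active curlrc line that sets insecure / --insecure / -k.
# Comment lines (starting with #) never match: the pattern is anchored.
CURLRC_INSECURE_RE='^[[:space:]]*((--)?insecure|-k)[[:space:]]*$'

# curlrc_insecure_lines FILE
# Prints "N:line" for each hit. Status 0 = hits, 1 = clean, 2 = unreadable.
curlrc_insecure_lines() {
  [ -r "$1" ] || return 2
  grep -nE "$CURLRC_INSECURE_RE" "$1"
}

# curlrc_strip_insecure FILE
# Rewrites FILE without those lines, keeps every other setting, and
# leaves the previous content in FILE.bak.
curlrc_strip_insecure() {
  [ -r "$1" ] || return 2
  cp -p "$1" "$1.bak" || return 1
  # grep -v exits 1 when nothing is left to print; that is not an error.
  grep -vE "$CURLRC_INSECURE_RE" "$1.bak" > "$1" || [ $? -eq 1 ]
}

# script_insecure_curl FILE
# Prints "N:line" for lines of a shell script where a curl command
# carries --insecure or a short-flag cluster containing k (-k, -Lk).
# Only the text between "curl" and the next | ; & is inspected.
script_insecure_curl() {
  [ -r "$1" ] || return 2
  grep -nE 'curl[^|;&]*[[:space:]](--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]"]|$)' "$1"
}

# Stand-alone use: pass a curlrc path to list its offending lines.
if [ $# -gt 0 ]; then
  curlrc_insecure_lines "$1"
fi
```
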

@mpapis
Member

mpapis commented Mar 16, 2013

@dahakawang as mentioned in comment #1684 (comment) - insecure is not secure you should not use it!

@mpapis
Member

mpapis commented Mar 16, 2013

fixed, extra bonus rvm/rvm-site#153

@mpapis mpapis closed this as completed Mar 16, 2013
@dahakawang

@mpapis thanks for your hard work, and now I'm happy I don't need that hack way 👍 :-D

@scaryguy

How am I supposed to install this updated version since I'm unable to use 'rvm get stable' command?

My problem is not being able to connect to update server which now has solution of not connecting issue?

I'm confused.

@mpapis
Member

mpapis commented Mar 26, 2013

@scaryguy try:

\curl -L https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | 
  bash -s stable

@scaryguy

@mpapis I've already tried that. But no way... See the result:

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (77) error setting certificate verify locations:
CAfile: /usr/local/opt/curl-ca-bundleshare/ca-bundle.crt
CApath: none

@mpapis
Member

mpapis commented Mar 26, 2013

@scaryguy so:

$ man curl | grep 77
       77     Problem with reading the SSL CA cert (path? access rights?).

make sure the path /usr/local/opt/curl-ca-bundleshare/ca-bundle.crt exists and is readable for your user:

[[ -r  /usr/local/opt/curl-ca-bundleshare/ca-bundle.crt ]] && echo OK || echo Problem

it's your local problem not RVM related.

@scaryguy

@mpapis ;

You're partially right. But it was related to RVM and I'm at this point right now while I was trying to fix it..

I've tried everything here, and I guess now this causes CApath to look empty right now. I'm able to update brew for example, I can connect to Ruby Gems during bundle install.

But why I can't update RVM? Isn't this question related to RVM?

@mpapis
Member

mpapis commented Mar 26, 2013

RVM is a shell script and does not have any built-in certificate handling, we only rely on curl to handle this and it should be part of your operating system to update certificates for you. If your system can not / does not update certificates then you should consider changing it to something better (maybe @cwgem could propose something better and more secure).

So as the problem appears while you try to install RVM it's a problem with your system - and every system is different, consult with your system manual about updating or contact system support to get more help.

@envygeeks
Contributor

What operating system are you on?

@scaryguy

@mpapis I just thought that my issue could give you an idea about a 'possible trouble' . If it didn't, sorry.

@envygeeks I'm on MacOSX Mountain Lion.

I had installed RVM via installer and now I have several rubies and gemsets. If I uninstall it what happens to my rubies and gemsets? I can try reinstalling it if rubies and gemsets will be safe.

@mpapis
Member

mpapis commented Mar 26, 2013

@scaryguy curl can be compiled with OS X support http://curl.haxx.se/docs/sslcerts.html :

 Peer SSL Certificate Verification with Schannel and Secure Transport
====================================================================

If libcurl was built with Schannel (Microsoft's TLS/SSL engine) or Secure
Transport (Apple's TLS/SSL engine) support, then libcurl will still perform
peer certificate verification, but instead of using a CA cert bundle, it will
use the certificates that are built into the OS. These are the same
certificates that appear in the Internet Options control panel (under Windows)
or Keychain Access application (under OS X). Any custom security rules for
certificates will be honored.

make sure you use proper version of curl and update your system often.

@pkuczynski pkuczynski added help and removed support labels Oct 7, 2016
@pkuczynski pkuczynski added this to the rvm-1.27.0-before milestone May 8, 2019