New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Install tries to update /etc/openssl instead of /usr/local/etc/openssl #3330

Closed
exact opened this Issue Mar 3, 2015 · 47 comments

Comments

Projects
None yet
@ghost

ghost commented Mar 3, 2015

On OS X Yosemite, I have a single-user install, I am not in sudoers and the directory /etc/openssl does not exist.

~ which rvm
/Users/donncha/.rvm/bin/rvm
~ rvm version
rvm 1.26.10 (latest) by Wayne E. Seguin <wayneeseguin@gmail.com>, Michal Papis <mpapis@gmail.com> [https://rvm.io/]
~  rvm install 2.1.5
Searching for binary rubies, this might take some time.
Found remote file https://rvm_io.global.ssl.fastly.net/binaries/osx/10.10/x86_64/ruby-2.1.5.tar.bz2
Checking requirements for osx.
Certificates in '/usr/local/etc/openssl/cert.pem' are already up to date.
Requirements installation successful.
ruby-2.1.5 - #configure
ruby-2.1.5 - #download
ruby-2.1.5 - #validate archive
ruby-2.1.5 - #extract
ruby-2.1.5 - #validate binary
ruby-2.1.5 - #setup
ruby-2.1.5 - #gemset created /Users/donncha/.rvm/gems/ruby-2.1.5@global
ruby-2.1.5 - #importing gemset /Users/donncha/.rvm/gemsets/global.gems....................................
ruby-2.1.5 - #generating global wrappers........
ruby-2.1.5 - #gemset created /Users/donncha/.rvm/gems/ruby-2.1.5
ruby-2.1.5 - #importing gemsetfile /Users/donncha/.rvm/gemsets/default.gems evaluated to empty gem list
ruby-2.1.5 - #generating default wrappers........
Updating certificates in '/etc/openssl/cert.pem'.
mkdir: /etc/openssl: Permission denied
mkdir -p "/etc/openssl" failed, retrying with sudo

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

donncha password required for 'mkdir -p /etc/openssl': 

In the initial check it correctly determines that the openssl certs are in /usr/local/etc/openssl/cert.pem and that they are up-to-date, but then tries to upgrade non-existent certs in /etc/openssl (which doesn't exist), requiring the use of sudo, to which I don't have access.

Two issues:
a) why is it updating certs if it has already determined they're OK, and
b) why isn't it updating the correct cert file

@ghost

This comment has been minimized.

ghost commented Mar 3, 2015

I can workaround this by switching to a user who does have sudo access and running
sudo rvm osx-ssl-certs update all, but that shouldn't be necessary.

@costa

This comment has been minimized.

costa commented Mar 25, 2015

+1

@costa

This comment has been minimized.

costa commented Apr 1, 2015

Moreover, in my case, it asks for the sudo password for something, then uses it for something else, look:

Searching for binary rubies, this might take some time.
Found remote file https://rvm_io.global.ssl.fastly.net/binaries/osx/10.10/x86_64/ruby-2.2.1.tar.bz2
Checking requirements for osx.
Updating certificates in '/opt/local/etc/openssl/cert.pem'.
MyUser password required for 'command tee /opt/local/etc/openssl/cert.pem':
Requirements installation successful.
ruby-2.2.1 - #configure
ruby-2.2.1 - #download
######################################################################## 100.0%
ruby-2.2.1 - #validate archive
ruby-2.2.1 - #extract
ruby-2.2.1 - #validate binary
ruby-2.2.1 - #setup
ruby-2.2.1 - #gemset created /Users/kp0t/.rvm/gems/ruby-2.2.1@global
ruby-2.2.1 - #importing gemset /Users/kp0t/.rvm/gemsets/global.gems..............................
ruby-2.2.1 - #generating global wrappers........
ruby-2.2.1 - #gemset created /Users/kp0t/.rvm/gems/ruby-2.2.1
ruby-2.2.1 - #importing gemsetfile /Users/kp0t/.rvm/gemsets/default.gems evaluated to empty gem list
ruby-2.2.1 - #generating default wrappers........
Updating certificates in '/etc/openssl/cert.pem'.

Hello? I didn't give you permission to update my system certificates, now what the F?

@havenwood

This comment has been minimized.

Contributor

havenwood commented Apr 2, 2015

@exact When autolibs are enabled the /usr/local/etc/openssl openssl is setup as a requirement for being able to compile dynamically linked Rubies on OS X. If you rvm install 2.1.5 --disable-binary and compile you'll notice you won't then see the /etc/openssl being setup. The latter is just used for statically linked precompiled binaries like the 2.1.5 OS X binary you're installing.

@costa Hello. Give man sudo and man sudoers a read, then man visudo so you can configure your sudoers file with the settings you prefer. If you set timestamp_timeout=0 your system will always prompt you for a password instead of waiting x minutes before asking for a password again. This isn't an RVM setting, it's your system.

@costa

This comment has been minimized.

costa commented Apr 4, 2015

@havenwood Thanks for the advice, now more importantly, why exactly rvm install needed to update /etc when I was installing 2.2.1 (and as far as I know it doesn't have those weird statically linked binaries that cannot use openssl's own directory as a base)?

@havenwood

This comment has been minimized.

Contributor

havenwood commented Apr 4, 2015

@costa Additional binaries for OS X are now available, including 2.2.1. You can rvm install 2.2.1 --disable-binary if you prefer to compile from source.

@costa

This comment has been minimized.

costa commented Apr 4, 2015

@havenwood I'm sorry I don't understand how this answers my question.
I did a local install of rvm (without intention of changing anything in my system);
rvm asked a sudo password for /opt/local/etc;
I thought: okay, it's a bit too nice of rvm, but I'll let it change the current openssl's certs (openssl living in /opt/local);
Then it went on and — without any further confirmation — changed a file in an unexpected location (belonging to neither openssl nor rvm installation) for no apparent reason.
So I'm looking for that reason.
I'm kind of experienced rvm user, but this kind of behaviour strikes me for the first time.

@havenwood

This comment has been minimized.

Contributor

havenwood commented Apr 4, 2015

as far as I know it doesn't have those weird statically linked binaries

I was just responding to this. You're mistaken. There is a precompiled statically linked binary available for 2.2.1 now! You can see you're using the precompiled binary in the log you posted above but you still have the option to compile from source if you prefer.

without intention of changing anything in my system

You can set rvm autolibs read-only to use available dependencies and ignore missing ones. This will also skip updating openssl certs. There's more information about your options in the autolibs documentation.

without any further confirmation

Configure your sudoers file with the behavior you prefer. If there are further sudo-related issues please open a new issue.

@costa

This comment has been minimized.

costa commented Apr 5, 2015

@havenwood Thank you for your answer.

I hope you don't mind me asking who's responsible for compiling the rubies. I'd like to see the reason behind "linking" /etc statically. Clueless that I am might think that there's no problem to statically link an openssl library which knows of the natural location of the cert file.

Now, if /etc is what Ruby 2.2.1 needs, who needs /opt/local/etc?

@havenwood

This comment has been minimized.

Contributor

havenwood commented Apr 8, 2015

@costa OS X has deprecated OpenSSL in favor of Common Crypto, so OS X doesn't ship with a version of OpenSSL that modern Ruby can compile against.

The /opt/local/etc/openssl directory on your system was likely created by the MacPorts package manager. As the /usr/local/etc/openssl initially reported on this Issue was likely created by the Homebrew package manager. Neither of these directories exist on a fresh OS X install.

Now, if /etc is what Ruby 2.2.1 needs, who needs /opt/local/etc?

The package-manager-provided OpenSSL satisfies the dynamic linking dependency when compiling Ruby 2.2.1. The SM-Framework-provided statically installed OpenSSL satisfies the static linking dependency for precompiled Ruby 2.2.1. This article discusses statically linking external dependencies with Ruby on OS X. All of the code is open source if you'd like to explore and if you have questions just drop by the #rvm Freenode IRC channel.

@costa

This comment has been minimized.

costa commented Apr 13, 2015

@havenwood Thanks again. Now I've tried to look for that statically linked OpenSSL lib you mentioned, but I couldn't find it. Any ideas?

@toadle

This comment has been minimized.

toadle commented Apr 16, 2015

Guys, I had the same problem and found my solution here. Blogged about it:
http://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html

@toadle

This comment has been minimized.

toadle commented Apr 17, 2015

@mpapis Ask to be mentioned here via this tweet :-)!
https://twitter.com/rvm_io/status/588957794713399297

@postmodem

This comment has been minimized.

postmodem commented May 22, 2015

@toadle Thanks so much for that blog post. It helped me a resolve the very same issue—one I've been troubleshooting all day.

@mpapis

This comment has been minimized.

Member

mpapis commented Aug 11, 2015

@toadle @postmodem it's not the same issue, your problem was that you had manually installed certificates in a custom path in your system and not installed them in OSX certificate store.

anyway I think both issues could be "fixed" if RVM detected SSL_CERT_FILE="..." and did not update the certificates, instead issue a warning about custom path and that it's not being automatically updated.

@bitaxis

This comment has been minimized.

bitaxis commented Aug 16, 2015

I use rvm-installed Rubies everywhere, and this came up for me originally when I started to use a self-signed certificate to secure a single sign-on application. Not quite sure if an empty, non-existent, nor custom SSL_CERT_DIR is the root cause, because for me, this was happening both on my Linux host where I deploy my SSO-enabled Rails applications to as well as on my Mac, where I develop and test those applications. But, contrary to the Mac, the SSL_CERT_DIR rvm-installed Rubies point to is not empty on my Linux host.

But, Mislav Marohnić's http://mislav.uniqpath.com/2013/07/ruby-openssl/ article and his ssl-tools repo provided me with the solution/workaround I need. Basically, I would use create-cert to create the certificate, run sudo c_rehash on it, and then move the file and links into SSL_CERT_DIR.

I had to do this on my Linux host as well as copy the certificate to my Mac and do the same so that both the SSO application and others integrated with it are able to pass certificate verification when run from both machines.

But this came up again when I upgraded from Ruby 2.2.0 to 2.2.2 (both on same install of Yosemite), because, annoyingly, SSL_CERT_DIR changed from /opt/local/etc/openssl/certs to /etc/openssl/certs.

@mpapis

This comment has been minimized.

Member

mpapis commented Aug 17, 2015

@bitaxis RVM does not change SSL_CERT_DIR environment variable, if you are having problems with it - has to be something else, as for the binaries provided by RVM and the /etc/openssl/certs - it's a standard path, no reason to not use it, further more: RVM does update this path with your OSX stores certificates when you install ruby, there is even a command to update all OpenSSL paths that your rubies point to: rvm osx-ssl-certs update all

you can still use the certificates generated Mislavs tool by adding them to the OSX certificate store.

@bitaxis

This comment has been minimized.

bitaxis commented Aug 20, 2015

@MAPIS Good to hear that RVM does not change the SSL_CERT_DIR environment variable. Perhaps it is OpenSSL and/or CommonCrypto that is doing it then.

Still loving RVM for all it does. Please keep up the excellent work!

@kimardenmiller

This comment has been minimized.

kimardenmiller commented Sep 11, 2015

@toadle linked blog worked for me, though things starting working when I ran brew doctor, which led me to clues like unset SSL_CERT_DIR

@jmyers0022

This comment has been minimized.

jmyers0022 commented Oct 1, 2015

@toadle thanks for the blog post. Worked for me as well. 👍

@pik

This comment has been minimized.

pik commented Oct 12, 2015

@mpapis I have updated with that command and still experienced the same problem, so I believe this issue is still unfixed on the RVM side.

Also rvm install <ruby-version> --disable-binary fails on OS X.

@Vanuan

This comment has been minimized.

Vanuan commented Oct 15, 2015

I believe, rvm should somehow distinguish between different OS X versions and install corresponding binary.

@Vanuan

This comment has been minimized.

Vanuan commented Oct 15, 2015

What's uname -r on Yosemite and Maverics?

@pik

This comment has been minimized.

pik commented Oct 15, 2015

14.4.0 for Yosemite.

@toadle

This comment has been minimized.

toadle commented Oct 15, 2015

15.0.0 for El Capitan

@mpapis

This comment has been minimized.

Member

mpapis commented Oct 16, 2015

@Vanuan according to apple they have full backwards compatibility, it should be enough to specify flag back to which version you want support and anything upwards should be good. As it looks they do not keep that premise.

all that apart, the problem here was about RVM using /etc/openssl which is part of RVM binaries no difference which version you would use - closing this issue as invalid

finally if there is a bug with rvm install <ruby-version> --disable-binary - please open separate issue with the full error and mentioned log files

@mpapis mpapis closed this Oct 16, 2015

@pik

This comment has been minimized.

pik commented Oct 17, 2015

This problem only happens with RVM ruby binaries and there is no working solution listed -- short of building ruby from source - how is this an invalid issue?

@Vanuan

This comment has been minimized.

Vanuan commented Oct 17, 2015

Wow.
"We provided compiled binaries for OS X. And it worked well until Apple developers made an incompatible change. Stupid morons they are. We won't provide compiled binaries anymore. So f*ck off."

@pik

This comment has been minimized.

pik commented Oct 17, 2015

Compiled binaries that cause issues for most users and don't fix anything aren't of any kind of benefit to those users -- you might see it as unrewarding (free work for github issues) but so is the process of finding out that X is not in fact supported. (I've already had a similar problem with fish-shell support: which has a shim and explicit instructions on the rvm website -- and which do not work and the issue for which was closed 'i.e. we don't support fish-shell - despite the official documentation').

@mpapis

This comment has been minimized.

Member

mpapis commented Oct 17, 2015

please do not confuse problems, problem here in this ticket is not actually a bug, Apple does not provide package manager nor openssl, so anyone willing to provide software for OSX needs to statically link against openssl, as a side effect of this - anyone providing software needs to pick a path for the openssl configuration, by default UNIX / Linux uses /etc for configuration. so RVM uses it - and this ticket is about it!

if you have problems with anything else please open a separate issue, RVM contributors are here to help and solve the problems.

@Vanuan

This comment has been minimized.

Vanuan commented Oct 17, 2015

@mpapis
So, is it really hard to provide different configuration path for different versions of OS X?

@mpapis

This comment has been minimized.

Member

mpapis commented Oct 18, 2015

@Vanuan it is not hard, it is impossible, the one path that is set it is hard coded in the binary, to change it a new binary has to be compiled.

@Vanuan

This comment has been minimized.

Vanuan commented Oct 19, 2015

@mpapis so, is it hard to compile a new binary?

@toadle

This comment has been minimized.

toadle commented Oct 19, 2015

@mpapis Is there a way to install and use openssl with decent userbase that uses /etc/openssl as their path? Under my impression most people install using homebrew which uses /usr/local/etc/openssl and therefore is a problem.

If there is a different way other than homebrew which most of users actually use than this is indeed invalid and should be closed. Otherwise I'd suggest to use the PATH with the biggest userbase.

@mpapis

This comment has been minimized.

Member

mpapis commented Oct 20, 2015

From top of my head: homebrew, macports, fink, sm (used by RVM to compile the binary rubies). This gives 4 for start, there is more, homebrew might be the leading one, but each of them will have a different path ... even better homebrew can be installed in different paths, picking just one path is not an option.

As long as Apple does not provide a default package manager for OSX with default paths there is only so much others can do to overcome their mess.

@toadle

This comment has been minimized.

toadle commented Oct 20, 2015

@mpapis Perhaps a short warning then, when installing a precompiled binary?
So that the obvious solution to the SSL-problem is right there, when not installing from source?

@pik

This comment has been minimized.

pik commented Oct 20, 2015

I don't know about others but for me sudo rvm osx-ssl-certs update all did not fix anything either.

Imho what really should happen during the binary install procedure is that it should check if ssl certs are present at the expected binary path -- if not install should end with a warning and provide the user with instructions for fixing this or suggest installing with --disable-binary (on a sidenote why does building ruby suddenly require dtrace, are these just the default ./configure settings supplied by rbenv/rvm?).

@mpapis

This comment has been minimized.

Member

mpapis commented Oct 20, 2015

@pik rvm osx-ssl-certs update all does not require sudo, also you might be missing point about it, what it does is import certificates from OSX certificates store, which should be ultimate source of certificates on OSX as it's the official place certificates are stored on this system.

@pik

This comment has been minimized.

pik commented Oct 20, 2015

I don't know much about the osx ecosystem since I've mostly used linux - all I meant to say is that did not fix ssl errors with rvm for me (where as rbenv's install which builds from source works fine -- I assume rvm would as well with --disable-binary).

@mpapis

This comment has been minimized.

Member

mpapis commented Oct 20, 2015

@pik I would need to know more about your expectations, but yes, the --disable-binary would have worked for you most likely.

@jgerry

This comment has been minimized.

jgerry commented Oct 29, 2015

I just ran into this issue with Ruby 2.1.4 using the AWS SDK. Re-installng via rvm reinstall 2.1.4 --disable-binary almost worked -- I did have to remove my 2.1.4 gemsets and rebuild them first. Now everything seems to be working properly. I suspect had I removed 2.1.4 and its gemsets entirely and re-installed 2.1.4 it would have worked without issue.

@Cynth42

This comment has been minimized.

Cynth42 commented Feb 7, 2017

I'm trying to update ssl certificate and I'm being asked for password. Don't know what password they are asking for. Somebody please help me-thanks
Updating certificates for /etc/openssl/cert.pem: Updating certificates in '/etc/openssl/cert.pem'.
password required for 'command tee /etc/openssl/cert.pem':
Sorry, try again.
password required for 'command tee /etc/openssl/cert.pem':

@pkuczynski

This comment has been minimized.

Member

pkuczynski commented Feb 7, 2017

It needs root password.

@Cynth42

This comment has been minimized.

Cynth42 commented Feb 7, 2017

it needs root password and i'm not sure what the root password is

@pkuczynski

This comment has been minimized.

Member

pkuczynski commented Feb 7, 2017

Then it wont work.

@Cynth42

This comment has been minimized.

Cynth42 commented Feb 7, 2017

Thank you thus far :) So I am trying to build a simple blog app and at the end of the log, I'm seeing:
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. What is happening and how can I fix it? Do I need to update the SSL certificate? I'm not sure what to do. Thank you for the help

: railsapp
♥ rails new blog
create
create README.rdoc
create Rakefile
create config.ru
create .gitignore
create Gemfile
create app
create app/assets/javascripts/application.js
create app/assets/stylesheets/application.css
create app/controllers/application_controller.rb
create app/helpers/application_helper.rb
create app/views/layouts/application.html.erb
create app/assets/images/.keep
create app/mailers/.keep
create app/models/.keep
create app/controllers/concerns/.keep
create app/models/concerns/.keep
create bin
create bin/bundle
create bin/rails
create bin/rake
create bin/setup
create config
create config/routes.rb
create config/application.rb
create config/environment.rb
create config/secrets.yml
create config/environments
create config/environments/development.rb
create config/environments/production.rb
create config/environments/test.rb
create config/initializers
create config/initializers/assets.rb
create config/initializers/backtrace_silencers.rb
create config/initializers/cookies_serializer.rb
create config/initializers/filter_parameter_logging.rb
create config/initializers/inflections.rb
create config/initializers/mime_types.rb
create config/initializers/session_store.rb
create config/initializers/wrap_parameters.rb
create config/locales
create config/locales/en.yml
create config/boot.rb
create config/database.yml
create db
create db/seeds.rb
create lib
create lib/tasks
create lib/tasks/.keep
create lib/assets
create lib/assets/.keep
create log
create log/.keep
create public
create public/404.html
create public/422.html
create public/500.html
create public/favicon.ico
create public/robots.txt
create test/fixtures
create test/fixtures/.keep
create test/controllers
create test/controllers/.keep
create test/mailers
create test/mailers/.keep
create test/models
create test/models/.keep
create test/helpers
create test/helpers/.keep
create test/integration
create test/integration/.keep
create test/test_helper.rb
create tmp/cache
create tmp/cache/assets
create vendor/assets/javascripts
create vendor/assets/javascripts/.keep
create vendor/assets/stylesheets
create vendor/assets/stylesheets/.keep
run bundle install
Fetching source index from https://rubygems.org/
Retrying source fetch due to error (2/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying source fetch due to error (3/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without
using SSL, edit your Gemfile sources and change 'https' to 'http'.
run bundle exec spring binstub --all
/Users//.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/resolver.rb:352:in resolve': Could not find gem 'sqlite3 (>= 0) ruby' in the gems available on this machine. (Bundler::GemNotFound) from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/resolver.rb:165:in start'
from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/resolver.rb:129:in resolve' from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/definition.rb:203:in resolve'
from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/definition.rb:133:in specs' from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/definition.rb:178:in specs_for'
from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/definition.rb:167:in requested_specs' from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/environment.rb:18:in requested_specs'
from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/runtime.rb:13:in setup' from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler.rb:120:in setup'
from /Users/cynthiaclinton/.rvm/gems/ruby-2.1.2@global/gems/bundler-1.6.2/lib/bundler/setup.rb:17:in <top (required)>' from /Users//.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in require'
from /Users//.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'

@blairanderson

This comment has been minimized.

blairanderson commented Mar 29, 2017

@Cynth42 password has nothing to do with RVM. you should read this: http://askubuntu.com/questions/44418/how-to-enable-root-login

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment