
Certification issue during install #1035

Open

verebd opened this issue Oct 8, 2021 · 12 comments

Comments

verebd commented Oct 8, 2021

I am trying to install Volta on a Linux Jenkins agent and sporadically I get a certificate-related error.

[screenshot of the error, not reproduced here]

Could you please check it?

@chriskrycho (Contributor)

Weird. I can’t reproduce locally, and when I check the actual cert for https://get.volta.sh, it looks totally fine and reasonable—it's a standard LetsEncrypt cert which was issued Sept. 20 and expires December 19. I wonder if you're seeing some kind of odd caching issue on the box(es) in question?

lorsatti commented Oct 8, 2021

Found this document, which could perhaps help troubleshoot this issue: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

jsmits commented Oct 12, 2021

I got the same certificate error on my Mac just now.

$ curl https://get.volta.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

levimoore commented Oct 15, 2021

I got this error as well today.

macOS Mojave 10.14.6
iTerm2 Build 3.3.2

$ curl https://get.volta.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Turning off curl verification results in this error:

$ curl --insecure https://get.volta.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12319  100 12319    0     0  49865      0 --:--:-- --:--:-- --:--:-- 49874
  Installing latest version of Volta ()
    Checking for existing Volta installation
    Fetching archive for macOS, version

curl: (22) The requested URL returned error: 404
Error: Could not download Volta version ''. See https://github.com/volta-cli/volta/releases for a list of available releases

canadaduane commented Oct 21, 2021

Turning off curl verification results in this error:

$ curl --insecure https://get.volta.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12319  100 12319    0     0  49865      0 --:--:-- --:--:-- --:--:-- 49874
  Installing latest version of Volta ()
    Checking for existing Volta installation
    Fetching archive for macOS, version

curl: (22) The requested URL returned error: 404
Error: Could not download Volta version ''. See https://github.com/volta-cli/volta/releases for a list of available releases

I had this error as well. The version check inside the volta.sh script is also a curl call, so a workaround for now is to download the script, then add -k (or the long form, --insecure) and run locally:

curl -k https://get.volta.sh > volta.sh
# edit volta.sh and add the `-k` option to the curl command:
# get_latest_release() {
#   curl -k --silent "https://volta.sh/latest-version"
# }
chmod +x volta.sh
./volta.sh

@thoresuenert

I checked the cert with openssl; it reports verify error:num=10:certificate has expired.

I used the following command:
openssl s_client -showcerts -servername get.volta.sh -connect get.volta.sh:443

CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
...

@charlespierce (Contributor)

@thoresuenert That's the legacy Let's Encrypt root certificate, which expired on September 30. The link posted above — https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ — has more info on resolving the issue. This is an issue with the Let's Encrypt certificate chain and OpenSSL 1.0.2, not specific to Volta, so it will likely apply to any site you connect to using OpenSSL with those certificates (however, that usually means using cURL or similar, so there probably aren't a ton of those on a regular basis).

Another solution, suggested by Let's Encrypt themselves — https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ — is to upgrade to OpenSSL 1.1.0 or greater.
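The two comments above describe the check (run `openssl s_client`, read the `verify error` line) and the cause (an OpenSSL 1.0.2 client walking the chain up to the expired DST Root CA X3 cross-sign). The script below is an added example, not Volta's code and not posted by anyone in this thread: it triages an `s_client` transcript so that an expired cross-signed root is told apart from a genuinely expired server certificate, and classifies an `openssl version` string against the 1.1.0 cutoff the Let's Encrypt page gives. The three transcripts are constructed (the `expired.example` hostname is a placeholder), the verdict names are my own, and LibreSSL builds are deliberately left unclassified because the cutoff quoted here is for OpenSSL only. The point of keeping the recommendation in code is that neither verdict ever suggests `curl -k`, which turns off authentication of the server entirely.

```shell
#!/bin/sh
# Added example (not Volta's code and not from the thread): triage an
# `openssl s_client -showcerts` transcript and an `openssl version` string
# so the "certificate has expired" error is not "fixed" with `curl -k`.

# Constructed transcript of an OpenSSL 1.0.2 client, modelled on the one
# posted in the thread: the error fires at depth=3 on DST Root CA X3, the
# cross-signing root that expired on 30 September 2021.
SAMPLE_OLD_CLIENT="CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = get.volta.sh
verify return:1"

# Constructed transcript where the server certificate itself is expired
# (hostname is a placeholder): the error fires at depth=0.
SAMPLE_LEAF_EXPIRED="CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = expired.example
verify error:num=10:certificate has expired
notAfter=Jan  1 00:00:00 2021 GMT"

# Constructed transcript of a client that builds the short chain ending at
# ISRG Root X1 (OpenSSL 1.1.0+, or a CA bundle without DST Root CA X3).
SAMPLE_OK="CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = get.volta.sh
verify return:1"

# classify_verify_error TRANSCRIPT
# Prints: ok | leaf_expired | expired_cross_signed_root | other_expired | other_error
classify_verify_error() {
    if ! printf '%s\n' "$1" | grep -q 'verify error:'; then
        echo ok
        return
    fi
    # s_client prints "depth=N <subject>" right before the verify result for
    # that certificate, so the last depth line before the first "expired"
    # error names the certificate that is actually expired.
    subject=$(printf '%s\n' "$1" | awk '
        /^depth=/ { last = $0 }
        /verify error:num=10:certificate has expired/ { print last; exit }')
    case $subject in
        '')                    echo other_error ;;
        'depth=0 '*)           echo leaf_expired ;;
        *'DST Root CA X3'*)    echo expired_cross_signed_root ;;
        *)                     echo other_expired ;;
    esac
}

# openssl_needs_upgrade "OpenSSL 1.0.2k-fips  26 Jan 2017"
# Exit 0 if this is OpenSSL 1.0.2 or older (it cannot prefer the valid path
# to ISRG Root X1 over the expired one), 1 if 1.1.0 or newer, 2 if the
# string is not from OpenSSL (LibreSSL etc., not classified here).
openssl_needs_upgrade() {
    case $1 in
        'OpenSSL 0.'*|'OpenSSL 1.0.'*) return 0 ;;
        'OpenSSL '*)                   return 1 ;;
        *)                             return 2 ;;
    esac
}

# recommend VERDICT: the action that keeps certificate verification on.
recommend() {
    case $1 in
        expired_cross_signed_root)
            echo "Client walks up to the expired DST Root CA X3: update the CA bundle (e.g. the ca-certificates package) or move to OpenSSL 1.1.0+. Do not pass -k/--insecure." ;;
        leaf_expired)
            echo "The server's own certificate is expired; only the site operator can fix that." ;;
        ok)
            echo "Chain verified; the problem is elsewhere." ;;
        *)
            echo "Different verification failure; read the full transcript." ;;
    esac
}

# Stand-alone run over the constructed samples.
for sample in "$SAMPLE_OLD_CLIENT" "$SAMPLE_LEAF_EXPIRED" "$SAMPLE_OK"; do
    verdict=$(classify_verify_error "$sample")
    printf '%s: %s\n' "$verdict" "$(recommend "$verdict")"
done
```

To use it against a live host, feed the function the real transcript, e.g. `classify_verify_error "$(openssl s_client -showcerts -servername get.volta.sh -connect get.volta.sh:443 </dev/null 2>&1)"`, and `openssl_needs_upgrade "$(openssl version)"` for the local library. An `expired_cross_signed_root` verdict on a box whose CA bundle is current usually means the bundle still carries DST Root CA X3 and the client is too old to ignore it, which is exactly the situation the OpenSSL blog post linked above describes.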

@lorsatti

What about the third workaround proposed at https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ ?

Configure the server to use the alternative certificate chain which can be requested from Let’s Encrypt with most up-to-date ACME protocol clients. This chain does not contain the ISRG Root X1 cross-signed by the soon to be expired DST Root CA X3 and thus any OpenSSL 1.0.2 clients will not be misled by this expired path.

It would require no action from client side.

@newtriks

@thoresuenert That's the legacy Let's Encrypt root certificate, which expired on September 30. The link posted above — https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ — has more info on resolving the issue. This is an issue with the Let's Encrypt certificate chain and OpenSSL 1.0.2, not specific to Volta, so it will likely apply to any site you connect to using OpenSSL with those certificates (however, that usually means using cURL or similar, so there probably aren't a ton of those on a regular basis).

Another solution, suggested by Let's Encrypt themselves — https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ — is to upgrade to OpenSSL 1.1.0 or greater.

Hi, I'd like to suggest adopting this to other engineers, but although I understand the issues with installation, I know it's going to be off-putting having this obstacle right at the start on OS X. Are there alternative installations planned which may run more smoothly for OS X users?

chriskrycho (Contributor) commented Jan 12, 2022

@newtriks brew install Volta works well, though I’m not clear on whether it would/could also end up hitting this issue.

dwatow commented Jun 23, 2022

download https://get.volta.sh and save to volta.sh file
replace curl to curl -k in volta.sh file
run volta.sh
success!!

kyuridenamida commented Jan 16, 2023

I encountered this problem in a long-living Amazon Linux instance.
sudo yum update ca-certificates resolved the problem without using the insecure flag for my case.
The root cause is related to the comment in this thread: #1035 (comment)

In my opinion, ignoring SSL certificate verification is simply dangerous. So if this solution works, it should be better.
