CERTIFICATE_VERIFY_FAILED on macOS Sierra Beta #1220

Closed
jonluca opened this issue Feb 22, 2017 · 27 comments

Comments

@jonluca

jonluca commented Feb 22, 2017

Error Log:

Package Control: Fetching list of available packages and dependencies
Platform: osx-x64
Sublime Text Version: 3126
Package Control Version: 3.2.1
Package Control: Download Debug
URL: https://packagecontrol.io/channel_v3.json
Timeout: 30
Resolved IP: 50.116.34.243
Resolved IPv6: 2600:3c02:e000:42::1
Package Control: Urllib Debug Proxy
http_proxy:
https_proxy:
proxy_username:
proxy_password:
Package Control: Found previously exported CA bundle at /Users/jonlucadecaro/Library/Application Support/Sublime Text 3/Packages/User/oscrypto-ca-bundle.crt (268794 bytes)
Package Control: Urllib HTTPS Debug General
Connecting to packagecontrol.io on port 443
Package Control: Urllib HTTPS Debug General
Upgrading connection to SSL using CA certs file at /Users/jonlucadecaro/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle
Package Control: Error downloading channel. HTTP exception InvalidCertificateException (Host packagecontrol.io returned an invalid certificate ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:548))) downloading https://packagecontrol.io/channel_v3.json.

I have tried manually pasting the certificate into both merged-ca-bundle and user-ca-bundle.

There seem to be two other issues open about this issue as well, but they seem to be dead. Package Control is not usable while this happens.

@wbond
Owner

wbond commented Feb 22, 2017

Unfortunately I haven't been able to replicate the issue, so I don't know exactly what needs to be fixed and/or changed.

If you can do some more debugging I would appreciate it!

@jonluca
Author

jonluca commented Feb 25, 2017

I managed to fix this by changing my package settings. I made my osx downloader preference curl, and it works. You might need to set it to wget after the latest update. My preferences are below:

{
	"bootstrapped": true,
	"debug": true,
	"installed_packages":
	[
		"Package Control"
	],
	"downloader_precedence":
	{
		"linux": [ "curl", "urllib",    "wget" ],
		"osx": [ "curl", "urllib" ],
		"windows": [ "wininet" ]
	},
}

Note:

@jonluca Thanks again for your solution.

For anyone else that stumbles here (like myself) I had to use wget as the downloader program in order for it to work on Mac Sierra 10.12.4.

NOTE: An important distinction to highlight here is to make sure you override the downloader precedence setting in the Package Control User settings file.

See attached image for clarity.
screen shot 2017-05-09 at 11 02 21 pm

I'm in the process of debugging the python. It looks like it's an error with the way the new urllib is behaving with regards to SSL/HTTPS.

If I had to guess I'd say that it was a problem with the script not running as root, and perhaps not being able to read from the CA file, or write the new ones to it.

@jonluca
Author

jonluca commented Feb 25, 2017

So I looked into this a bit more.

In validating_https_connection.py, I added some console writes, like so (around line 300):

            console_write(
                u'''
                    Keyfile: %s
                    cert: %s
                    reqs: %s
                    certs: %s
                ''',
                (self.key_file, self.cert_file, self.cert_reqs, self.ca_certs)
            )
            
            
            self.sock = ssl.wrap_socket(
                self.sock,
                keyfile=self.key_file,
                certfile=self.cert_file,
                cert_reqs=self.cert_reqs,
                ca_certs=self.ca_certs,
                ssl_version=ssl.PROTOCOL_TLSv1
            )

And I get this:


Package Control: Keyfile: None 

cert: None 

reqs: 2 

certs: b'/Users/jonlucadecaro/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle' 


Package Control: Error downloading channel. HTTP exception InvalidCertificateException (Host packagecontrol.io returned an invalid certificate ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:548))) downloading https://packagecontrol.io/channel_v3.json.

It looks like the cert and certificates might be incorrectly passed through?

@jonluca
Author

jonluca commented Feb 26, 2017

So I've spent the last day debugging it (and having to constantly reload sublime...) and playing around with SSL and where it fails. It looks like the error is either A) not having the intermediary certificates, or the merged ca bundle not processing correctly. It's an SSL verification error - if you change "cert_reqs" to 0, it doesn't verify them, and urllib completes successfully, and the problem is mitigated.

While that isn't ideal as it opens you up for MitM attacks, it does show that the error is in the certificate file. _ssl.c fails at verification (called from ssl.py). It's able to correctly fetch channels_v3.json. A short term fix is to just change the downloader priority for OS X or to disable SSL verification.

Curl, however, doesn't run into these issues. It means that it is either more robust in its parsing of certificates/verifying intermediaries or that there is a bug in the way we are passing certificates to the ssl socket wrapper for urllib (and that it only fails sometimes, as this bug is uncommon enough to only have a few issues on GH). I tried verifying the permissions of the file, but that seems fine. I'm kind of stuck unless I find a better way of debugging it.

@wbond - how do you debug when developing Package Control? Sorry, I've never made a sublime plugin so I'm not familiar with how you hot reload sublime and how you add breakpoints to the python. I've been using a ton of console_write() but I would really like to be able to step into each function and view the current stack.

@wbond
Owner

wbond commented Feb 27, 2017

I tend to use print() debugging within the Sublime Text python environment. If you save the file 1_reloader.py, it will ensure all of the Package Control submodules are live-reloaded so you don't have to restart ST.

For reference, your oscrypto bundle is about 40KB smaller than mine. I am running El Capitan, but I don't believe I have any custom roots. Based on the filesize difference, it seems you have fewer trust roots.

I've done some work recently to make it possible for oscrypto to allow a callback to be called for each certificate that is being exported from the trust store. This should allow us to identify if the root required for https://packagecontrol.io is being properly exported.

The other possibility I see is that the exported trust information coming from the OS X trust store is confusing OpenSSL. This could also explain why only some OS X users are seeing the issue. My plan is to further augment oscrypto to provide trust and reject info to the callback so a full picture of each certificate can be presented. Once this is in place, hopefully we should be able to identify the root cause.


Considering the small number of users having the issue and the security risk associated with installing software, I definitely would not consider disabling SSL verification on OS X.

I think users that are hitting it certainly can utilize the curl downloader, but I don't want that to be the default. I'd rather get the bug fixed.

My hope is to have a new build out with the trust root debug info in the next week or two, but I can't commit to deadlines with open source projects.

@jonluca
Author

jonluca commented Feb 28, 2017

Thanks for the quick reply!

I agree with all you said. The only thing is that it might be worth including this in the common bugs page on packagecontrol.io, as the current suggestions are just to purge old installations and try reinstalling. Some less motivated users might just abandon package control since the temporary fix takes a while to find.

And I understand. Thanks again for making PC!

@avelis

avelis commented May 10, 2017

@jonluca Thanks again for your solution.

For anyone else that stumbles here (like myself) I had to use wget as the downloader program in order for it to work on Mac Sierra 10.12.4.

NOTE: An important distinction to highlight here is to make sure you override the downloader precedence setting in the Package Control User settings file.

See attached image for clarity.
screen shot 2017-05-09 at 11 02 21 pm

@rrodrigueznt

@jonluca, @wbond, @avelis Thanks for the solution and for trying to fix this issue. The change of downloader preference to curl fixed the issue in my Mac OS X El Capitan 10.11.6 box.

For the record: this issue appeared here after some changes in the communication infrastructure of my organisation triggered by recent cyber attacks. It was working fine until then. As these changes are also affecting other processes (Mac OS X software updates, for instance), I'll try to describe them and keep this thread posted. There must be some relationship between this issue and the new requirements to correctly communicate with the World!

Here are the Sublime Text console contents after setting curl as the downloader and launching Package Control...

startup, version: 3126 osx x64 channel: stable
executable: /Applications/Sublime Text.app/Contents/MacOS/Sublime Text
working dir: /
packages path: /Users/rrodriguez/Library/Application Support/Sublime Text 3/Packages
state path: /Users/rrodriguez/Library/Application Support/Sublime Text 3/Local
zip path: /Applications/Sublime Text.app/Contents/MacOS/Packages
zip path: /Users/rrodriguez/Library/Application Support/Sublime Text 3/Installed Packages
ignored_packages: ["Vintage"]
pre session restore time: 0.718714
first paint time: 0.826022
startup time: 0.827625
reloading plugin Default.auto_indent_tag
reloading plugin Default.block
reloading plugin Default.comment
reloading plugin Default.convert_syntax
reloading plugin Default.copy_path
reloading plugin Default.delete_word
reloading plugin Default.detect_indentation
reloading plugin Default.duplicate_line
reloading plugin Default.echo
reloading plugin Default.exec
reloading plugin Default.fold
reloading plugin Default.font
reloading plugin Default.goto_line
reloading plugin Default.history_list
reloading plugin Default.indentation
reloading plugin Default.install_package_control
reloading plugin Default.kill_ring
reloading plugin Default.mark
reloading plugin Default.new_templates
reloading plugin Default.open_context_url
reloading plugin Default.open_in_browser
reloading plugin Default.pane
reloading plugin Default.paragraph
reloading plugin Default.paste_from_history
reloading plugin Default.profile
reloading plugin Default.quick_panel
reloading plugin Default.run_syntax_tests
reloading plugin Default.save_on_focus_lost
reloading plugin Default.scroll
reloading plugin Default.set_unsaved_view_name
reloading plugin Default.settings
reloading plugin Default.show_scope_name
reloading plugin Default.side_bar
reloading plugin Default.sort
reloading plugin Default.swap_line
reloading plugin Default.switch_file
reloading plugin Default.symbol
reloading plugin Default.transform
reloading plugin Default.transpose
reloading plugin Default.trim_trailing_white_space
reloading plugin CSS.css_completions
reloading plugin Diff.diff
reloading plugin HTML.encode_html_entities
reloading plugin HTML.html_completions
reloading plugin 0_package_control_loader.00-package_control
reloading plugin Package Control.1_reloader
reloading plugin Package Control.2_bootstrap
reloading plugin Package Control.Package Control
plugins loaded
Package Control: Skipping automatic upgrade, last run at 2017-05-24 08:23:26, next run at 2017-05-24 09:23:26 or after
Package Control: Fetching list of available packages and dependencies
  Platform: osx-x64
  Sublime Text Version: 3126
  Package Control Version: 3.2.1
Package Control: Download Debug
  URL: https://packagecontrol.io/channel_v3.json
  Timeout: 30
  Resolved IP: 50.116.34.243
  Resolved IPv6: 2600:3c02:e000:42::1
Package Control: Found previously exported CA bundle at /Users/rrodriguez/Library/Application Support/Sublime Text 3/Packages/User/oscrypto-ca-bundle.crt (305031 bytes)
Package Control: Curl Debug Proxy
  http_proxy: 
  https_proxy: 
  proxy_username: 
  proxy_password: 
Package Control: Trying to execute command /usr/bin/curl --connect-timeout 30 -sSL --tlsv1 --dump-header /var/folders/mq/0gr381xs3sj9p7vry773gtn80000gn/T/tmp0gk51e --user-agent 'Package Control v3.2.1' --header 'If-Modified-Since: Wed, 24 May 2017 06:40:05 GMT' --header 'If-None-Match: "59252ac5-480d5"' --header 'Accept-Encoding: bzip2,gzip,deflate' --cacert '/Users/rrodriguez/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle' -v https://packagecontrol.io/channel_v3.json
Package Control: Curl HTTP Debug Write
    Trying 50.116.34.243...
  Connected to packagecontrol.io (50.116.34.243) port 443 (#0)
  TLS 1.2 connection using TLS_RSA_WITH_AES_256_GCM_SHA384
  Server certificate: packagecontrol.io
  Server certificate: SERGAS-CA-SPR
  Server certificate: SERGAS-CA-EEC
  Server certificate: SERGAS-CA-Root
Package Control: Curl HTTP Debug Read
  GET /channel_v3.json HTTP/1.1
  Host: packagecontrol.io
  User-Agent: Package Control v3.2.1
  Accept: */*
  If-Modified-Since: Wed, 24 May 2017 06:40:05 GMT
  If-None-Match: "59252ac5-480d5"
  Accept-Encoding: bzip2,gzip,deflate
Package Control: Curl HTTP Debug General
  HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 24 May 2017 07:10:05 GMT
  ETag: "59252f77-47a45"
  Content-Encoding: bzip2
  Vary: Accept-Encoding
  Strict-Transport-Security: max-age=15552000
  Accept-Ranges: bytes
  Content-Length: 293445
  Content-Type: application/json
  Last-Modified: Wed, 24 May 2017 07:00:07 GMT
  Connection: keep-alive
Package Control: Curl HTTP Debug General
  Connection #0 to host packagecontrol.io left intact
Package Control: Caching https://packagecontrol.io/channel_v3.json in /Users/rrodriguez/Library/Application Support/Sublime Text 3/Packages/User/Package Control.cache/01524fae79697630d0454ba3fabd9414

Thanks for your time!

@wbond
Owner

wbond commented Sep 12, 2017

Can you try manually upgrading to Package Control 3.3.0? I think this may be resolved now.

@patchsmyle

Hi All, I wanted to comment to add. I have found a fix.
First, I have performed all of the above suggestions and to no avail. I took the above advice about looking (on Mac) at the trusted cert. FYI, OS X CLI curl does NOT use the OS X keychain to validate CA roots.

I then took the CA root which happens to be GeoTrust Global CA, converted it from DER to PEM format. I then appended it to the oscrypto-ca-bundle.crt file.

Everything works as expected again.

@dwasss

dwasss commented Oct 19, 2017

@patchsmyle can you share more details on the steps you took to resolve it? I have the same problem as you and tried removing/purging package control and all those troubleshooting steps like switching the downloader to curl or wget, same problem.

Package Control: Fetching list of available packages and dependencies
  Platform: osx-x64
  Sublime Text Version: 3143
  Package Control Version: 3.3.0
Package Control: Download Debug
  URL: https://packagecontrol.io/channel_v3.json
  Timeout: 30
  Resolved IP: 50.116.34.243
  Resolved IPv6: 2600:3c02:e000:42::1
Package Control: Found previously exported CA bundle at /Users/username/Library/Application Support/Sublime Text 3/Packages/User/oscrypto-ca-bundle.crt (270812 bytes)
Package Control: Curl Debug Proxy
  http_proxy: 
  https_proxy: 
  proxy_username: 
  proxy_password: 
Package Control: Trying to execute command /usr/local/bin/curl --connect-timeout 30 -sSL --tlsv1 --dump-header /var/folders/z4/2fgbggcx6zgc6f01k1bcmd7r0012lj/T/tmpdjwyui --user-agent 'Package Control v3.3.0' --header 'Accept-Encoding: bzip2,gzip,deflate' --cacert '/Users/username/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle' -v https://packagecontrol.io/channel_v3.json
Package Control: Curl HTTP Debug General
  Hostname was NOT found in DNS cache
    Trying 2600:3c02:e000:42::1...
    Trying 50.116.34.243...
  Connected to packagecontrol.io (50.116.34.243) port 443 (#0)
  SSL: certificate verification failed (result: 5)
  Closing connection 0
Package Control: Error downloading channel. curl: (51) SSL: certificate verification failed (result: 5) downloading https://packagecontrol.io/channel_v3.json.

@openfirmware

openfirmware commented Dec 8, 2017

I ran into the Certificate Failure error when trying to install a package, and @patchsmyle's comment led me on the path to find a solution. I seem to run into this problem once a year so I persisted until I found something that worked. First here are my versions:

MacOS High Sierra 10.13.1
Sublime Text 3.0 Build 3143
Package Control v3.3.0
LibreSSL 2.2.7
curl 7.54.0

I tried deleting the oscrypto-ca-bundle.crt, Package Control.merged-ca-bundle, and Package Control.user-ca-bundle files in ~/Library/Application Support/Sublime Text 3/Packages/User, and let Package Control re-generate them by trying to install a package, but that did not solve the issue.

I tried changing the Package Control user preferences so that MacOS used curl instead of urllib, but it also failed with a slightly more verbose error:

Package Control: Error downloading package. } [512 bytes data] } [2 bytes data] curl: (60) SSL certificate problem: certificate not trusted More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle"  of Certificate Authority (CA) public keys (CA certs). If the default  bundle file isn't adequate, you can specify an alternate file  using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in  the bundle, the certificate verification probably failed due to a  problem with the certificate (it might be expired, or the name might  not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use  the -k (or --insecure) option. HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. downloading https://codeload.github.com/wbond/sublime_alignment/zip/2.1.0.
error: Package Control

Unable to download Alignment. Please view the console for more details

I then found a curl command that could trigger the same error. It is using the same Package Control merged CA bundle.

$ curl -s --connect-timeout 5 -L -o /dev/null -vv --cacert "$HOME/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle" https://codeload.github.com/

*   Trying 192.30.253.120...
* TCP_NODELAY set
* Connected to codeload.github.com (192.30.253.120) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/me/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3091 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: certificate not trusted
* stopped the pause stream!
* Closing connection 0
FAIL: 60

I then tried downloading the certificates for codeload.github.com:

$ openssl s_client -connect codeload.github.com:443 -showcerts

This printed two certificates, "DigiCert SHA2 High Assurance Server CA" and "DigiCert High Assurance EV Root CA". I added the PEM output to the end of the Package Control.merged-ca-bundle file but the curl command above still failed.

The openssl command did have a small clue: verify error:num=20:unable to get local issuer certificate. This is probably in reference to "DigiCert High Assurance EV Root CA", which was not downloaded via the openssl command. I downloaded that certificate as a PEM file from DigiCert, and placed it on the desktop. Using the root CA with curl does work properly. (I omitted the long output here, mostly handshake and HTTP responses.)

$ curl -s --connect-timeout 5 -L -o /dev/null -vv --cacert "$HOME/Desktop/DigiCert High Assurance EV Root CA.pem" https://codeload.github.com/

So I figured that appending that root certificate to the Package Control.merged-ca-bundle file would work with the first curl command, but I was wrong, same error as before. HOWEVER, I put that root certificate at the TOP of the bundle file and then the curl command worked! And with that change, Package Control will install a package without any certificate issue. I changed the preference to use urllib instead of curl, and it works with that too.

TL;DR Download the root CA for codeload.github.com and add the PEM output to the top of $HOME/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle
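
A check related to the hand edits of `Package Control.merged-ca-bundle` described in this thread, as an added example that is not part of any comment or of Package Control itself: a stdlib-only linter that reports malformed PEM blocks in a bundle and tells whether a given root certificate was actually parsed from it. The function names and the tiny stand-in "certificates" are constructed for illustration; the thread does not establish that a malformed block was the cause here.

```python
import base64
import binascii
import hashlib
import re

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")


def pem(der, label="CERTIFICATE"):
    """Armor DER bytes as a PEM block (used here to build the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def lint_bundle(text):
    """Parse the text of a PEM bundle.

    Returns (blocks, problems):
      blocks   - [{"line", "label", "sha256"}] for every well-formed block
      problems - [(line, message)] for everything a strict PEM reader may choke on
    """
    blocks, problems, seen = [], [], {}
    label, body, start = None, [], 0          # label is None outside a block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = MARKER.fullmatch(line)
        if m is None and "-----" in line:
            # Typical result of appending to a file that lacks a final newline:
            # "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
            problems.append((lineno, "PEM marker is not alone on its line"))
            label = None
        elif m is None:
            if label is not None:
                body.append(line)             # text outside blocks is legal and skipped
        elif m.group(1) == "BEGIN":
            if label is not None:
                problems.append((start, "BEGIN without END"))
            label, body, start = m.group(2), [], lineno
        else:                                 # an END marker
            if label != m.group(2):
                problems.append((lineno, "END without matching BEGIN"))
                label = None
                continue
            label = None
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                problems.append((start, "body is not valid base64"))
                continue
            if der[:1] != b"\x30":
                problems.append((start, "body is not a DER SEQUENCE"))
                continue
            digest = hashlib.sha256(der).hexdigest()
            if digest in seen:
                problems.append((start, "duplicate of block at line %d" % seen[digest]))
            seen.setdefault(digest, start)
            blocks.append({"line": start, "label": m.group(2), "sha256": digest})
    if label is not None:
        problems.append((start, "BEGIN without END"))
    return blocks, problems


def missing_from(bundle_text, wanted_pem_text):
    """SHA-256 fingerprints present in wanted_pem_text but not parsed from the bundle."""
    have = {b["sha256"] for b in lint_bundle(bundle_text)[0]}
    return [b["sha256"] for b in lint_bundle(wanted_pem_text)[0] if b["sha256"] not in have]


# Constructed sample data: tiny DER SEQUENCEs standing in for real certificates.
FAKE_ROOT_A = pem(b"\x30\x03\x02\x01\x01")
FAKE_ROOT_B = pem(b"\x30\x03\x02\x01\x02")
# A bundle whose last line has no newline, with a second certificate appended to it.
GLUED = FAKE_ROOT_A.rstrip("\n") + FAKE_ROOT_B
CLEAN = FAKE_ROOT_A + FAKE_ROOT_B

if __name__ == "__main__":
    for name, text in (("glued", GLUED), ("clean", CLEAN)):
        blocks, problems = lint_bundle(text)
        print(name, len(blocks), "blocks", problems,
              "missing:", missing_from(text, FAKE_ROOT_B))
```

To use it on a real file, pass the text of `Package Control.merged-ca-bundle` as `bundle_text` and the text of the exported root PEM as `wanted_pem_text`.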

@jonluca
Author

jonluca commented Dec 8, 2017

Great debug! Looks like this'll solve the problem once and for all @wbond.

Thanks

@FichteFoll
Collaborator

FichteFoll commented Dec 9, 2017

To make the CA persist in your settings, you should put it inside Package Control.user-ca-bundle. I don't know whether that is prepended or appended compared to the OS's CA bundle, though.

Also note that this is merely a workaround and not a proper fix.

@joerg24wolf

I am facing the same problem for two certificates.

The root cause is that certificates in Keychain with modified trust settings (even when set to "Always Trust") are not getting exported to the *ca-bundles. System Root Certificates are only exported correctly when they are marked as "This certificate is valid". Still seems to be a sublime bug.

The described solution exporting those certificates as .pem files and adding them manually to Package Control.user-ca-bundle works but is only a workaround.

BR

@rocdeng

rocdeng commented Jan 17, 2018

Thanks @patchsmyle, it did fix my bug! (High Sierra, 10.13.2)

@acheronfail

I believe the latest build 3158 has fixed this issue for me on macOS: 😄

Relevant parts of the changelog:

API: The Python ssl module will now negotiate TLS 1.2, 1.1 or 1.0 with the PROTOCOL_TLSv1 constant
API: Updated Python to 3.3.7, SQLite to 3.22.0, and OpenSSL to 1.0.2n

@michelleowen

michelleowen commented May 21, 2018

@jonluca I tried to set the setting as you suggested. Now I got the following error:

Package Control: Fetching list of available packages and dependencies
Platform: osx-x64
Sublime Text Version: 3126
Package Control Version: 3.3.0
Package Control: Download Debug
URL: https://packagecontrol.io/channel_v3.json
Timeout: 30
Resolved IP: 10.124.7.14
Package Control: Found previously exported CA bundle at /Users/louyang11/Library/Application Support/Sublime Text 3/Packages/User/oscrypto-ca-bundle.crt (326177 bytes)
Package Control: Curl Debug Proxy
http_proxy:
https_proxy:
proxy_username:
proxy_password:
Package Control: Trying to execute command /usr/bin/curl --connect-timeout 30 -sSL --tlsv1 --dump-header /var/folders/87/3f0js3zj5yq37mkm_40gt9mj0wdr27/T/tmp5gmb08 --user-agent 'Package Control v3.3.0' --header 'Accept-Encoding: bzip2,gzip,deflate' --cacert '/Users/louyang11/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle' -v https://packagecontrol.io/channel_v3.json
Package Control: Curl HTTP Debug Write
Trying 69.191.241.9...
Connected to proxy.bloomberg.com (69.191.241.9) port 81 (#0)
Establish HTTP proxy tunnel to packagecontrol.io:443
Package Control: Curl HTTP Debug Read
CONNECT packagecontrol.io:443 HTTP/1.1
Host: packagecontrol.io:443
User-Agent: Package Control v3.3.0
Proxy-Connection: Keep-Alive
Package Control: Curl HTTP Debug General
HTTP/1.1 200 Connection established
Package Control: Curl HTTP Debug General
Proxy replied OK to CONNECT request
SSL: CA certificate set, but certificate verification is disabled
Closing connection 0
Package Control: Error downloading channel. curl: (35) SSL: CA certificate set, but certificate verification is disabled downloading https://packagecontrol.io/channel_v3.json.

@jonluca
Author

jonluca commented May 22, 2018

@michelleowen It looks like you're sitting behind a bloomberg proxy.

The error is that curl is not verifying the cert chain. It looks like curl was not compiled with openssl.

Try this https://stackoverflow.com/questions/41949793/ssl-ca-certificate-set-but-certificate-verification-is-disabled-mac-os-sierr

@michelleowen

@jonluca I tried this already, I still got the same error though.

@peteristik

Hi, I tried changing the osx downloader preference to curl, but I got the following error.

Package Control: Fetching list of available packages and dependencies
Platform: osx-x64
Sublime Text Version: 3176
Package Control Version: 3.3.1-beta4
Package Control: Download Debug
URL: https://packagecontrol.io/channel_v3.json
Timeout: 30
Resolved IP: 50.116.34.243
Resolved IPv6: ::ffff:50.116.34.243
Package Control: Found previously exported CA bundle at /Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/oscrypto-ca-bundle.crt (266054 bytes)
Package Control: Curl Debug Proxy
http_proxy:
https_proxy:
proxy_username:
proxy_password:
Package Control: Trying to execute command /Users/huangshanhongtao/anaconda3/bin/curl --connect-timeout 30 -sSL --tlsv1 --dump-header /var/folders/4p/9ndzlw6j6mv998ph2fpl677w0000gn/T/tmpaskeqv --user-agent 'Package Control v3.3.1-beta4' --header 'If-Modified-Since: Thu, 28 Jun 2018 08:30:07 GMT' --header 'Accept-Encoding: bzip2,gzip,deflate' --header 'If-None-Match: "5b349c8f-52095"' --cacert '/Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle' -v https://packagecontrol.io/channel_v3.json
Package Control: Curl HTTP Debug Write
Trying 50.116.34.243...
TCP_NODELAY set
Connected to packagecontrol.io (50.116.34.243) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
successfully set certificate verify locations:
CAfile: /Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle
CApath: none
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
NPN, negotiated HTTP1.1
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Unknown (67):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS change cipher, Client hello (1):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
ALPN, server did not agree to a protocol
Server certificate:
subject: CN=packagecontrol.io
start date: Nov 27 00:00:00 2016 GMT
expire date: Nov 27 23:59:59 2019 GMT
subjectAltName: host "packagecontrol.io" matched cert's "packagecontrol.io"
issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA
SSL certificate verify ok.
Package Control: Curl HTTP Debug Read
GET /channel_v3.json HTTP/1.1
Host: packagecontrol.io
User-Agent: Package Control v3.3.1-beta4
Accept: */*
If-Modified-Since: Thu, 28 Jun 2018 08:30:07 GMT
Accept-Encoding: bzip2,gzip,deflate
If-None-Match: "5b349c8f-52095"
Package Control: Curl HTTP Debug General
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Jun 2018 08:40:09 GMT
Content-Type: application/json
Content-Length: 333091
Last-Modified: Thu, 28 Jun 2018 08:40:06 GMT
Connection: keep-alive
ETag: "5b349ee6-51523"
Content-Encoding: bzip2
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15552000
Accept-Ranges: bytes
Package Control: Curl HTTP Debug General
Connection #0 to host packagecontrol.io left intact
Package Control: Caching https://packagecontrol.io/channel_v3.json in /Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/Package Control.cache/01524fae79697630d0454ba3fabd9414
ignored packages updated to: ["GoSublime", "Vintage"]
reloading settings Packages/User/Package Control.sublime-settings
Package Control: Fetching list of available packages and dependencies
Platform: osx-x64
Sublime Text Version: 3176
Package Control Version: 3.3.1-beta4
reloading settings Packages/User/Preferences.sublime-settings
Package Control: Download Debug
URL: https://codeload.github.com/DisposaBoy/GoSublime/zip/v18.05.19
Timeout: 30
Resolved IP: 13.250.162.133
Resolved IPv6: ::ffff:13.250.162.133
Package Control: Found previously exported CA bundle at /Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/oscrypto-ca-bundle.crt (266054 bytes)
Package Control: Curl Debug Proxy
http_proxy:
https_proxy:
proxy_username:
proxy_password:
Package Control: Trying to execute command /Users/huangshanhongtao/anaconda3/bin/curl --connect-timeout 30 -sSL --tlsv1 --dump-header /var/folders/4p/9ndzlw6j6mv998ph2fpl677w0000gn/T/tmpvkp6zz --user-agent 'Package Control v3.3.1-beta4' --header 'Accept-Encoding: bzip2,gzip,deflate' --cacert '/Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle' -v https://codeload.github.com/DisposaBoy/GoSublime/zip/v18.05.19
Package Control: Curl HTTP Debug General
Trying 13.250.162.133...
TCP_NODELAY set
Connected to codeload.github.com (13.250.162.133) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
successfully set certificate verify locations:
CAfile: /Users/huangshanhongtao/Library/Application Support/Sublime Text 3/Packages/User/Package Control.merged-ca-bundle
CApath: none
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, Server hello (2):
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
Package Control: Error downloading package. } [5 bytes data] } [512 bytes data] } [2 bytes data] curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. downloading https://codeload.github.com/DisposaBoy/GoSublime/zip/v18.05.19.
error: Package Control

Unable to download GoSublime. Please view the console for more details.
ignored packages updated to: ["Vintage"]
reloading settings Packages/User/Package Control.sublime-settings
reloading settings Packages/User/Preferences.sublime-settings
reloading settings Packages/User/Preferences.sublime-settings

@maxwellcarl

Thanks!!

@qijianpeng

I managed to fix this by changing my package settings. I made my osx downloader preference curl, and it works. My preferences are below:

{
	"bootstrapped": true,
	"debug": true,
	"installed_packages":
	[
		"Package Control"
	],
	"downloader_precedence":
	{
		"linux": [ "curl", "urllib",    "wget" ],
		"osx": [ "curl", "urllib" ],
		"windows": [ "wininet" ]
	},
}

I'm in the process of debugging the python. It looks like it's an error with the way the new urllib is behaving with regards to SSL/HTTPS.

If I had to guess I'd say that it was a problem with the script not running as root, and perhaps not being able to read from the CA file, or write the new ones to it.

THX!!

@danielricecodes

@jonluca Thanks again for your solution.

For anyone else that stumbles here (like myself) I had to use wget as the downloader program in order for it to work on Mac Sierra 10.12.4.

NOTE: An important distinction to highlight here is to make sure you override the downloader precedence setting in the Package Control User settings file.

See attached image for clarity.
screen shot 2017-05-09 at 11 02 21 pm

Brilliant. It would be great if @jonluca could update his reply to clarify this. I edited my personal settings to no effect - but once I changed the Package Control settings and saved the issue resolved itself immediately.

@jonluca jonluca closed this as completed Dec 15, 2018
@hieonn

hieonn commented Dec 18, 2018

I managed to fix this by changing my package settings. I made my osx downloader preference curl, and it works. My preferences are below:

{
	"bootstrapped": true,
	"debug": true,
	"installed_packages":
	[
		"Package Control"
	],
	"downloader_precedence":
	{
		"linux": [ "curl", "urllib",    "wget" ],
		"osx": [ "curl", "urllib" ],
		"windows": [ "wininet" ]
	},
}

Note:

@jonluca Thanks again for your solution.
For anyone else that stumbles here (like myself) I had to use wget as the downloader program in order for it to work on Mac Sierra 10.12.4.
NOTE: An important distinction to highlight here is to make sure you override the downloader precedence setting in the Package Control User settings file.
See attached image for clarity.
screen shot 2017-05-09 at 11 02 21 pm

I'm in the process of debugging the python. It looks like it's an error with the way the new urllib is behaving with regards to SSL/HTTPS.

If I had to guess I'd say that it was a problem with the script not running as root, and perhaps not being able to read from the CA file, or write the new ones to it.

You saved my day! thanks!

@LandisTwo

fyi,
fixed with curl. see: similar issue

xicesky added a commit to xicesky/dotfiles that referenced this issue May 3, 2019
@MingfeiPan

awesome, fixed with curl setting
