SSL_CERT_FILE causes SSL certificate errors with other tools

[lilyball]

I tried to install something with Homebrew today (a package that is out of date on Nix) and it failed with the following error:

curl: (51) SSL: certificate verification failed (result: 5)

Digging into this, it's trying to download a file using curl that, after redirects, ends up fetching a URL like

https://akamai.bintray.com/5c/5ce4e36ed803d7ee2863b8a84b2123fb29f34e02e7c2f908284bb24408f94a65?__gda__=exp=1464730847~hmac=bfe122e8b6bcbf8d01952ab997861ac1fed2434aceccc74cf5c356ad107a1481&response-content-disposition=attachment%3Bfilename%3D%22git-lfs-1.2.0.el_capitan.bottle.tar.gz%22&response-content-type=application%2Fgzip

(I assume this URL is not permanent)

The fetch for this resource is what triggers the certificate verification failure. Unsetting $SSL_CERT_FILE fixes the issue. My assumption here is that the root certificate for that server isn't included in Nix's ca-bundle.crt, though I don't know why that would be.

This is with Nix 1.11.2 on OS X 10.11.5.

[domenkozar]

Can you print the value of SSL_CERT_FILE?

[lilyball]

> echo $SSL_CERT_FILE
/Users/kevinballard/.nix-profile/etc/ssl/certs/ca-bundle.crt

[lilyball]

I just hit this again with the trivial case curl https://google.com.

[mkhl]

The cause seems to be that the nix CA bundle requires a curl with OpenSSL support, which (current) builtin versions don’t have.

> /usr/bin/curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5 

I worked around this using more Homebrew:

> brew install curl --with-openssl
> brew link --force curl
> /usr/local/bin/curl --version
curl 7.49.1 (x86_64-apple-darwin15.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5

That version works, but Homebrew won’t use it unless I also patch /usr/local/Library/brew.sh to set HOMEBREW_CURL to it (or to comment it out and set it in my shell config).

I assume a similar workaround can work by installing curl from nix, but I haven’t checked yet.

[copumpkin]

This seems kind of bad and off-putting for new OSX users. Is anyone looking into it?

[copumpkin]

Might be good to start using tags in this repo and let more of us tag issues. Would be good for those of us wanting to improve the darwin experience to track down darwin-specific pain.

[bhmiller]

I just wasted ~30 min on this bug; please fix!

[petemoore]

I also hit this today. 😭

Any brew install command on my host would fail with:

curl: (51) SSL: certificate verification failed (result: 5)

I finally tracked it down to the SSL_CERT_FILE environment variable setting, which was being set indirectly by the following line in my .profile which had been added by the Nix installer:

if [ -e /Users/pmoore/.nix-profile/etc/profile.d/nix.sh ]; then . /Users/pmoore/.nix-profile/etc/profile.d/nix.sh; fi # added by Nix installer

Here are some other issues which appear to be related to (or a duplicate of) this:

• nix-shell should preserve SSL_CERT_FILE #853
• SSL certificates: figure out how libs/apps find them by default nixpkgs#8247
• SSL_CERT_FILE should be in systemd.globalEnvironment (See #8247 instead) nixpkgs#8486
• curl doesn't work in nix-shell because of $SSL_CERT_FILE=/no-cert-file.crt default nixpkgs#13744

Unsetting SSL_CERT_FILE resolved the issue for me.

[petemoore]

@layus FYI - thanks! 😄

[domenkozar]

So if I understand correctly, Nix CA requires curl with OpenSSL built, but the default curl on OSX doesn't have that.

What are the options here? I don't have a darwin platform, but would love to help this getting fixed.

[petemoore]

Thanks @domenkozar for helping out. 👍

I suspect now the problem might be that the cacerts file I had on my machine at the time I installed nix was invalid...

I installed curl via homebrew and get the same problem when using the cacerts file that nix was pointing to, and I suspect the brew version of curl should work with OpenSSL as it has it as a dependency.

Here is a demo of the problem I have when using the a cacerts file:

First I download the latest version of the file in pem format:

pmoore@Petes-iMac:~ $ curl -L https://curl.haxx.se/ca/cacert.pem > ~/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  244k  100  244k    0     0   252k      0 --:--:-- --:--:-- --:--:--  252k

Next I try to use it with a curl command:

pmoore@Petes-iMac:~ $ /usr/local/Cellar/curl/7.50.1/bin/curl --cacert ~/cacert.pem -I https://storage.googleapis.com/golang/go1.7.src.tar.gz
curl: (51) SSL: certificate verification failed (result: 5)

Now I use curl without specifying a cacert file, and problem goes away:

pmoore@Petes-iMac:~ $ /usr/local/Cellar/curl/7.50.1/bin/curl -I https://storage.googleapis.com/golang/go1.7.src.tar.gz
HTTP/1.1 200 OK
X-GUploader-UploadID: AEnB2Up4se5f2ui1T_LnBvu_vQfEMh6RtBVrT2mPuVpnC6STOQHN1nOsRdSsvs3aJo9TDrL5M2McVm29XvXGoKCWW2U4fw2g3A
Expires: Mon, 22 Aug 2016 20:59:49 GMT
Date: Mon, 22 Aug 2016 19:59:49 GMT
Cache-Control: public, max-age=3600
Last-Modified: Mon, 15 Aug 2016 23:20:30 GMT
ETag: "a30c3bd1a7fcc6a48acfb74936a19b4c"
x-goog-generation: 1471303230615000
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 14091954
Content-Type: application/x-gzip
x-goog-hash: crc32c=B1onUw==
x-goog-hash: md5=oww70af8xqSKz7dJNqGbTA==
x-goog-storage-class: STANDARD
Accept-Ranges: bytes
Content-Length: 14091954
Server: UploadServer
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="35,34,33,32,31,30"

And now, to show the format of the cacert file:

pmoore@Petes-iMac:~ $ head -30 ~/cacert.pem 
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Wed Apr 20 03:12:05 2016
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.25.
## SHA1: 5df367cda83086392e1acdf22bfef00c48d5eba6
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
pmoore@Petes-iMac:~ $ 

The curl version I am using above is /usr/local/Cellar/curl/7.50.1/bin/curl which is the version installed by homebrew, rather than the native apple version.

I'm wondering now if the problem is that I shouldn't use this file, but some adapted version of it, and maybe when I installed nix I referred to (an older version of) this file, and the mistake was made then (I don't remember where that file came from, if it was shipped with nix, or if I had my own version etc).

Thanks @domenkozar for any ideas you might have!

[petemoore]

Note, the version that my nix installation was pointing to was a bit older (see below - from Nov 9 last year). In my demonstration above, I was just trying with the latest version of the file, in case that might have fixed things (which it didn't).

Also when I was using brew to install things originally, or using curl directly, I was not explicitly specifying --cacert. Above I used this command line option to demonstrate that the problem occurs also when using --cacert, like it does when having environment variable SSL_CERT_FILE pointing to the file.

pmoore@Petes-iMac:~ $ head -30 /Users/pmoore/.nix-profile/etc/ssl/certs/ca-bundle.crt
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Mon Nov  9 05:12:59 2015
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## file:///private/var/tmp/nix-build-nss-cacert-3.21.drv-0/nss-3.21/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.25.
## SHA1: 0ab47e2f41518f8d223eab517cb799e5b071231e
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx
GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds
b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV
BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD
VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa
DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc
THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb
pmoore@Petes-iMac:~ $ 

[mkhl]

I suspect the brew version of curl should work with OpenSSL as it has it as a dependency.

It has OpenSSL as an optional dependency, which is used if you install it with --with-openssl.

You can check whether your version uses OpenSSL by checking the output of curl --version | head -n1. On my system:

> /usr/bin/curl --version | head -n1
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
> /usr/local/opt/curl/bin/curl --version | head -n1
curl 7.50.1 (x86_64-apple-darwin15.6.0) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.5