test_byterange.sh fails with BADCERT_NOT_TRUSTED #2407

Open
Alexander-Barth opened this issue Jun 17, 2022 · 4 comments

Comments

@Alexander-Barth (Contributor)

  • the version of the software with which you are encountering an issue

NetCDF 4.9.0

  • environmental information (i.e. Operating System, compiler info, java version, python version, etc.)

Linux, x86_64-linux-gnu-gcc (GCC) 4.8.5 (no cross-compilation this time)

  • a description of the issue with the steps needed to reproduce it

Build steps:

./configure --prefix=/workspace/destdir --build=x86_64-linux-musl --host=x86_64-linux-gnu \
   --enable-shared --disable-static --disable-dap-remote-tests --enable-byterange

When activating byte range support, the ./test_byterange.sh tests fail with

curlcode: (60)SSL peer certificate or SSH remote key was not OK : Cert verify failed: BADCERT_NOT_TRUSTED
/workspace/srcdir/netcdf-c-4.9.0/ncdump/.libs/lt-ncdump: https://thredds-test.unidata.ucar.edu/thredds/fileServer/pointData/cf_dsg/example/point.nc#mode=bytes&aws.profile=none: NetCDF: libcurl failure
test_http: -k flag mismatch: expected=classic have=

This is related to issue #2337 but not necessarily a duplicate since I have defined a .ncrc file with a HTTP.SSL.CAINFO in /workspace/srcdir/netcdf-c-4.9.0/nc_test/.ncrc and /root/.ncrc:

# cat /root/.ncrc
HTTP.SSL.CAINFO=/etc/ssl/certs/ca-certificates.crt

# ls -lh /etc/ssl/certs/ca-certificates.crt
-r--r--r--    1 root     root      198.5K May  3 11:15 /etc/ssl/certs/ca-certificates.crt

# echo $HOME
/root

But if I hard-code CURLOPT_CAINFO in dhttp.c, the first test with the url (https://thredds-test.unidata.ucar.edu/thredds/fileServer/pointData/cf_dsg/example/point.nc#mode=bytes&aws.profile=none) passes.

--- /home/abarth/src/netcdf-c/libdispatch/dhttp.c	2022-06-14 10:20:57.826005241 +0200
+++ dhttp.c	2022-06-17 12:17:05.236041079 +0200
@@ -509,6 +509,8 @@
         (void)CURLERR(curl_easy_setopt(state->curl, CURLOPT_READDATA, NULL));
     }
 
+    (void)CURLERR(curl_easy_setopt(state->curl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt"));
+    
     /* Do method specific actions */
     switch(state->request.method) {
     case HTTPPUT:
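Review bot: the added `curl_easy_setopt(state->curl, CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt")` hard-codes a distribution-specific bundle path, which is useful as a diagnostic (it shows the BADCERT_NOT_TRUSTED failure is a missing trust-anchor path) but not as a fix: the value should come from the .rc table entry the report already configures (HTTP.SSL.CAINFO in /root/.ncrc), and on a system without that file peer verification would fail in exactly the same way. Like the surrounding `(void)CURLERR(...)` lines, the setopt result is discarded, so a rejected option would go unnoticed; checking it here would make a broken CA configuration visible before the request is issued.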

Could it be that the byte range support of NetCDF does not use HTTP.SSL.CAINFO ?

Unfortunately, even with this change there are other failures later on in ./test_byterange.sh:

/workspace/srcdir/netcdf-c-4.9.0/ncdump/.libs/lt-ncdump: https://thredds-test.unidata.ucar.edu/thredds/fileServer/irma/metar/files/METAR_20170910_0000.nc#bytes&aws.profile=none: NetCDF: HDF error

I am wondering if the HDF5 layer needs to be made aware of HTTP.SSL.CAINFO too.

@DennisHeimbigner (Collaborator)

The byterange driver I use is home-made because HDF5 does not
directly support it (AFAIK, I should recheck). So I will modify
our local code to explicitly set CAINFO from .rc tables.
I will post the modified code here for you to test.

DennisHeimbigner added a commit to DennisHeimbigner/netcdf-c that referenced this issue Jun 17, 2022
re: Unidata#2337
re: Unidata#2407

Add two functions to netcdf.h to allow programs to get/set
selected entries into the internal .rc tables. This should fix
the above issues by allowing HTTP.CAINFO to be set to the
certificates directory.  Note that the changes should be
performed as early as possible in the program because some of
the .rc table entries may get cached internally and changing the
entry after that caching occurs may have no effect.

The new signatures are as follows:

1. Get the value of a simple .rc entry of the form "key=value".
Note that the caller must free the returned value, which might be NULL.
````
char* nc_rc_get(const char* key);

@param key table entry key
@return value if .rc table has entry of the form key=value
@return NULL if no such entry is found.
````

2. Insert/Overwrite the specified key=value pair in the .rc table.
````
int nc_rc_set(const char* key, const char* value);

@param key table entry key -- may not be NULL
@param value table entry value -- may not be NULL
@return NC_NOERR if no error
@return NC_EINVAL if error
````

Addendum:

re: Unidata#2407

Modify dhttp.c to use the .rc entry HTTP.CAINFO if defined.
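The following is an added example, not netcdf-c code, that puts together the two pieces discussed in this thread: the `key=value` .ncrc format from the report (`HTTP.SSL.CAINFO=/etc/ssl/certs/ca-certificates.crt`) and the get/set semantics of the `nc_rc_get` / `nc_rc_set` functions described in the commit message above (caller frees the returned copy, NULL when absent, error on NULL arguments). It keeps a small in-memory table, parses a constructed .ncrc text, resolves the CA bundle path that would be handed to `CURLOPT_CAINFO`, and checks that the file is actually readable before relying on it, which is the check a BADCERT_NOT_TRUSTED report should start with. The table type, the function names (`rc_parse`, `rc_get`, `rc_set`, `rc_cainfo`, `rc_file_readable`, `rc_free`), the error values, and the decision to consult both key spellings seen in the thread (`HTTP.CAINFO`, then `HTTP.SSL.CAINFO`) are this example's own assumptions; the real .ncrc parser also supports per-host scoping, which is left out here.

```c
/* Added example (not netcdf-c code): a minimal ".rc table" with the get/set
 * semantics described in the commit message, plus a parser for the key=value
 * .ncrc format shown in the report. All names and error values are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_NOERR   0   /* stands in for NC_NOERR  */
#define RC_EINVAL (-1) /* stands in for NC_EINVAL (value is this example's own) */
#define RC_MAX    64

typedef struct { char *key; char *value; } rc_entry;
typedef struct { rc_entry e[RC_MAX]; int n; } rc_table;

static char *dupstr(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Strip trailing CR/LF and surrounding blanks in place. */
static void trim(char *s) {
    size_t n = strlen(s);
    while (n && (s[n-1] == '\n' || s[n-1] == '\r' || s[n-1] == ' ' || s[n-1] == '\t'))
        s[--n] = '\0';
    size_t i = 0;
    while (s[i] == ' ' || s[i] == '\t') i++;
    if (i) memmove(s, s + i, n - i + 1);
}

/* Insert or overwrite key=value; key and value may not be NULL (as for nc_rc_set). */
int rc_set(rc_table *t, const char *key, const char *value) {
    if (!t || !key || !value || !*key) return RC_EINVAL;
    for (int i = 0; i < t->n; i++) {
        if (strcmp(t->e[i].key, key) == 0) {
            char *v = dupstr(value);
            if (!v) return RC_EINVAL;
            free(t->e[i].value);
            t->e[i].value = v;
            return RC_NOERR;
        }
    }
    if (t->n >= RC_MAX) return RC_EINVAL;
    char *k = dupstr(key), *v = dupstr(value);
    if (!k || !v) { free(k); free(v); return RC_EINVAL; }
    t->e[t->n].key = k;
    t->e[t->n].value = v;
    t->n++;
    return RC_NOERR;
}

/* Return a malloc'ed copy of the value, which the caller frees, or NULL (as for nc_rc_get). */
char *rc_get(const rc_table *t, const char *key) {
    if (!t || !key) return NULL;
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].key, key) == 0) return dupstr(t->e[i].value);
    return NULL;
}

/* Parse .ncrc text: one key=value per line; blank lines and '#' lines are skipped.
 * Returns the number of entries loaded. (Per-host "[host]key=value" scoping omitted.) */
int rc_parse(rc_table *t, const char *text) {
    int loaded = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        trim(line);
        if (line[0] && line[0] != '#') {
            char *eq = strchr(line, '=');
            if (eq) {
                *eq = '\0';
                trim(line);
                trim(eq + 1);
                if (rc_set(t, line, eq + 1) == RC_NOERR) loaded++;
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return loaded;
}

/* Resolve the CA bundle path for CURLOPT_CAINFO. Both spellings seen in the
 * thread are consulted, PR spelling first; that order is an assumption. */
char *rc_cainfo(const rc_table *t) {
    static const char *keys[] = { "HTTP.CAINFO", "HTTP.SSL.CAINFO" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        char *v = rc_get(t, keys[i]);
        if (v) return v;
    }
    return NULL;
}

/* A configured bundle that cannot be opened yields the same verify failure, so check it. */
int rc_file_readable(const char *path) {
    FILE *f = path ? fopen(path, "rb") : NULL;
    if (!f) return 0;
    fclose(f);
    return 1;
}

void rc_free(rc_table *t) {
    for (int i = 0; i < t->n; i++) { free(t->e[i].key); free(t->e[i].value); }
    t->n = 0;
}

/* Constructed sample mirroring the /root/.ncrc shown in the report. */
const char *SAMPLE_NCRC =
    "# constructed .ncrc sample\n"
    "HTTP.SSL.CAINFO=/etc/ssl/certs/ca-certificates.crt\n";

int main(void) {
    rc_table t = {0};
    rc_parse(&t, SAMPLE_NCRC);
    char *ca = rc_cainfo(&t);
    printf("CAINFO -> %s (%s)\n", ca ? ca : "(unset)",
           rc_file_readable(ca) ? "readable" : "NOT readable");
    /* In dhttp.c this value is what curl_easy_setopt(curl, CURLOPT_CAINFO, ca) would receive. */
    free(ca);
    rc_free(&t);
    return 0;
}
```

Running it on a host whose bundle lives elsewhere prints "NOT readable", which is the condition to rule out before suspecting the byterange driver or the HDF5 layer.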
@DennisHeimbigner (Collaborator)

PR #2408 should fix this,
assuming you set HTTP.CAINFO

@DennisHeimbigner (Collaborator)

This PR may fix this problem: #2408

@WardF (Member) commented Jun 21, 2022

#2408 is merged, now.
