
Error: Peer certificate cannot be authenticated with given CA certificates #9

Closed
mmistakes opened this issue Nov 9, 2017 · 14 comments


@mmistakes

mmistakes commented Nov 9, 2017

I'm going to go ahead and assume this is an upstream issue with cURL or libcurl on Windows, but figured I'd flag this here in case it's not.

I ran into this doing a test build on a Windows 7 64bit box.

Steps to reproduce on Windows.

  1. Clone this repo
  2. bundle install
  3. bundle exec jekyll build

Here's the verbose output:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

E:\Users\Michael.Rose\Documents\Repositories\mm-remote-theme-test>bundle exec jekyll build --verbose
  Logging at level: debug
Configuration file: E:/Users/Michael.Rose/Documents/Repositories/mm-remote-theme-test/_config.yml
      GitHub Pages: github-pages v168
      GitHub Pages: jekyll v3.6.2
         Requiring: jekyll-seo-tag
         Requiring: jekyll-github-metadata
Dotenv not found. Skipping
         Requiring: jekyll-paginate
         Requiring: jekyll-sitemap
         Requiring: jekyll-gist
         Requiring: jekyll-feed
         Requiring: jemoji
         Requiring: jekyll-remote-theme
         Requiring: jekyll-coffeescript
         Requiring: jekyll-github-metadata
         Requiring: jekyll-relative-links
         Requiring: jekyll-optional-front-matter
         Requiring: jekyll-readme-index
         Requiring: jekyll-default-layout
         Requiring: jekyll-titles-from-headings
         Requiring: kramdown
   GitHub Metadata: Initializing...
            Source: E:/Users/Michael.Rose/Documents/Repositories/mm-remote-theme-test
       Destination: E:/Users/Michael.Rose/Documents/Repositories/mm-remote-theme-test/_site
 Incremental build: disabled. Enable with --incremental
      Generating...
      Remote Theme: Using theme mmistakes/minimal-mistakes
      Remote Theme: Downloading https://codeload.github.com/mmistakes/minimal-mistakes/zip/master to E:/Users/MICHAE~1.ROS/AppData/Local/Temp/jekyll-remote-theme-20171109-11884-1vg93xx.zip
ETHON: Libcurl initialized
Hostname was NOT found in DNS cache
Adding handle: conn: 0x3bfa2a0
Adding handle: send: 0
Adding handle: recv: 0
Curl_addHandleToPipeline: length: 1
- Conn 0 (0x3bfa2a0) send_pipe: 1, recv_pipe: 0
  Trying 192.30.253.120...
Connected to codeload.github.com (192.30.253.120) port 443 (#0)
SSLv3, TLS Unknown, Unknown (22):
SSLv3, TLS handshake, Client hello (1):
[raw TLS record bytes omitted]
SSLv2, Unknown (22):
SSLv3, TLS handshake, Server hello (2):
[raw TLS record bytes omitted]
SSLv2, Unknown (22):
SSLv3, TLS handshake, CERT (11):
[raw certificate bytes omitted]
SSLv2, Unknown (21):
SSLv3, TLS alert, Server hello (2):
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
SSLv2, Unknown (21):
SSLv3, TLS alert, Client hello (1):
☺ ETHON: performed EASY effective_url=https://codeload.github.com/mmistakes/minimal-mistakes/zip/master response_code=0 return_code=ssl_cacert total_time=2.589
jekyll 3.6.2 | Error:  Peer certificate cannot be authenticated with given CA certificates

From the looks of it it's a CA certificate issue. I've tried everything I could find related to libcurl and SSL certs and none of them seemed to work.

Refs: http://blog.cloud-mes.com/2014/08/19/how-to-install-gem-curb-in-windows/, taf2/curb#37, taf2/curb#183

I've noticed similar issues with Typhoeus/libcurl when trying to get html-proofer up and running. That gem seems to be unaffected by this, so I'm not entirely sure what the issue is, other than Windows being notoriously hard to get libcurl installed properly on.

@benbalter
Owner

@mmistakes Thanks for the detailed bug report. I believe SSL certificate problem: unable to get local issuer certificate is likely the relevant error in that cURL can't find the local cert.

We could provide an option to disable SSL verification, but ideally we'd get cURL to authenticate.

Have you tried setting CURL_CA_BUNDLE and SSL_CERT_FILE file environmental variables prior to building?
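To show why this error depends on the client's trust store rather than on the server, here is an added Ruby example (not code from jekyll-remote-theme or from anyone in this thread). It builds a constructed, throwaway CA and a leaf certificate it issues, then verifies the leaf with OpenSSL twice: against an empty store, which yields exactly "unable to get local issuer certificate", and against a store holding the CA, which is what pointing CURL_CA_BUNDLE / SSL_CERT_FILE at a cacert.pem does for libcurl. The names in the certificates are placeholders.

```ruby
require "openssl"

# Build an X.509v3 certificate. issuer_cert/issuer_key are nil for a self-signed root.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                          # v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed test PKI (placeholder names, not GitHub's or DigiCert's real chain).
CA_KEY    = OpenSSL::PKey::RSA.generate(2048)
CA_CERT   = make_cert("/CN=Example Test Root CA", nil, nil, CA_KEY, 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.generate(2048)
LEAF_CERT = make_cert("/CN=codeload.example.test", CA_CERT, CA_KEY, LEAF_KEY, 2, ca: false)

# Verify a leaf against a trust store built only from ca_certs (no OS defaults).
# Returns [verified?, error_string, error_code], i.e. what libcurl/OpenSSL report.
def verify_leaf(leaf, ca_certs)
  store = OpenSSL::X509::Store.new       # starts empty, like libcurl with no usable CA bundle
  ca_certs.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ok ? "ok" : ctx.error_string, ctx.error]
end

if __FILE__ == $PROGRAM_NAME
  puts "empty store:   #{verify_leaf(LEAF_CERT, []).inspect}"
  puts "store with CA: #{verify_leaf(LEAF_CERT, [CA_CERT]).inspect}"
end
```

The fix is always to give the client the right CA bundle (or, on Windows, a libcurl build that reads the OS store); disabling verification would make the same handshake succeed against any certificate at all.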

@mmistakes
Author

mmistakes commented Nov 9, 2017

@benbalter Thanks for the quick reply.

I've tried setting both of those environment variables but still get similar results. I can't tell if the certificates are the problem or if it's something else. Using the instructions on cURL's site I downloaded cacert.pem and set that location in my variables.

About the only difference it makes is spitting out errors like this a ton:

↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):
↨♥♥♣rSSLv2, Unknown (23):

Feels like the certificate might be the problem but to my eye it seems valid.

@mmistakes
Author

Digging deeper I tried using just cURL and it pulled down the .zip no problem.

> curl -I --verbose https://codeload.github.com/mmistakes/minimal-mistakes/zip/master

*   Trying 192.30.253.121...
* Connected to codeload.github.com (192.30.253.121) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\Program Files\cURL\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*        subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*        start date: Jan 18 00:00:00 2017 GMT
*        expire date: Apr 17 12:00:00 2020 GMT
*        subjectAltName: codeload.github.com matched
*        issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*        SSL certificate verify ok.
> HEAD /mmistakes/minimal-mistakes/zip/master HTTP/1.1
> Host: codeload.github.com
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 23555179
< Access-Control-Allow-Origin: https://render.githubusercontent.com
< Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< Strict-Transport-Security: max-age=31536000
< Vary: Authorization,Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< ETag: "6ca184b4539d299d2ee9df0b88aac1a24eca38d5"
< Content-Type: application/zip
< Content-Disposition: attachment; filename=minimal-mistakes-master.zip
< X-Geo-Block-List:
< Date: Fri, 10 Nov 2017 20:10:47 GMT
< X-GitHub-Request-Id: EF94:0A07:163D29:2077FF:5A0607C7

Seems like libcurl in my Ruby environment might be the issue. So going to investigate further there.

@stale

stale bot commented Jan 9, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@caityp

caityp commented Feb 8, 2018

@mmistakes were you able to resolve this issue? I am running into the same error

jekyll 3.6.2 | Error: Peer certificate cannot be authenticated with given CA certificates

trying to run bundle exec jekyll serve on my Windows 10 os.

@mmistakes
Author

@caityp Nope, never solved it. At one point when the remote theme gem was first released it worked for me on Windows. Then I made the mistake of updating my Ruby environment to 2.4 and never got it to work again.

RubyInstaller changed the development kit to MSYS2 so I have no idea if that's to blame or what. I even tried reinstalling older 2.3 versions to no avail.

I eventually gave up as Windows isn't my primary device... I only use it for testing some themes I develop, so it's more of a nuisance than a deal breaker.

@jengalas

jengalas commented Feb 8, 2018

@caityp I had the same problem with remote-theme and never solved it. I ended up switching to the gem version of the minimal mistakes theme (if that's what you're using you might be able to do the same) and now I host on Netlify.

@caityp

caityp commented Feb 9, 2018

@mmistakes and @jengalas, good to know! I am using the GitHub Pages version of the So Simple theme in Ruby 2.4, so maybe I'll try switching to the gem and check out Netlify. Thanks for the ideas.

@wilsoncg

@mmistakes @benbalter @jengalas @caityp
It looks like the windows build of libcurl.dll is built with OpenSSL, which doesn't play nicely with windows and can't find the ca-cert-bundle.crt file. http://www.rubydoc.info/gems/ethon/0.5.0/Ethon/Easy

I found a build of libcurl for windows which is built with WinSSL. This uses the windows CA certificate store, so all one has to do is install the bundle into the windows cert store and libcurl/jekyll-remote-theme will happily connect to github over https.

Hope that helps.

@swcurran

Looks like I'm going down the same path and have the same issue on Windows 10. I originally had the "couldn't find libcurl.dll" (#18) error and found a libcurl.dll from another solution/site (which I'm super uncomfortable with). But I'm now hitting this certificate issue and not getting anywhere. I tried the same curl download from above and it also worked for me.

@benbalter
Owner

Version 0.3.0 uses Ruby's native Net::HTTP instead of Typhoeus (libcurl), which may alleviate this issue.

@swcurran

I switched to using Windows Subsystem for Linux (WSL) for my Jekyll work and all good. Using just git bash and the Ruby environment seems to be the challenge, and adding lots to it - msys2, curl, and so on - did not seem to solve the entire set of challenges. Moving on... :-)

@caityp

caityp commented May 16, 2018

@benbalter using version 0.3.0 of jekyll-remote-theme did resolve the issue for me!

@swcurran

Working for me as well now. Thanks for the note @caityp.

Wish that had been released a few days ago - cost me some time :-), but all good now. Good to have the Windows Subsystem for Linux fallback. Thinking of redoing my machine to have all code related things based on WSL instead of the combination I have now. Would probably be more consistent.
