SSL peer cerficate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate) in Rust - Cargo.

[rodrgz]

I was trying to install some packages with cargo and I found this error:
SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)
when cargo was trying to download from crates.io, so then the build failed.

I also tried installing some rust packages from community repo and I found the same error. I ran /etc/ssl/update-certdata.sh and the issue continued.

[dylanaraps]

I cannot reproduce this issue.

• Do other websites work on your machine?
• When did this start happening? Did it work before?
• Is there any other information that may help?

[rodrgz]

I cannot reproduce this issue.

* Do other websites work on your machine?

* When did this start happening? Did it work before?

* Is there any other information that may help?

Yes, other websites works normally.
I've been trying kiss linux in the last 5 days, I installed it on a virtual machine and on my laptop, so I have not tried other versions of the repo that is not the current.
Yes, today I chrooted a new vm, update kiss and reproduce the same issue with rust and openssl... Then I downgraded openssl to 1.1.1l 2 (commit a2e2958) and recompile rust, then the issue disappeared.

ps. Fedora 35 and Arch are using 1.1.1.l

[dylanaraps]

Please send exact error output from cargo/rust (whatever is spitting it out).

[git-bruh]

'export CARGO_HTTP_CAINFO=/etc/ssl/cert.pem' should fix it, not sure why it's having trouble locating the certs. https://doc.rust-lang.org/cargo/reference/config.html#httpcainfo. Error: https://termbin.com/fa9g, strace: https://termbin.com/qg5t

[rodrgz]

export CARGO_HTTP_CAINFO=/etc/ssl/cert.pem

It's works.

[git-bruh]

I think the issue should be left open since what I posted was just a workaround

[dylanaraps]

'export CARGO_HTTP_CAINFO=/etc/ssl/cert.pem' should fix it, not sure why it's having trouble locating the certs. https://doc.rust-lang.org/cargo/reference/config.html#httpcainfo. Error: https://termbin.com/fa9g, strace: https://termbin.com/qg5t

In your strace is seems to find the files in /etc/ but then fails anyway?

[dylanaraps]

This error seems to be coming indirectly from libcurl also(?).

[dylanaraps]

The first 2000 lines of strace output (both with CARGO_HTTP_CAINFO and without) seem to correctly find, open, read and close the /etc/ssl/cert.pem file. Interestingly in the working case the cert.pem file is opened and read from many more times. This does not occur in the broken case. Makes me think it correctly finds the certificates the first time but fails every subsequent time for some reason.

For the record, debug output from Cargo is not very helpful here.

[dylanaraps]

More oddities:

->  ltrace -e getenv cargo build
libcrypto.so.3->getenv("OPENSSL_ia32cap")                                           = nil
libcrypto.so.3->getenv("OPENSSL_CONF")                                              = nil
libcrypto.so.3->getenv("SSL_CERT_FILE")                                             = "/etc/ssl/cert.pem"
libcrypto.so.3->getenv("SSL_CERT_DIR")                                              = "/etc/ssl/certs"
libcrypto.so.3->getenv("SSL_CERT_DIR")                                              = "/etc/ssl/certs"
--- SIGCHLD (Child process status) ---
--- SIGCHLD (Child process status) ---
--- SIGCHLD (Child process status) ---
 Downloading crates ...
error: failed to download from `https://crates.io/api/v1/crates/ansi_term/0.11.0/download`

Caused by:
  [60] SSL peer certificate or SSH remote key was not OK (SSL certificate problem: unable to get local issuer certificate)```

[dylanaraps]

I have manually updated the openssl and curl crates and rebuilt rust but the issue persists. Another thing I have noticed is that cargo can correctly download the registry but not crates.

[dylanaraps]

Working on another potential fix. Will have results to share in some hours.

[echawk]

I don't know if it's related, but I get a similar issue with nim's nimble package manager. After a fresh build of nim, and attempting to run nimble, I get the following:

[ethan nim] (master)% nimble 
could not import: SSL_get_peer_certificate 

I'm using the nim package from my personal repo.

This also affects nim programs that use ssl.

Ex: (ex.nim)

import httpclient
var client = newHttpClient()
echo client.getContent("https://github.com")

And compiling with: nim -d:ssl c ex.nim results in the same output as nimble.

[dylanaraps]

Can you reproduce the issue with OpenSSL 1.1.1l?

[echawk]

I get a different error than before, now it seems like it is unable to detect the ca-certificates.

For nimble refresh --verbose:

Downloading Official package list 
     Trying https://github.com/nim-lang/packages/raw/master/packages.json 
   Warning: Could not download: No SSL/TLS CA certificates found. 
     Trying https://irclogs.nim-lang.org/packages.json 
     Trying https://nim-lang.org/nimble/packages.json 
     Error: Refresh failed 
        ... Could not download: No SSL/TLS CA certificates found. 

For ex.nim:

/usr/lib/nim/pure/httpclient.nim(557) ex
/usr/lib/nim/pure/httpclient.nim(324) getDefaultSSL
/usr/lib/nim/pure/net.nim(658) newContext
Error: unhandled exception: No SSL/TLS CA certificates found. [IOError]

It may be an error with my port.

[git-bruh]

@ehawkvu Can you try 'mkdir /etc/ssl/certs/; ln -s ../cert.pem /etc/ssl/certs/ca-certificates.crt

[echawk]

@git-bruh

Both worked (1.1.1l).

nimble:

Downloading Official package list
     Trying https://github.com/nim-lang/packages/raw/master/packages.json
    Success Package list downloaded.

[echawk]

Rebuilding nim after upgrading back to openssl 3.0.0 results in the same error as before.