-
Notifications
You must be signed in to change notification settings - Fork 892
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to download files, certificate verify failed #1856
Comments
Okay, I stumbled upon an environment variable, RUSTUP_USE_CURL, that appears to not do the SSL certificate checking. It would've been much nicer if a reliable workaround for corporate environments were mentioned somewhere on the install page for rust. |
We have been around on this topic before. Currently we have no intention to add to That Do you have problems with your browser every time you visit an https webpage, or does your computer have a stored CA certificate for your company's MITM device? |
It causes problems on enough websites using https that it’s the first thing to blame when I see an error with ssl certificates, though other https webpages work. Mentioning in a FAQ on the installation page the curl backend as a workaround if there are certificate errors using the default reqwest backend would’ve been nice. If it’s because it does a better job finding certificates, then as a user I don’t care that I’m using a backend that is deprecated — I just want some quick troubleshooting options to try with the installer so that I can get a working install of rust. I was kind of surprised that installing with apt also required fetching a toolchain (ssl cert issues too) to get a working copy of the rust installer — I was hoping the apt package would be an easy alternative (basically the same as the offline installer, but with apt for updates). |
See, I wouldn't want to mention that in the readme explicitly because we're hoping to remove the cURL backend over time, so encouraging people to use it would be counterproductive. What we need to do is determine where the certificates are being stored and thusly why reqwest isn't finding them. Regarding the use of |
The version of cargo and rustc you get via |
Actually, it looks like I might have been wrong about RUSTUP_USE_CURL=1 working; I noticed today that running The copy of rustc I'm using was installed with |
So it sounds like you're expecting Either uninstall rustup ( Regarding the insecure-SSL stuff, we have another issue where we're thinking about this (#1542 and the associated PR #1624) but we're not inclined to support breaking the SSL security constraints unless Cargo opts to do so first. |
I had the same issue today. Adding Zscaler Root CA cert (used by rust sites) solved the issue. |
@Bharath-KKB Hey, can you explain what all you did? |
The exact steps depend on the OS you are using so follow the instructions for your OS. Basically what you need to do is save the Zscaler Root CA cert (from say your browser on windows) and add it to your truststore. For eg. to add on ubuntu/debian systems: I have not done these for a few months (I only do these when I need to upgrade software). But you need to look out if the intermediate CA certs are valid.. Usually the root CA cert is valid for longer periods(few years typically) but the intermediate certs issuing these certs for me are valid for 2 or 3 weeks . Somehow the cert chains don't work so had to import these regularly. |
I really struggled with actually getting the certificate. My advise for figuring this out is to to go to an https://google.com on your corp network on chrome and click the little lock next to the URL. Click the "connection is secure" tab -> "certificate is valid" -> details. The top certificate is your companies self-signed certificate chrome will export it correctly (I tried for hours with openssl to extract this certificate but failed.) Verify for the Certificate manually. Than export the highest most certificate. Now I was using ubuntu WSL so you can do the following assuming you cert is call company_cert.cer openssl x509 -in company_cert.cer -inform der -text -out company_cert.crt ; this is text verification
# sudo cp company_cert.crt /users/local/shared/ca-certificates/
# sudo update-ca-certificates After that rustup should work. This Is mostly a SSL problem not a rustup problem but the information on actually find the cert and than also installing it via ca-certs is not in one place. If someone knows how to extract the certificate via openssl that would be a better fix because I assume you have chrome |
I have a similar problem on Debian stable. I'm not sure if it's connected, but one thing I remember doing recently that could be related is I put a few more details in https://users.rust-lang.org/t/rustup-update-fails-with-a-certificate-error-but-curl-works/92551/1. |
@ilyagr do you have the certificate correctly in place? see e.g. #1856 (comment) What version of rustup do you have? |
I can try that (exporting a certificate from my browser). It's a confusing operation. Also, is it relevant for non-corporate networks? When I follow those instructions to find a root CA I find something generic. In firefox for google.com, I have a "GTS Root R1" certificate and a "GlobalSign Root CA" certificate. As I said,
rustup 1.25.2 (17db695 2023-02-01) This is running on Debian stable on Chrome OS. (I'm not sure if the certificate store in Chrome OS's linux is connected to the certificate score in Chrome OS itself) Update: One thing I noticed that might be relevant is that the certificate on static.rust-lang.org was issued on Thursday, February 23, 2023, and so is newer than my version of I can also copy the exact message from the forum post I linked:
|
It seems that updating to the recently released rustup 1.26 via That is, now rustup works even without I wouldn't be surprised if the problem reoccurs the next time the certificate for |
I ran into this problem today on rustup 1.26 (worked fine yesterday), using Uninstalling rustup ( |
In windows 11, I got this error when running
I knew it was most likely an SSL error under the hood, but setting this environment variable solved the issue :
Just execute it in the terminal, and run the |
@ayoubachak As for Rustup v1.27.0, the default download/TLS backend combination is Does setting In fact, we are currently investigating issues regarding different download/TLS backends:
Originally posted by @djc in #3788 (comment) |
I didn't try changing |
@ayoubachak So you mean this issue is not quite reproducible? That's the very problem that we are facing right now 🤦♀️ Thanks anyway! |
I'm on a Windows 10 laptop behind a corporate firewall (Zscaler). I did |
In the upcoming release, rustls is the default so hopefully this will improve soon. |
Problem
Rustup has no option to disable certificate checking. The place I work at has networking hardware in place that basically breaks SSL. I've tried adding --no-check-certificate and --insecure to the curl/wget commands in the "easy" rustup-init.sh script, but then the rustup command fails due to the same SSL certificate validation errors. A no-nonsense get.
Steps
Possible Solution(s)
Add a command line argument that bypasses the SSL certificate check. I've seen the other issues saying to add certificates to the ca cert folder, but there is no certificate available to add to the cert store.
Notes
Adding a command line argument to disable checking certificates is the simplest solution for a user in a restrictive corporate network that just wants a way to get a functional install of rust. It should not be as painful as it currently is; this is a useability bug, that makes for a very bad user experience when your computer is on a corporate network.
The text was updated successfully, but these errors were encountered: