volta
Certification issue during install
I try to install volta on a Linux Jenkins agent and sporadically I got a certification-related error.
Could you please check it?
Weird. I can’t reproduce locally, and when I check the actual cert for https://get.volta.sh, it looks totally fine and reasonable—it's a standard LetsEncrypt cert which was issued Sept. 20 and expires December 19. I wonder if you're seeing some kind of odd caching issue on the box(es) in question?
Found this document, that could perhaps help to troubleshoot this issue https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
I got the same certification error on my mac just now.
$ curl https://get.volta.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
I got this error as well today.
macOS Mojave 10.14.6 iTerm2 Build 3.3.2
$ curl https://get.volta.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Turning off curl verification results in this error:
$ curl --insecure https://get.volta.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12319 100 12319 0 0 49865 0 --:--:-- --:--:-- --:--:-- 49874
Installing latest version of Volta ()
Checking for existing Volta installation
Fetching archive for macOS, version
curl: (22) The requested URL returned error: 404
Error: Could not download Volta version ''. See https://github.com/volta-cli/volta/releases for a list of available releases
I had this error as well. The version check inside the volta.sh script is also a curl call, so a workaround for now is to download the script, then add -k (or the long form, --insecure) and run locally:
curl -k https://get.volta.sh > volta.sh
# edit volta.sh and add the `-k` option to the curl command:
# get_latest_release() {
# curl -k --silent "https://volta.sh/latest-version"
# }
chmod +x volta.sh
./volta.sh
I checked the cert with openssl, it says the certificate is verify error:num=10:certificate has expired.
I used the following command:
openssl s_client -showcerts -servername get.volta.sh -connect get.volta.sh:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
...
@thoresuenert That's the legacy Let's Encrypt root certificate, which expired on September 30. The link posted above — https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ — has more info on resolving the issue. This is an issue with the Let's Encrypt certificate chain and OpenSSL 1.0.2, not specific to Volta, so likely will apply to any site you connect to using OpenSSL using those certificates (however that usually means using cURL or similar, so there probably aren't a ton of those on a regular basis).
Another solution, suggested by Let's Encrypt themselves — https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ — is to upgrade to OpenSSL 1.1.0 or greater.
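Added example, not part of the thread or of Volta's own code: a small shell helper that reads `openssl s_client` output like the lines quoted above and reports whether the expired certificate is the server's leaf (depth 0) or an element higher in the chain, which in this thread pointed to the client's trust store and OpenSSL version. The function names, result labels and the second sample are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify "certificate has expired" (verify error 10)
# in `openssl s_client` output. Function names and labels are hypothetical.

# Reads s_client output on stdin; prints "depth|subject|notAfter" for
# every chain element flagged as expired.
expired_chain_entries() {
  awk '
    function emit() {
      if (pending) print depth "|" subject "|" (na == "" ? "unknown" : na)
      pending = 0; na = ""
    }
    /^depth=[0-9]+ / {
      emit()                      # error line without a notAfter line
      depth = $1; sub(/^depth=/, "", depth)
      subject = $0; sub(/^depth=[0-9]+ /, "", subject)
      next
    }
    /^verify error:num=10:/ { pending = 1; next }
    /^notAfter=/ && pending { na = $0; sub(/^notAfter=/, "", na); emit() }
    END { emit() }
  '
}

# depth 0 is the server's own certificate; anything higher is an
# intermediate or root in the path the client tried to build.
diagnose_expiry() {
  local entries
  entries=$(expired_chain_entries)
  if [ -z "$entries" ]; then
    echo "no-expired-cert"
  elif printf '%s\n' "$entries" | grep -q '^0|'; then
    echo "server-leaf-expired"          # server operator must renew
  else
    echo "chain-above-leaf-expired"     # check client CA bundle / OpenSSL
  fi
}

# Constructed samples: the first reuses the lines quoted in this thread,
# the second is an invented leaf-expiry case for contrast.
SAMPLE_ROOT_EXPIRED='CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT'
SAMPLE_LEAF_EXPIRED='depth=0 CN = example.test
verify error:num=10:certificate has expired
notAfter=Jan 10 00:00:00 2020 GMT'

printf '%s\n' "$SAMPLE_ROOT_EXPIRED" | diagnose_expiry
printf '%s\n' "$SAMPLE_LEAF_EXPIRED" | diagnose_expiry
```

Against a live host, the same function can be fed from the command used in the thread, for example `openssl s_client -showcerts -servername get.volta.sh -connect get.volta.sh:443 </dev/null 2>&1 | diagnose_expiry`.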
What about the third workaround proposed at https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ ?
Configure the server to use the alternative certificate chain which can be requested from Let’s Encrypt with most up-to-date ACME protocol clients. This chain does not contain the ISRG Root X1 cross-signed by the soon to be expired DST Root CA X3 and thus any OpenSSL 1.0.2 clients will not be misled by this expired path.
It would require no action from client side.
Hi, I'd like to suggest adopting this to other engineers, but although I understand the issues with installation, I know it's going to be off-putting having this obstacle right at the start on OS X. Are there alternative installations planned which may run smoother for OS X users?
@newtriks brew install Volta works well, though I’m not clear on whether it would/could also end up hitting this issue.
download https://get.volta.sh and save to volta.sh file
replace curl to curl -k in volta.sh file
run volta.sh
success!!
I encountered this problem in a long-living Amazon Linux instance. sudo yum update ca-certificates resolved the problem without using the insecure flag for my case.
The root cause is related to the comment in this thread: https://github.com/volta-cli/volta/issues/1035#issuecomment-963545076
In my opinion, ignoring SSL certificate verification is simply dangerous. So if this solution works, it should be better.