helm: `helm dep build` with Homebrew returns x509: certificate signed by unknown authority

OSX 10.12.6, Currently using 2.8.0 but the behavior is also present on 2.7.X installed via homebrew.

In a corporate environment where ssl inspection is taking place. There are custom CA’s in the osx keychain facilitating the ssl termination. Doesn’t seem to work with helm. Typically using the env var SSL_CERT_FILE is enough to override the bundle but it has no effect here.

$ helm dep build
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
	Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: getsockopt: connection refused
...Unable to get an update from the "stable" chart repository (https://kubernetes-charts.storage.googleapis.com):
	Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
Update Complete. ⎈Happy Helming!⎈
Saving 1 charts
Downloading postgresql from repo https://kubernetes-charts.storage.googleapis.com/
Save error occurred:  could not download https://kubernetes-charts.storage.googleapis.com/postgresql-0.8.3.tgz: Get https://kubernetes-charts.storage.googleapis.com/postgresql-0.8.3.tgz: x509: certificate signed by unknown authority
Deleting newly downloaded charts, restoring pre-update state
Error: could not download https://kubernetes-charts.storage.googleapis.com/postgresql-0.8.3.tgz: Get https://kubernetes-charts.storage.googleapis.com/postgresql-0.8.3.tgz: x509: certificate signed by unknown authority

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 22 (6 by maintainers)

Most upvoted comments

Well, I just compiled a local copy of helm from master, which was able to successfully verify my chart repo’s cert. The official binary for v2.10.0-rc.1 also works, v2.9.0 also does not. Wonder if something changed on the official build server. (In any case, I think I should be fine using a newer helm binary?)

+2
jfrederickson on Jul 6, 2018

@bitsofinfo : still facing problem with --ca-file. able to set during “helm repo add” during download time it gives the following error, Error: failed to download “reponame/chartname” (hint: running helm repo update may help) Using helm v 3.2.4

+1
mail2vinay on Nov 27, 2020

Your suggestion to uninstall helm, update go and reinstall helm didn’t do the trick for me. I had been at go 1.10.2 already anyway, so there was nothing to upgrade. Additionally, helm seems to be installed as precompiled bottle anyway, and not compiled locally with whatever go version was installed there.

I’d agree that there isn’t much that can be done here. I suppose the issue should be opened with homebrew, with the intent to fix the formula.

Thanks!

+1
sfudeus on May 23, 2018
Read more comments on GitHub
← helm: 'helm dep build' requires repositories to be added, but 'helm dep update' doesn't
helm: helm dep list shows incorrect status for local dependencies →