cargo: Cannot get sources from https://crates.io as curl fails the certificate check

Building any project with dependencies on crates.io, with the latest nightly, on Arch Linux, ends with this error:

$ cargo build --verbose
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading pkg-config v0.0.1
Unable to get packages from source

Caused by:
  Failed to download package `pkg-config v0.0.1` from https://crates.io/api/v1/crates/pkg-config/0.0.1/download

Caused by:
  Peer certificate cannot be authenticated with given CA certificates

Sample Cargo.toml reproducing the issue:

$ cat Cargo.toml
[package]

name = "nickel-demo"
version = "0.0.1"
authors = ["Timothée Ravier <tim@siosm.fr>"]

[dependencies.nickel]

git = "https://github.com/nickel-org/nickel.rs.git"

And version info:

$ rustc --version=verbose
rustc 0.13.0-nightly (395901393 2014-11-24 00:46:30 +0000)
binary: rustc
commit-hash: 395901393c369c910a8ae36ace71402cb206d217
commit-date: 2014-11-24 00:46:30 +0000
host: x86_64-unknown-linux-gnu
release: 0.13.0-nightly
$ cargo --version
cargo 0.0.1-pre-nightly (1bdfb25 2014-11-20 19:29:22 +0000)

Using curl manually gives the following output:

$ curl -v https://crates.io/api/v1/crates/pkg-config/0.0.1/download
* Hostname was NOT found in DNS cache
*   Trying 107.20.211.76...
* Connected to crates.io (107.20.211.76) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: OU=GT87339749; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=crates.io
*        start date: 2014-11-06 11:11:23 GMT
*        expire date: 2015-11-09 14:30:14 GMT
*        subjectAltName: crates.io matched
*        issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
*        SSL certificate verify ok.
> GET /api/v1/crates/pkg-config/0.0.1/download HTTP/1.1
> User-Agent: curl/7.39.0
> Host: crates.io
> Accept: */*
> 
< HTTP/1.1 302 Found
< Connection: keep-alive
< Server: nginx
< Date: Tue, 25 Nov 2014 13:46:14 GMT
< Transfer-Encoding: chunked
< Set-Cookie: cargo_session=--3c156d7a3629aa08a1a0d538832f99ea30835cc8; HttpOnly; Secure; Path=/
< Location: https://crates-io.s3-us-west-1.amazonaws.com/crates/pkg-config/pkg-config-0.0.1.crate
< Strict-Transport-Security: max-age=31536000
< Via: 1.1 vegur
< 
* Connection #0 to host crates.io left intact

And tracing cargo build with strace gives:

$ strace -f -e trace=file cargo build --verbose
(...)
 Downloading pkg-config v0.0.1
stat("/home/tim/.cargo/registry/cache/github.com-1ecc6299db9ec823", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getcwd("/home/tim/projects/perso/rust/nickel-demo", 2048) = 42
stat("/home/tim/projects/perso/rust/nickel-demo/.cargo/config", 0x7fffb1eba210) = -1 ENOENT (No such file or directory)
stat("/home/tim/projects/perso/rust/.cargo/config", 0x7fffb1eba210) = -1 ENOENT (No such file or directory)
stat("/home/tim/projects/perso/.cargo/config", 0x7fffb1eba210) = -1 ENOENT (No such file or directory)
stat("/home/tim/projects/.cargo/config", 0x7fffb1eba210) = -1 ENOENT (No such file or directory)
stat("/home/tim/.cargo/config", 0x7fffb1eba210) = -1 ENOENT (No such file or directory)
stat("/home/.cargo/config", 0x7fffb1eba210) = -1 ENOENT (No such file or directory)
stat("/.cargo/config", 0x7fffb1eba210)  = -1 ENOENT (No such file or directory)
access("/home/tim/.gitconfig", F_OK)    = 0
stat("/home/tim/.gitconfig", {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0
stat("/home/tim/.gitconfig", {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0
open("/home/tim/.gitconfig", O_RDONLY)  = 3
access("/home/tim/.config/git/config", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/gitconfig", F_OK)          = -1 ENOENT (No such file or directory)
stat("/home/tim/.gitconfig", {st_mode=S_IFREG|0644, st_size=1541, ...}) = 0
open("/home/rustbuild/root64/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/var/ssl", 0x7fffb1eba7a0)        = -1 ENOENT (No such file or directory)
stat("/usr/share/ssl", 0x7fffb1eba7a0)  = -1 ENOENT (No such file or directory)
stat("/usr/local/ssl", 0x7fffb1eba7a0)  = -1 ENOENT (No such file or directory)
stat("/usr/local/openssl", 0x7fffb1eba7a0) = -1 ENOENT (No such file or directory)
stat("/usr/local/share", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/lib/ssl", 0x7fffb1eba7a0)    = -1 ENOENT (No such file or directory)
stat("/usr/ssl", 0x7fffb1eba7a0)        = -1 ENOENT (No such file or directory)
stat("/etc/openssl", 0x7fffb1eba7a0)    = -1 ENOENT (No such file or directory)
stat("/etc/pki/tls", 0x7fffb1eba7a0)    = -1 ENOENT (No such file or directory)
stat("/etc/ssl", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
open("/etc/gai.conf", O_RDONLY|O_CLOEXEC) = 3
stat("/dev/urandom", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
open("/dev/urandom", O_RDONLY)          = 4
open("/etc/ssl/cert.pem", O_RDONLY)     = 4
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 4
open("/etc/ssl/cert.pem", O_RDONLY)     = 5
stat("/etc/ssl/certs/415660c1.0", 0x7fffb1eba1e0) = -1 ENOENT (No such file or directory)
Unable to get packages from source

Caused by:
  Failed to download package `pkg-config v0.0.1` from https://crates.io/api/v1/crates/pkg-config/0.0.1/download

Caused by:
  Peer certificate cannot be authenticated with given CA certificates
+++ exited with 101 +++

So it looks like the curl module is not looking at the correct place for certificate checking and so far my attempts to use environment variables such as CURL_CA_BUNDLE have been unsuccessful with cargo.

This may be a rust-curl bug but I can’t confirm this because trying to build a minimal example with the curl-rust crate using cargo fails with the same error 😦.

About this issue

Original URL
State: closed
Created 10 years ago
Comments: 32 (10 by maintainers)

Commits related to this issue

cargoSnapshot: 2015-04-02 -> 2015-06-17, hide from nix-env Update snapshot to avoid rust-lang/cargo#976, which otherwise breaks the build. Also move the `cargoSnapshot` derivation inside a set in pk... — committed to telotortium/nixpkgs by telotortium 9 years ago
cargoSnapshot: 2015-04-02 -> 2015-06-17, hide from nix-env Update snapshot to avoid rust-lang/cargo#976, which otherwise breaks the build. Also move the `cargoSnapshot` derivation inside a set in pk... — committed to telotortium/nixpkgs by telotortium 9 years ago
cargoSnapshot: 2015-04-02 -> 2015-06-17, hide from nix-env Update snapshot to avoid rust-lang/cargo#976, which otherwise breaks the build. Also move the `cargoSnapshot` derivation inside a set in pk... — committed to wizeman/nixpkgs by telotortium 9 years ago

Most upvoted comments

I’ll note that we’re doing somewhat sketchy things with openssl (we’re linking it statically in the nightly distribution) which may not be kosher on all platforms, so it may not necessarily be a bug with Arch.

I also just realized, can you try running SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt cargo fetch ? (using nightlies) Either that or the SSL_CERT_DIR environment variable may help cargo find this location, although we should definitely find it by default as well.

alexcrichton on Nov 26, 2014