cargo: Peer certificate cannot be authenticated with given CA certificates (SSL certificate problem: certificate has expired)

Problem

I was trying to run my bevy learning project when I got this error after running cargo run:

error: failed to download from `https://crates.io/api/v1/crates/bevy_derive/0.9.1/download`

Caused by:
  [60] Peer certificate cannot be authenticated with given CA certificates (SSL certificate problem: certificate has expired)

Steps

  1. Init a new project with cargo new
  2. Add dependencies
  3. Run cargo run

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.67.0 (8ecd4f20a 2023-01-10)
release: 1.67.0
commit-hash: 8ecd4f20a9efb626975ac18a016d480dc7183d9b
commit-date: 2023-01-10
host: x86_64-apple-darwin
libgit2: 1.5.0 (sys:0.16.0 vendored)
libcurl: 7.54.0 (sys:0.4.59+curl-7.86.0 system ssl:LibreSSL/2.0.20)
os: Mac OS 10.13.6 [64-bit]

About this issue

  • State: closed
  • Created a year ago
  • Comments: 21 (11 by maintainers)

Most upvoted comments

Apologies for the inconvenience, folks. Please know that I’m working on this.

I did some more research and testing yesterday, and eventually found this post by a member of Let’s Encrypt’s staff that confirms @ehuss’s suspicion that the issue has to do with the cross-signed root certificate. Quickly summarized, OpenSSL < 1.1 and LibreSSL < 3.2 will just not work with Let’s Encrypt’s default chain.

I’m now in the process of switching our staging environment over to a certificate provided by GlobalSign. If we can confirm that this resolves the issue with older OpenSSL versions, we’ll roll it out to production as well.
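The cross-signed root situation described in the comment above can be reproduced offline. The Go program below is an added example (not code from cargo, curl, Let's Encrypt or anyone on this issue); it builds a constructed toy PKI with made-up names, keys and dates: a current root, a legacy root that expired in 2021, a cross-sign of the current root's key issued by the legacy root and valid until 2024, an intermediate and a leaf. It then validates the leaf with Go's crypto/x509 against three trust stores at a fixed evaluation date (2023-03-28, also constructed), with the server presenting the intermediate and the cross-sign next to the leaf, which is the shape of the default chain the comment refers to.

```go
package main

// Added example (not cargo's, curl's or Let's Encrypt's code); every name, key and date is constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ToyPKI struct {
	OldRoot      *x509.Certificate // legacy self-signed root, expired
	NewRoot      *x509.Certificate // current self-signed root
	Cross        *x509.Certificate // NewRoot's key and subject, signed by OldRoot
	Intermediate *x509.Certificate // issued by NewRoot
	Leaf         *x509.Certificate // server certificate, issued by Intermediate
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
func Store(certs ...*x509.Certificate) []*x509.Certificate { return certs }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

func caTemplate(cn string, serial int64, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              to,
		IsCA:                  true, // CreateCertificate derives SubjectKeyId for CA templates
		BasicConstraintsValid: true,
	}
}

// sign issues tmpl for pub under parent with signer's key; parent == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildToyPKI generates fresh keys and the five certificates; validity periods are constructed.
func BuildToyPKI() *ToyPKI {
	oldK, newK, intK, leafK := genKey(), genKey(), genKey(), genKey()
	oldRoot := sign(caTemplate("Toy Legacy Root", 1, date(2000, 9, 30), date(2021, 9, 30)), nil, &oldK.PublicKey, oldK)
	newRoot := sign(caTemplate("Toy Current Root", 2, date(2015, 6, 4), date(2035, 6, 4)), nil, &newK.PublicKey, newK)
	cross := sign(caTemplate("Toy Current Root", 3, date(2021, 1, 20), date(2024, 9, 30)), oldRoot, &newK.PublicKey, oldK)
	inter := sign(caTemplate("Toy Intermediate", 4, date(2020, 9, 4), date(2025, 9, 15)), newRoot, &intK.PublicKey, newK)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(5),
		Subject:      pkix.Name{CommonName: "toy.example"},
		NotBefore:    date(2023, 3, 27),
		NotAfter:     date(2024, 4, 27),
	}, inter, &leafK.PublicKey, intK)
	return &ToyPKI{OldRoot: oldRoot, NewRoot: newRoot, Cross: cross, Intermediate: inter, Leaf: leaf}
}

// VerifyWith validates the leaf against a store of roots, given what the server presents next to the
// leaf, at a fixed time; it returns the first chain's length (leaf included) or the verifier's error.
func VerifyWith(p *ToyPKI, roots, presented []*x509.Certificate, at time.Time) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range presented {
		interPool.AddCert(c)
	}
	chains, err := p.Leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, CurrentTime: at})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	p := BuildToyPKI()
	presented := Store(p.Intermediate, p.Cross) // what the server sends next to the leaf
	for _, roots := range [][]*x509.Certificate{Store(p.OldRoot), Store(p.NewRoot), Store(p.OldRoot, p.NewRoot)} {
		n, err := VerifyWith(p, roots, presented, date(2023, 3, 28)) // constructed evaluation time
		fmt.Printf("%d trusted root(s): chain length %d, error: %v\n", len(roots), n, err)
	}
}
```

The legacy-root-only run reproduces the failure in this issue: the only path the verifier can complete ends at a root that has expired, so the reported error is an expiry error even though the leaf itself is fresh. With the current root in the store the verifier finds the shorter path and succeeds, and it still succeeds when both roots are present, because Go, like the newer OpenSSL and LibreSSL releases the comment names, tries every candidate issuer instead of following the presented chain to a dead end; older path builders stop at the expired legacy root in that case, which is why serving a chain whose root those trust stores already held was the workable fix on the crates.io side.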

Sorry for the wait, everyone! It took a few days to confirm the fix on staging and test the rollout process to production.

Our Fastly service for static.crates.io now serves a certificate signed by GlobalSign.

This has resolved the above issues on macOS 10.13 (or other systems that still rely on OpenSSL < 1.1) in my test environment. If you continue to experience issues, please let me know so that we can investigate.

After running the new certificates in production for four weeks, I’m gonna close this issue. If anyone runs into this or a similar issue in the future, feel free to create a new issue.

Thank you so much for the fix, @jdno. Also thanks to @ehuss! Really appreciate it.

I just tested it now (had to wait a bit till the GlobalSign one got picked):

~/dev/playground:$ curl --insecure -Iv https://static.crates.io/ 

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 151.101.1.91:443...
* Connected to static.crates.io (151.101.1.91) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2853 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=static.crates.io
*  start date: Mar 27 10:19:44 2023 GMT
*  expire date: Apr 27 10:19:43 2024 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* h2h3 [:method: HEAD]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: static.crates.io]
* h2h3 [user-agent: curl/7.83.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7fa5eb801400)
} [5 bytes data]
> HEAD / HTTP/2
> Host: static.crates.io
> user-agent: curl/7.83.1
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [185 bytes data]
< HTTP/2 403 
< x-amz-bucket-region: us-west-1
< x-amz-request-id: 36MBENX6XFKQ1HK2
< x-amz-id-2: d+ittT5zQRviYW9eaJGbrMaBey2611pMNavnmV9YPCBGWza0aiXARhGvNxH0RfRaEqPW8OGDjDhTxOBdW02XZg==
< content-type: application/xml
< server: AmazonS3
< accept-ranges: bytes
< x-timer: S1679979033.363817,VS0,VE928
< date: Tue, 28 Mar 2023 04:50:34 GMT
< via: 1.1 varnish
< x-served-by: cache-hyd1100022-HYD
< x-cache: MISS
< x-cache-hits: 0
< 

  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
* Connection #0 to host static.crates.io left intact
HTTP/2 403 
x-amz-bucket-region: us-west-1
x-amz-request-id: 36MBENX6XFKQ1HK2
x-amz-id-2: d+ittT5zQRviYW9eaJGbrMaBey2611pMNavnmV9YPCBGWza0aiXARhGvNxH0RfRaEqPW8OGDjDhTxOBdW02XZg==
content-type: application/xml
server: AmazonS3
accept-ranges: bytes
x-timer: S1679979033.363817,VS0,VE928
date: Tue, 28 Mar 2023 04:50:34 GMT
via: 1.1 varnish
x-served-by: cache-hyd1100022-HYD
x-cache: MISS
x-cache-hits: 0

and I was able to fetch and build with no problems:

~/dev/playground/foo:$ cargo build
  Downloaded phoron_asm v1.0.2
  Downloaded 1 crate (94.7 KB) in 2.03s
   Compiling phoron_core v0.5.4
   Compiling phoron_asm v1.0.2
   Compiling foo v0.1.0 (/Users/z0ltan/dev/playground/foo)
    Finished dev [unoptimized + debuginfo] target(s) in 8.93s

Thank you!

Going ahead and closing this issue to make the issue backlog less scary. Thank you for the help with the investigation! If you still encounter the issue or have finally figured out the cause, let us know and we can consider reopening it.