I’ve kind of been able to reproduce this. I’m not sure if this maps at all onto your situation, though.
When I use Homebrew to install openssl
(e.g. brew install openssl
), it drops off a cert.pem
file at /usr/local/etc/openssl/cert.pem
. This (and the directory /usr/local/etc/openssl/certs
) appear to be where our underlying HTTP client is looking for certificates.
My reproduction step is to remove / rename that cert.pem
file, which gives the exact same error.
Can you try installing openssl
with Homebrew and see if that fixes things for you?
As an alternative, the environment variables SSL_CERT_FILE
and / or SSL_CERT_DIR
can be used (note that these are standard OpenSSL environment variables, and nothing Habitat-specific)
# Works after `brew install openssl`!
$ hab pkg search iainrose/national-parks
iainrose/national-parks/6.3.0/20180111214454
iainrose/national-parks/6.3.0/20180315165006
iainrose/national-parks/6.4.0/20180319201145
iainrose/national-parks/6.4.0/20180319203322
iainrose/national-parks/6.4.0/20180319213659
iainrose/national-parks/6.4.0/20180319214059
iainrose/national-parks/6.4.0/20180403232809
iainrose/national-parks/6.4.0/20180404001809
# "Remove" the SSL cert and it fails!
$sudo mv /usr/local/etc/openssl/cert.pem /usr/local/etc/openssl/cert.pem.0
$hab pkg search iainrose/national-parks
✗✗✗
✗✗✗ the handshake failed: The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:: unable to get local issuer certificate
✗✗✗
# Use an environment variable and it works!
$ SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem.0 hab pkg search iainrose/national-parks
iainrose/national-parks/6.3.0/20180111214454
iainrose/national-parks/6.3.0/20180315165006
iainrose/national-parks/6.4.0/20180319201145
iainrose/national-parks/6.4.0/20180319203322
iainrose/national-parks/6.4.0/20180319213659
iainrose/national-parks/6.4.0/20180319214059
iainrose/national-parks/6.4.0/20180403232809
iainrose/national-parks/6.4.0/20180404001809
Here’s the relevant documentation from OpenSSL.