SSL error on MacOS

iainrose · April 5, 2018, 6:44pm

I've been able to use the Habitat CLI previously but had to switch to a new laptop and am now having a problem that seems to be related to OpenSSL.

This error is occuring when trying to search for packages in the builder.

iainrose$ hab pkg search iainrose/national-parks
✗✗✗
✗✗✗ the handshake failed: The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:: unable to get local issuer certificate
✗✗✗

If I run the same command from inside the Hab studio, it's working

[1][default:/src:0]# hab pkg search iainrose/national-parks
iainrose/national-parks/6.3.0/20180111214454

MacOS 10.13.3
hab 0.55.0/20180321215236
LibreSSL 2.2.7

I saw this similar issue logged in Github but am hoping to find a solution that can be shared with others here.

christophermaier_1 · April 5, 2018, 7:03pm

I remember running into this a while back, but can no longer reproduce it locally. The error suggests a local issue finding certificates, though. Habitat on MacOS should be going through the normal system certificate store.

Running your command with the environment variable RUST_LOG=debug might provide some more context.

iainrose · April 5, 2018, 8:43pm

Here’s the output with the debug flag set.

Iains-MBP:~ iainrose$ hab pkg search iainrose/national-parks
DEBUG 2018-04-05T20:43:02Z: habitat_common::ui: InputStream(stdin): { is_a_terminal(): true }
DEBUG 2018-04-05T20:43:03Z: habitat_common::ui: OutputStream(stdout): { is_colored(): true, supports_color(): true, is_a_terminal(): true }
DEBUG 2018-04-05T20:43:03Z: habitat_common::ui: OutputStream(stderr): { is_colored(): true, supports_color(): true, is_a_terminal(): true }
DEBUG 2018-04-05T20:43:03Z: hab: clap cli args: [“hab”, “pkg”, “search”, “iainrose/national-parks”]
DEBUG 2018-04-05T20:43:03Z: hab: remaining cli args: []
DEBUG 2018-04-05T20:43:03Z: hab::config: Loading CLI config from /Users/iainrose/.hab/etc/cli.toml
DEBUG 2018-04-05T20:43:03Z: habitat_http_client::api_client: User-Agent: hab/0.55.0/20180321215236 (x86_64-darwin; 17.4.0)
DEBUG 2018-04-05T20:43:03Z: habitat_http_client::api_client: GET https://bldr.habitat.sh/v1/depot/pkgs/search/iainrose%2Fnational-parks with ApiClient { endpoint: “https://bldr.habitat.sh/v1”, inner: Client { redirect_policy: FollowAll, read_timeout: Some(Duration { secs: 60, nanos: 0 }), write_timeout: Some(Duration { secs: 60, nanos: 0 }), proxy: None }, proxy: None, target_scheme: “https”, user_agent_header: UserAgent(“hab/0.55.0/20180321215236 (x86_64-darwin; 17.4.0)”) }
DEBUG 2018-04-05T20:43:03Z: hyper::net: http scheme
DEBUG 2018-04-05T20:43:03Z: hyper::net: https scheme
✗✗✗
✗✗✗ the handshake failed: The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:: unable to get local issuer certificate
✗✗✗

christophermaier_1 · April 6, 2018, 4:24pm

I’ve kind of been able to reproduce this. I’m not sure if this maps at all onto your situation, though.

When I use Homebrew to install openssl (e.g. brew install openssl), it drops off a cert.pem file at /usr/local/etc/openssl/cert.pem. This (and the directory /usr/local/etc/openssl/certs) appear to be where our underlying HTTP client is looking for certificates.

My reproduction step is to remove / rename that cert.pem file, which gives the exact same error.

Can you try installing openssl with Homebrew and see if that fixes things for you?

As an alternative, the environment variables SSL_CERT_FILE and / or SSL_CERT_DIR can be used (note that these are standard OpenSSL environment variables, and nothing Habitat-specific)

# Works after `brew install openssl`!
$ hab pkg search iainrose/national-parks
iainrose/national-parks/6.3.0/20180111214454
iainrose/national-parks/6.3.0/20180315165006
iainrose/national-parks/6.4.0/20180319201145
iainrose/national-parks/6.4.0/20180319203322
iainrose/national-parks/6.4.0/20180319213659
iainrose/national-parks/6.4.0/20180319214059
iainrose/national-parks/6.4.0/20180403232809
iainrose/national-parks/6.4.0/20180404001809

# "Remove" the SSL cert and it fails!
$sudo mv /usr/local/etc/openssl/cert.pem /usr/local/etc/openssl/cert.pem.0
$hab pkg search iainrose/national-parks
✗✗✗
✗✗✗ the handshake failed: The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:: unable to get local issuer certificate
✗✗✗

# Use an environment variable and it works!
$ SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem.0 hab pkg search iainrose/national-parks
iainrose/national-parks/6.3.0/20180111214454
iainrose/national-parks/6.3.0/20180315165006
iainrose/national-parks/6.4.0/20180319201145
iainrose/national-parks/6.4.0/20180319203322
iainrose/national-parks/6.4.0/20180319213659
iainrose/national-parks/6.4.0/20180319214059
iainrose/national-parks/6.4.0/20180403232809
iainrose/national-parks/6.4.0/20180404001809

Here’s the relevant documentation from OpenSSL.

christophermaier_1 · April 6, 2018, 3:57pm

FYI, I've got an update to our Homebrew hab package (currently under review) that will install openssl as a dependency, so hopefully very soon nobody else will hit this error.

iainrose · April 6, 2018, 5:49pm

Brilliant! That fixed it. Thank you for the help, much appreciated.

christophermaier_1 · April 6, 2018, 7:49pm

Update: The PR has merged, so openssl will now be installed by Homebrew when you install hab

christophermaier_1 · April 6, 2018, 9:09pm

There’s some additional context and follow-up information on this at https://github.com/habitat-sh/habitat/issues/4871, for folks that may stumble across this in the future.

nellshamrell · September 6, 2018, 8:41pm

I ran into this again with 0.62.1 on a mac - I was able to get around it by setting the SSL_CERT_FILE environmental variable like this:

export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem