
SSL certificate errors

HebaruSan edited this page Feb 11, 2018 · 10 revisions

Background

CKAN uses .NET/Mono's standard WebClient for all downloads (with curl as a fallback on some platforms). For HTTPS URLs, WebClient must be able to verify the host's SSL certificate against the trusted certificates on your local system. This is the same check a browser performs for the same URLs, and it is why you sometimes see a "security warning" about an expired certificate.

Modern operating systems have built-in certificate stores, but Mono also has its own certificate store. That store may or may not be synchronized automatically with the system store, and the system store may or may not contain the certificates needed to trust every download host.

Problems

You may see the following errors when CKAN attempts to download a file if its host's certificate cannot be verified:

Oh no! Our download failed with a certificate error!
Error: TrustFailure (The authentication or decryption has failed.)
Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED)
Unhandled Exception:
System.Net.WebException: Error: SendFailure (Error writing headers) --->
    System.Net.WebException: Error writing headers --->
    System.IO.IOException: The authentication or decryption has failed.

Causes

Occasionally, these errors may happen because a download host is using an expired certificate. This has happened with SpaceDock a few times. If this is what's happening, then you should also see an error in your browser when visiting the download site. In these cases all you can do is wait for the host to fix the problem; typically it only takes a few days or less.

More often, these errors happen because your Mono certificate store is missing certificates. Fortunately, this is a problem that you can solve.

Solutions

To resolve these errors, Mono's certificate store must be updated to trust the affected download hosts, which means adding the right certificates to your local Mono configuration. There are several tools that can do this; any of them should work as long as the right certificates end up in the store.

Importing system certificates

The cert-sync command was added in Mono 3.12.0 (release date: 13 Jan 2015). It imports certificates from your OS certificate store into the Mono SSL certificate store. This should happen automatically when installing Mono, but can also be done manually; see the Mono release note instructions for details on using cert-sync.

Debian/Ubuntu:

sudo apt install ca-certificates-mono
sudo cert-sync /etc/ssl/certs/ca-certificates.crt

Fedora:

sudo cert-sync /etc/pki/tls/certs/ca-bundle.crt

Arch:

sudo cert-sync /etc/ssl/certs/ca-certificates.crt
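The three distro-specific commands above differ only in the path of the system CA bundle. The following added example (not part of the CKAN wiki or of Mono) picks whichever of those bundle paths exists on the machine, checks that it actually contains certificates before importing, and then hands it to cert-sync; the function names are this example's own.

```shell
#!/bin/sh
# Locate the system CA bundle and import it into Mono's store with cert-sync.
# The candidate paths are the Debian/Ubuntu/Arch and Fedora bundles named above.

# Print the first readable bundle among the given paths (defaults to the
# known distro locations). Returns 1 if none is readable.
find_ca_bundle() {
    if [ "$#" -eq 0 ]; then
        set -- /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
    fi
    for bundle in "$@"; do
        if [ -r "$bundle" ]; then
            printf '%s\n' "$bundle"
            return 0
        fi
    done
    return 1
}

# Count PEM certificates in a bundle: importing an empty or truncated
# bundle would silently leave Mono with nothing to trust.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Run cert-sync on the detected bundle. Run as root to update the
# machine-wide Mono store (as the sudo commands above do).
sync_mono_certs() {
    bundle=$(find_ca_bundle "$@") || { echo "no readable CA bundle found" >&2; return 1; }
    n=$(count_pem_certs "$bundle")
    [ "$n" -gt 0 ] || { echo "$bundle contains no certificates" >&2; return 1; }
    echo "importing $n certificates from $bundle into Mono's store"
    cert-sync "$bundle"
}

# To use: source this file (or append a call) and run `sync_mono_certs`.
```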

Importing Mozilla's certificates

The older mozroots command downloads and imports Mozilla's trusted root certificates into Mono. This variant of the command will prompt the user before removing any trusted certificate:

mozroots --import --ask-remove

If that fails with the error "Couldn't retrieve the file using the supplied information.", download the certificate data manually and import it from the file:

wget -q 'http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' -O "/tmp/certdata.txt"
mozroots --import --ask-remove --file /tmp/certdata.txt