-
-
Notifications
You must be signed in to change notification settings - Fork 346
SSL certificate errors
CKAN uses .NET/Mono's standard WebClient
for all downloads (with CURL as a fallback on some platforms). For HTTPS URLs, WebClient
needs to be able to verify a host's SSL certificate using trusted certificates on your local system. This is also what a browser does for the same URLs, and it's why you sometimes see a "security warning" about an expired certificate.
Modern operating systems have built-in certificate stores, but Mono also has its own certificate store, which may or may not be automatically synchronized with the system certificate store, which may or may not include certificates that trust all of the download hosts.
You may see the following errors when CKAN attempts to download a file if its host's certificate cannot be verified:
Oh no! Our download failed with a certificate error!
Error: TrustFailure (The authentication or decryption has failed.)
Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED)
Unhandled Exception:
System.Net.WebException: Error: SendFailure (Error writing headers) --->
System.Net.WebException: Error writing headers --->
System.IO.IOException: The authentication or decryption has failed.
Occasionally, these errors may happen because a download host is using an expired certificate. This has happened with SpaceDock a few times. If this is what's happening, then you should also see an error in your browser when visiting the download site. In these cases all you can do is wait for the host to fix the problem; typically it only takes a few days or less.
More often, these errors happen because your Mono certificate store is missing certificates. Fortunately, this is a problem that you can solve.
To resolve these errors, Mono's certificate store must be updated to trust the affected download hosts, which entails adding the right certificates to your local Mono configuration. There are multiple tools available to do this, but any of them might work as long as the right certificates are added.
The cert-sync
command was added in Mono 3.12.0 (release date: 13 Jan 2015). It imports certificates from your OS certificate store into the Mono SSL certificate store. This should happen automatically when installing Mono, but can also be done manually; see the Mono release note instructions for details on using cert-sync
.
Debian/Ubuntu:
sudo apt install ca-certificates-mono
sudo cert-sync /etc/ssl/certs/ca-certificates.crt
Fedora:
sudo cert-sync /etc/pki/tls/certs/ca-bundle.crt
Arch:
sudo cert-sync /etc/ssl/certs/ca-certificates.crt
The older mozroots
command downloads and imports Mozilla's trusted root certificates into Mono. This variant of the command will prompt the user before removing any trusted certificate:
mozroots --import --ask-remove
If you get "Couldn't retrieve the file using the supplied information." as an error then try:
wget -q 'http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' -O "/tmp/certdata.txt"
mozroots --import --ask-remove --file /tmp/certdata.txt
Contact us on the KSP forum or on our Discord server