SSL handshake keeps failing even after adding certificates to local truststore

When executing

wget 

I have this error:

--2020-06-03 20:55:06--
Resolving docs.conda.io (docs.conda.io)... 104.31.71.166, 104.31.70.166, 172.67.149.185, ...
Connecting to docs.conda.io (docs.conda.io)|104.31.71.166|:443... connected.
ERROR: cannot verify docs.conda.io's certificate, issued by ‘CN=SSL-SG1-GFRPA2,OU=Operations,O=Cloud Services,C=US’: Unable to locally verify the issuer's authority.
To connect to docs.conda.io insecurely, use `--no-check-certificate'.

The certificate chain in the URL above contains 4 certificates.

What I have tried to solve this problem:

0) Extract the 4 certificates in the chain from Chrome when opening the URL

1) Just to ensure no certificates are missing, I put all 4 certificates (namely conda1.crt, conda2.crt, conda3.crt, conda4.crt) in /usr/share/ca-certificates/mozilla/ by doing sudo cp conda*.crt /usr/share/ca-certificates/mozilla/

2) sudo vi /etc/ca-certificates.conf and append mozilla/conda1.crt, mozilla/conda2.crt, mozilla/conda3.crt, mozilla/conda4.crt at the end

3) Run sudo update-ca-certificates -f

4) I can see symbolic links created under /etc/ssl/certs which look like: conda1.pem -> /usr/share/ca-certificates/mozilla/conda1.crt, conda2.pem -> /usr/share/ca-certificates/mozilla/conda2.crt, etc.

Verification:

openssl verify -no-CAfile -no-CApath -partial_chain -CAfile conda1.pem conda2.pem
conda2.pem: OK
openssl verify -no-CAfile -no-CApath -partial_chain -CAfile conda2.pem conda3.pem
conda3.pem: OK
openssl verify -no-CAfile -no-CApath -partial_chain -CAfile conda3.pem conda4.pem
conda4.pem: OK

Result: still fails with wget

P.S. I have been facing this SSL problem in many places and with many URLs since a month ago (no problem before):

  1. I cannot do conda search a_package
  2. I cannot do requests.get(url) in Python code
  3. I cannot open it in a browser within my Ubuntu system (can only access in Windows)
  4. I cannot do fromUrl in Scala

It seems the problem is not only due to one or two certificates; instead, it's a systematic problem in my Ubuntu system. It looks like a list of certificates is missing from my truststore.

uname => Linux user 5.3.0-53-generic #47~18.04.1-Ubuntu SMP Thu May 7 13:10:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I'm using Oracle VirtualBox.
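
Added example, not part of the original question: the pairwise checks in the question pass -no-CAfile -no-CApath, so they confirm the issuer/subject links between the files but never read /etc/ssl/certs. The script below builds a constructed three-certificate chain and compares that check with verification against a hashed CApath directory. All file names, subjects and directories are assumptions, and it needs OpenSSL 1.1.0 or later.

```sh
# Added example: constructed chain, throwaway keys. Assumes OpenSSL 1.1.0+.
# Build root -> intermediate -> leaf in directory $1 (names are made up).
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# The question's check: each certificate against its issuer as the only anchor.
# -no-CAfile -no-CApath keep the system trust store out of the decision.
pairwise_ok() {
  for p in root:int int:leaf; do
    openssl verify -no-CAfile -no-CApath -partial_chain \
      -CAfile "$1/${p%%:*}.pem" "$1/${p##*:}.pem" >/dev/null 2>&1 || return 1
  done
}

# Store check: the leaf must chain to an anchor in hashed directory $2; the
# intermediate is passed as untrusted, the way a server would send it.
store_ok() {
  openssl verify -no-CAfile -CApath "$2" -untrusted "$1/int.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

# Install certificate $1 into directory $2 under its <subject-hash>.0 name.
install_anchor() {
  h=$(openssl x509 -noout -subject_hash -in "$1") && cp "$1" "$2/$h.0"
}

demo() {
  t=$(mktemp -d) && mkdir "$t/empty" "$t/int_only" "$t/with_root" && make_chain "$t" || return 1
  install_anchor "$t/int.pem" "$t/int_only"
  install_anchor "$t/root.pem" "$t/with_root"
  pairwise_ok "$t" && echo "pairwise -partial_chain checks: OK"
  for s in empty int_only with_root; do
    if store_ok "$t" "$t/$s"; then echo "$s: OK"; else echo "$s: FAIL"; fi
  done
  rm -rf "$t"
}
demo
```

The pairwise checks pass whatever the stores contain; of the three stores, only the one holding the self-signed root verifies the leaf.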
