Migration broke my Homebrew install. Can't install curl now because of cert errors


(Strafer) #1

Brew update reported that my install of Homebrew was up-to-date even though v. .99 was installed. So I ran the following:

cd "$(brew --repo)" && git fetch && git reset --hard origin/master && brew update

remote: Counting objects: 1377, done.
remote: Compressing objects: 100% (332/332), done.
remote: Total 1377 (delta 1075), reused 1324 (delta 1034), pack-reused 0
Receiving objects: 100% (1377/1377), 213.66 KiB | 0 bytes/s, done.
Resolving deltas: 100% (1075/1075), completed with 259 local objects.
From . . .
126fd7f…03e568e master -> origin/master

 * [new tag] 1.0.2 -> 1.0.2
 * [new tag] 1.0.3 -> 1.0.3
 * [new tag] 1.0.4 -> 1.0.4
Checking out files: 100% (831/831), done.
HEAD is now at 03e568e Merge pull request #1124 from reitermarkus/rubocop-case-equality
sed: .git/GITHUB_HEADERS: No such file or directory
Updated 5 taps (caskroom/cask, homebrew/core, homebrew/dupes, homebrew/services, homebrew/versions).

After that, I was told to install curl even though it was already installed. Running brew install curl failed:

==> Installing curl dependency: openssl
==> Downloading https://www.openssl.org/source/openssl-1.0.2i.tar.gz
######################################################################## 100.0%
==> perl ./Configure --prefix=/usr/local/Cellar/openssl/1.0.2i --openssldir=/usr/local/etc/openssl no-ssl2 zlib-dynamic shared enable-cms darwin
==> make depend
==> make
==> make test
==> make install MANDIR=/usr/local/Cellar/openssl/1.0.2i/share/man MANSUFFIX=ssl
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl/certs

and run
/usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local.

Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries

Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you’ll need to add to your
build variables:

LDFLAGS:  -L/usr/local/opt/openssl/lib
CPPFLAGS: -I/usr/local/opt/openssl/include
PKG_CONFIG_PATH: /usr/local/opt/openssl/lib/pkgconfig

==> Summary
/usr/local/Cellar/openssl/1.0.2i: 1,695 files, 12.7M, built in 12 minutes 11 seconds
==> Installing curl
==> Downloading hxxps://curl.haxx.se/download/curl-7.50.3.tar.bz2

curl: (77) error setting certificate verify locations:
CAfile: /usr/local/etc/openssl/cert.pem
CApath: none
Error: Failed to download resource "curl"
Download failed: hxxps://curl.haxx.se/download/curl-7.50.3.tar.bz2

How can I fix this curl install error?

I have curl (7.50.1) installed but which curl yields /usr/bin/curl. Somehow the Homebrew migration broke some of the symlinks. I have gcc (6.1.0) installed but which gcc shows /usr/bin/gcc.


(Strafer) #2

I tried the Homebrew update on a VM of Snow Leopard that had a clean install of Homebrew. Same error:

curl: (77) error setting certificate verify locations:
CAfile: /usr/local/etc/openssl/cert.pem
CApath: none

Looks like Homebrew no longer works on Snow Leopard Server. Or is there a way to fix these certificate errors to get Homebrew working again on OS X 10.6.8 Server?


(Mike McQuaid) #3

We don’t support any versions below 10.10, I’m afraid. If you can figure out how to fix this on 10.6 then we’ll accept a pull request. Sorry!


(Elfinmagic) #4

We ran into the same exact problem.

# Explanation of the Problem
Basically, for some reason Homebrew created the file /usr/local/etc/openssl/cert.pem, but did NOT put anything into the file.

Normally, that file should contain all of the certificates for known Certificate Authorities (CAs) - those are the companies or institutions around the world who are allowed to “sign” the SSL certificates for your website and anyone else’s website whom you try to access – companies like GeoTrust, Thawte, and in some countries like the PRC it is actually the government themselves who digitally countersign individual websites’ SSL certificates.

This is why the file is called “CAfile:”

If the file is empty, then CURL thinks that it CANNOT TRUST ANY WEBSITE ANYWHERE because it has no ‘trusted’ certificates to start out with.

In the CAfile cert.pem CURL is expecting to find many certificates all copy/pasted together into one single text file.

However, it is also possible for you to have a FOLDER full of individual text files, one for each Certificate Authority that you trust to sign other websites’ certificates (i.e. they are acting like a “notary”).

In the folder-based setup, CURL would need to know what folder to go to in order to read all of those individual text files – that folder path is what CURL is calling the “CApath:”.

# Resolution to the problem

CURL needs to be able to see some certificates for the CAs (aka “notaries”) whom it should trust.

You can put them all into one single text file (cert.pem) or multiple files in a single folder (the CApath).

In our setup there was not a “none” in the CApath. Homebrew and CURL were expecting the folder to be at the path /usr/local/etc/openssl/certs.

You can put the certificates in EITHER location (the single text file, or the multiple files in a folder), and CURL should work.

## Where to get the valid Certificates?

You can get them directly from the curl.haxx.se website.

https://curl.haxx.se/ca/cacert.pem

Here is a simple command to download the file and save it directly into the location that Homebrew’s CURL is expecting the file to be:

$ /usr/bin/curl https://curl.haxx.se/ca/cacert.pem /usr/local/etc/openssl/cert.pem

In our case, the curl that Apple shipped with Snow Leopard was still at /usr/bin/curl, so we used that version of curl to do the download.

If you try to download the file using curl instead of /usr/bin/curl, you might have a problem where the Homebrew-installed curl gets called to download the certificates file from the webserver, but the Homebrew-installed curl is the one that is having problems and will not “trust” the security of the download, so it will error out (with the exact same error you were already having) before it will ever download and save the file for you.

So, to avoid that problem you need to use the Apple-included curl at /usr/bin/curl (that is assuming that you have not already removed Apple’s curl or symbolically linked it to another version).

If all else fails, you can simply download the certificate file by typing this link into your web browser:

https://curl.haxx.se/ca/cacert.pem

and then saving the text file to your hard drive using your web browser.

After the text file is saved on the drive, you can open a terminal window and type:

$ mv the_full_path_and_name_of_the_file_you_just_downloaded /usr/local/etc/openssl/cert.pem

That will move the file you just downloaded, and will rename it as “cert.pem” and place it into the correct location where the Homebrew-installed curl is expecting the file to be located.

Then, you should be able to type something like:

$ curl https://www.example.com

And curl should correctly download the secure page and display it as html text in your terminal.

The real purpose of the test was to make sure that the certificates worked. You will know that they worked because otherwise curl will throw an error exactly as you had before when you try to download any HTTPS link.

Enjoy :)


(Martin Dorey) #5

I don’t think that’s quite valid curl syntax. I did this:

/usr/bin/curl https://curl.haxx.se/ca/cacert.pem --output /usr/local/etc/openssl/cert.pem

Well, that didn’t work either, so I did it from another working machine.

(Really I just wanted to say “thanks”. There are many unwise-sounding solutions to this symptom floating around. This was about the tenth page I looked at. But, if your /usr/local/etc/openssl/cert.pem is zero bytes, this is the one you want, no doubt. I wonder what causes the file to be empty.)
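
The zero-byte cert.pem condition discussed in this thread can be checked before and after replacing the file. The script below is an added example, not part of any post above: the function names `ca_bundle_status` and `install_ca_bundle` are hypothetical, and the default path is the CAfile from the error message. It refuses to overwrite the bundle with a file that is empty, has no PEM certificates, or looks like a cut-off download.

```shell
# Added example (not from the thread). Function names are hypothetical.
# Default path is the CAfile named in the curl (77) error above.
CA_BUNDLE="${CA_BUNDLE:-/usr/local/etc/openssl/cert.pem}"

# Print one of: missing | empty | no-certs | truncated | ok:<count>
ca_bundle_status() {
    f="$1"
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    if [ ! -s "$f" ]; then echo empty; return 0; fi      # the zero-byte case
    # grep -c exits 1 when the count is 0, so neutralise the exit status.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then echo no-certs; return 0; fi
    # More BEGIN than END markers usually means a partial download.
    if [ "$begins" -ne "$ends" ]; then echo truncated; return 0; fi
    echo "ok:$begins"
}

# Replace bundle $2 with candidate $1 only if the candidate validates.
# The old file is kept as <dest>.bak, and the new one is written to a
# temp name and renamed, so a failed copy cannot leave an empty bundle.
install_ca_bundle() {
    src="$1"; dest="$2"
    state=$(ca_bundle_status "$src")
    case "$state" in
        ok:*) ;;
        *) echo "refusing $src: $state" >&2; return 1 ;;
    esac
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" || return 1
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dest"
}

# Report the state of the bundle curl is configured to read.
echo "$CA_BUNDLE: $(ca_bundle_status "$CA_BUNDLE")"
```

A result of `empty` matches the symptom in this thread; `ok:<count>` only confirms the file is structurally a PEM bundle, not that its contents came from a source you trust.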