[SOLVED] github certificate verification failed during installation

What you were trying to do (and why)

I am attempting to install brew on a Linux vm.

What happened (include command output)

What you expected to happen

I expected the install to work successfully

Step-by-step reproduction instructions (by running brew commands)

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Additional information

I am running Artix (an Arch derivative) on Virtualbox. I installed git using the git-minimal pkg from guix, since it’s up-to-date. I can GET the page (eg, using curl), so the certificate issue must be on my end.


I got past this by running this command as root

$ cert_file = $(curl-config --ca) # locate the certificate file
$ echo -n | openssl s_client -showcerts -server www.github.com -connect www.github.com:443 2>/dev/null  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $cert_file # write the github certificates to it

Then this command as a regular user

$ cert_file = $(curl-config --ca) # locate the certificate file
$ git config --global http.sslCAinfo $cert_file # tell git where to find my certificates

It may be possible to skip the first section since I find it hard to believe the github certs would be missing on any Arch-based distro. Most likely git just didn’t know where to find them.

Yes, it’s neither necessary nor desired, since you’re adding GitHub’s current certificate to curl’s certificate authority (CA) store. GitHub’s cert can be revoked or changed at any time, so adding it to a permanent store is pointless. The only certs that should in that file are the root CAs, from which every other public cert (including GitHub’s) is verified.

That is in fact what your original error:

server certificate verification failed. CAfile: none CRLfile: none

is telling you: “HELP! I don’t know where the CA bundle is!!!” This is likely to be a curl build issue, in that it was configured without --with-ca-bundle and/or --with-ca-path. Since Homebrew’s curl formula definitely specifies both, and every system curl I know does the same, you gotta ask yourself: Whose curl is my Git using, and should I be worried?