Error_Protocol ("certificate has unknown CA",True,UnknownCa) #123

Closed
arrowd opened this issue Oct 3, 2015 · 10 comments
Comments

@arrowd

arrowd commented Oct 3, 2015

I got a problem which is similar to this one with latest stack on FreeBSD. Symptoms are:

$ stack new bla hakyll
Downloading template "hakyll" to create project "bla" in bla/ ...
TlsExceptionHostPort (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))) "raw.githubusercontent.com" 443
$ cabal exec tls-retrievecertificate -- api.github.com 443 --verify
connecting to api.github.com on port 443 ...
serial:   17862844379041280932537185190414400495
issuer:   DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "DigiCert Inc"}),([2,5,4,11],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "www.digicert.com"}),([2,5,4,3],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "DigiCert SHA2 High Assurance Server CA"})]}
subject:  DistinguishedName {getDistinguishedElements = [([2,5,4,6],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "US"}),([2,5,4,8],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "California"}),([2,5,4,7],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "San Francisco"}),([2,5,4,10],ASN1CharacterString {characterEncoding = Printable, getCharacterStringRawData = "GitHub, Inc."}),([2,5,4,3],ASN1CharacterString {characterEncoding = UTF8, getCharacterStringRawData = "*.github.com"})]}
validity: DateTime {dtDate = Date {dateYear = 2014, dateMonth = April, dateDay = 8}, dtTime = TimeOfDay {todHour = 0h, todMin = 0m, todSec = 0s, todNSec = 0ns}} to DateTime {dtDate = Date {dateYear = 2017, dateMonth = April, dateDay = 12}, dtTime = TimeOfDay {todHour = 12h, todMin = 0m, todSec = 0s, todNSec = 0ns}}
### certificate chain trust
fail validation:
[UnknownCA]
@vincenthz
Collaborator

Are the certificates on FreeBSD in /etc/ssl/certs/ or /usr/local/share/certs/ these days? If not, then that's your problem.
You can try to override the path to look in with the environment variable SYSTEM_CERTIFICATE_PATH to see if that's your problem, or, if you're missing the certificates completely, make sure you install them somehow.

@arrowd
Author

arrowd commented Oct 5, 2015

This is what I have:

$ ls /etc/ssl/certs
Class 3 Public Primary Certification Authority.pem      Equifax_Secure_Certificate_Authority.pem
$ ls /usr/local/share/certs/
ca-root-nss.crt

@vincenthz
Collaborator

The certificate code is going to look at the first path that exists instead of enumerating certificates from all the paths.

@vincenthz vincenthz added the Bug label Nov 5, 2015
@adam-singer

I'm hitting the same issue on a MacBook. Still trying to figure out where this is rooted at, but a different MacBook with the same setup worked. I do see the CA for haskell.org in my keychain.

@adam-singer

Interesting, I was able to reproduce on both for OS X. Recently upgraded to OS X 10.11.1, also upgraded Xcode 7.1.1, which required accepting the licensing agreement. After opening Xcode and accepting, everything was back to "normal".

@arrowd
Author

arrowd commented Nov 18, 2015

I've stumbled upon this commit: https://svnweb.freebsd.org/ports?view=revision&revision=378720

I guess the problem is that hs-tls doesn't look at the /etc/ssl/cert.pem file, but only at the /etc/ssl/certs dir.

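The two failure modes described in this thread (the loader stopping at the first path that exists, and a bundle file being ignored in favour of a directory) are easy to reproduce without a real trust store. The script below is an added illustration, not code from hs-tls or x509-system; it builds a constructed directory layout mirroring the FreeBSD box above (two stray single-certificate files in a certs dir, one large bundle file elsewhere) using placeholder PEM blocks that are not real certificates, then compares a first-hit loader against one that unions every location. The candidate path list and the SYSTEM_CERTIFICATE_PATH override are taken from the thread; everything else is an assumption of this example.

```python
import os
import tempfile
from pathlib import Path

# Candidate system locations named in the thread (FreeBSD). Order matters for
# the first-hit strategy: /etc/ssl/certs existing hides the real bundle.
DEFAULT_CANDIDATES = [
    "/etc/ssl/cert.pem",                       # bundle file (ports r378720)
    "/etc/ssl/certs",                          # directory of individual .pem files
    "/usr/local/share/certs/ca-root-nss.crt",  # ca_root_nss bundle
]

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def read_pem_blocks(path):
    """Return every CERTIFICATE PEM block in a file; a bundle holds many."""
    text = path.read_text(errors="replace")
    blocks, start = [], 0
    while True:
        b = text.find(PEM_BEGIN, start)
        if b < 0:
            break
        e = text.find(PEM_END, b)
        if e < 0:
            break  # truncated trailing block: ignore it rather than guess
        e += len(PEM_END)
        blocks.append(text[b:e])
        start = e
    return blocks


def certs_at(location):
    """Certificates at one location, whether a bundle file or a directory."""
    if location.is_file():
        return read_pem_blocks(location)
    if location.is_dir():
        certs = []
        for entry in sorted(location.iterdir()):
            if entry.is_file():
                certs.extend(read_pem_blocks(entry))
        return certs
    return []


def candidate_paths(env=None):
    """SYSTEM_CERTIFICATE_PATH overrides the built-in list, as in the thread."""
    env = os.environ if env is None else env
    override = env.get("SYSTEM_CERTIFICATE_PATH")
    if override:
        return [Path(override)]
    return [Path(p) for p in DEFAULT_CANDIDATES]


def load_first_existing(paths):
    """Behaviour described by vincenthz: stop at the first path that exists."""
    for p in paths:
        if p.exists():
            return certs_at(p)
    return []


def load_all(paths):
    """Corrected behaviour: union of every existing path, de-duplicated."""
    seen, certs = set(), []
    for p in paths:
        for c in certs_at(p):
            if c not in seen:
                seen.add(c)
                certs.append(c)
    return certs


def fake_cert(label):
    # Constructed placeholder: PEM markers around a label, not a real certificate.
    return f"{PEM_BEGIN}\n{label}\n{PEM_END}\n"


def demo():
    """Recreate the FreeBSD layout from the thread in a temp dir and return
    (certificates seen by the first-hit loader, certificates seen by load_all)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        certs_dir = root / "etc/ssl/certs"
        certs_dir.mkdir(parents=True)
        # The two lone files from the `ls /etc/ssl/certs` output.
        (certs_dir / "Class 3 Public Primary Certification Authority.pem").write_text(fake_cert("class3"))
        (certs_dir / "Equifax_Secure_Certificate_Authority.pem").write_text(fake_cert("equifax"))
        # The real root store: one bundle file with many roots (150 is constructed).
        bundle = root / "usr/local/share/certs/ca-root-nss.crt"
        bundle.parent.mkdir(parents=True)
        bundle.write_text("".join(fake_cert(f"root{i}") for i in range(150)))
        paths = [root / "etc/ssl/cert.pem", certs_dir, bundle]
        return len(load_first_existing(paths)), len(load_all(paths))


if __name__ == "__main__":
    first, everything = demo()
    print(f"first existing path only: {first} certs; all paths: {everything} certs")
```

With the layout from the thread the first-hit loader sees only the two stray files in /etc/ssl/certs and never reaches the bundle, which is exactly why DigiCert's intermediate came back as UnknownCA while `ls /usr/local/share/certs/` showed the store was installed. Counting certificates per candidate location, as `x509-util system` does later in the thread, is the quickest check that a loader is reading the store you think it is.
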
@arrowd
Author

arrowd commented Dec 16, 2015

So, can anything be done about this?

@vincenthz
Collaborator

@arrowdodger: I've fixed the underlying issues in x509-system (1.6.2). You can also test how many certificates are detected by installing the latest x509-util and running `x509-util system`.

@arrowd
Author

arrowd commented Dec 19, 2015

Updating x509-system to the latest version fixed the problem for me!

@vincenthz
Collaborator

Thanks, closing now then.
