"certificate has expired" when trying to install Rust

I'm trying to install Rust on CentOS 7.8 using:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

For some reason I fail to see, installation is failing with the following output:

info: profile set to 'default'
info: default host triple is x86_64-unknown-linux-gnu
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/root/.rustup/tmp/3w0dy8jkkq2jo671_file'
error: caused by: failed to make network request
error: caused by: https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (certificate has expired)
error: caused by: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (certificate has expired)

I can successfully download such sha256 file and don't have any issues with certificates.
This machine is behind a zscaler "man in the middle" proxy, but I've already imported the certs and CA-certs and I can use curl without ignoring certificates, and everything seems ok.

I took a tcpdump trace and I can see the client (rustup) complaining about certificates having expired, but none of the certificates I see on the trace have expired.
Some have an expiry date a week from now, others years from now, but all of them seem to be OK in terms of "not valid before" and "valid until" dates.
Date on the system is OK too.

Does anybody have any suggestion on how to troubleshoot this further?

Maybe it's caused by the recent expiry of Sectigo root cert? Some TLS libraries can't deal with that properly.

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

Thanks. I'm not sure; I believe it's still something related to the man in the middle proxy I'm using, although as I said the certs seem to have been already imported and I can't see what's expired.

On the same environment, if I access the internet through some other proxy where the man in the middle proxy is not present, things work just fine.

I'd still like to troubleshoot this so if anybody has any hints on debugging this or enabling further logging please let me know.

In case this helps others, I believe my issue was related to one of the custom CA certificates being expired.
On CentOS, under /etc/pki/ca-trust/source/anchors/, I had 2 custom CA certificates, one expired and the other one not expired.

After seeing one of them was expired, I removed that CA certificate and re-ran update-ca-trust extract

After that, curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh ran just fine without any issue.
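
The check that resolved this thread, as an added example (not part of the original posts): a POSIX shell function that lists expired certificates in the anchors directory using `openssl x509 -checkend`. The function name `expired_anchors` is hypothetical, and it assumes one PEM certificate per file.

```shell
#!/bin/sh
# Added example: find expired custom CA anchors before rebuilding the trust store.
# Assumption: each file holds a single PEM certificate (openssl x509 only
# reads the first certificate in a file, so bundles are checked partially).

ANCHOR_DIR_DEFAULT=/etc/pki/ca-trust/source/anchors

# expired_anchors [dir] [seconds]
# Prints "path<TAB>notAfter=..." for each certificate in dir that will be
# expired `seconds` from now (0 = already expired).
# Returns 1 if any such certificate was found, 0 otherwise.
expired_anchors() {
    dir=${1:-$ANCHOR_DIR_DEFAULT}
    window=${2:-0}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip files that openssl cannot parse as a certificate.
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || continue
        # -checkend exits non-zero when the cert expires within $window seconds.
        if ! openssl x509 -noout -checkend "$window" -in "$f" >/dev/null 2>&1; then
            printf '%s\t%s\n' "$f" "$end"
            found=1
        fi
    done
    return "$found"
}

# Usage: expired_anchors                 # default CentOS anchors directory
#        expired_anchors /some/dir 604800   # also flag certs expiring within 7 days
```

After removing a flagged file, re-run `update-ca-trust extract` as described in the post above so the consolidated bundle is regenerated.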
