"certificate has expired" when trying to install rust

I'm trying to install rust on centos 7.8 using:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

For some reason I fail to see, installation is failing with the following output:

info: profile set to 'default'
info: default host triple is x86_64-unknown-linux-gnu
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/root/.rustup/tmp/3w0dy8jkkq2jo671_file'
error: caused by: failed to make network request
error: caused by: https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (certificate has expired)
error: caused by: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (certificate has expired)

I can successfully download such sha256 file and don't have any issues with certificates.
This machine is behind a zscaler "man in the middle" proxy, but I've already imported the certs and CA-certs and I can use curl without ignoring certificates, and everything seems ok.

I took a tcpdump trace and I can see the client (rustup) complaining about certificates having expired, but none of the certificates I see on the trace have expired.
Some have an expiry date a week from now, others years from now, but all of them seem to be OK in terms of "not valid before" and "valid until" dates.
Date on the system is OK too.

Does anybody have any suggestion on how to troubleshoot this further?

Maybe it's caused by the recent expiry of Sectigo root cert? Some TLS libraries can't deal with that properly.


thanks. I'm not sure; I believe it's still something related to the man in the middle proxy I'm using, although as I said the certs seem to have been already imported and can't see what's expired.

On the same environment, if I access the internet through some other proxy where the main in the middle proxy is not present, things work just fine.

I'd still like to troubleshoot this so if anybody has any hints on debugging this or enabling further logging please let me know.

in case this helps others, I believe my issue was related to one of the custom CA certificates being expired.
On centos, under /etc/pki/ca-trust/source/anchors/, I had 2 custom CA certificates, one expired and the other one not expired.

After seeing one of them was expired, I removed that CA certificate and re-ran update-ca-trust extract

After that, curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh ran just fine without any issue.

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.