Unable to update my cargo package - ssl error


#1

I’m trying to put up a new version of my cargo package. cargo package --verbose gives me this error:

   Verifying oscpad v0.1.1 (file:///home/bburdette/code/oscpad)
    Updating registry `https://github.com/rust-lang/crates.io-index`
failed to verify package tarball

Caused by:
  Unable to update registry https://github.com/rust-lang/crates.io-index

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  [16/-17] The SSL certificate is invalid

Cargo publish has similar results:

[nix-shell:~/code/oscpad]$ cargo publish --verbose
    Updating registry `https://github.com/rust-lang/crates.io-index`
failed to update registry https://github.com/rust-lang/crates.io-index

Caused by:
  failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  [16/-17] The SSL certificate is invalid

[nix-shell:~/code/oscpad]$

#2

I think your machine’s CA bundle is old/out of date and should be updated. If you can provide some details about your linux distribution, we can provide more specific details


#3

That’s what I gather from some googling. I’m on nixos. I ran an update today but it didn’t help. Going to see about contacting nixos-ers on IRC, right now its pretty deserted there.


#4

more info on this: wget fails with a similar error. However, I’m able to specify a certificate file (one already on my system) with wget and it works:

wget --ca-certificate=/etc/ssl/certs/ca-certificates.crt https://github.com/rust-lang/crates.io-index

As far as I can tell, there’s no similar option for cargo. I wonder how cargo goes about locating the crt file?


#5

cargo uses cURL for its TLS communication. Unfortunately, cURL has many different and platform-dependent ways to find the certificate store: https://curl.haxx.se/docs/sslcerts.html. It seems you should be able to override it with the CURL_CA_BUNDLE environment variable though.


#6

Thanks jethrogb! I found a bug on nixos that indicated SSL_CERT_FILE needs to be defined, and that fact that it isn’t is a problem for more people than just me. I put the lines below in my .bashrc and now cargo package/publish are working again.

SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE

#7

unset SSL_CERT_FILE may also solve problem if you were in nix-shell.