bower install ends in `unable to access 'https://github.com/jquery/jquery-dist.git/': SSL: CA certificate set, but certificate verification is disabled`

Created on 13 Sep 2016 · 3 Comments · Source: bower/bower

I am not able to install (anything?) with bower. I am trying to use the public GitHub and a popular library, but I get this error: "git ls-remote --tags --heads https://github.com/jquery/jquery-dist.git", exit code of #128 fatal: unable to access 'https://github.com/jquery/jquery-dist.git/': SSL: CA certificate set, but certificate verification is disabled

Details:

Additional error details:

Output of bower -v && npm -v && node -v:

```
1.7.9
3.10.3
v6.5.0
```

Additional environment details (proxy, private registry, etc.):
I have disabled everything I know.

Steps to reproduce the issue:

  1. bower install jquery

Describe the results you received:

```
bower install jquery
bower jquery#*              not-cached https://github.com/jquery/jquery-dist.git#*
bower jquery#*                 resolve https://github.com/jquery/jquery-dist.git#*
bower jquery#*                 ECMDERR Failed to execute "git ls-remote --tags --heads https://github.com/jquery/jquery-dist.git", exit code of #128 fatal: unable to access 'https://github.com/jquery/jquery-dist.git/': SSL: CA certificate set, but certificate verification is disabled
```

Describe the results you expected:

I expected Bower to finish without errors.

Additional information:

  1. I have tried this in the command without and no errors. It shows Content-Type: application/x-git-upload-pack-advertisement
     GIT_CURL_VERBOSE=2 git ls-remote --heads https://github.com/jquery/jquery-dist.git
  2. I was sneaking in the source code and the error comes from cmd.js#L102 called by GitRemoteResolver.js#L253. I wonder why the command succeeds in my terminal but fails when done by bower?
  3. If it matters, here is my bower.json:
```json
{
  "name": "webcomp",
  "authors": [
    "me <[email protected]>"
  ],
  "description": "",
  "main": "",
  "license": "MIT",
  "homepage": "",
  "private": true,
  "ignore": [
    "**/.*",
    "node_modules",
    "bower_components",
    "test",
    "tests"
  ]
}
```

All 3 comments

I have realized this is the origin of my problems commit: https://github.com/bower/bower/pull/2137/commits/f0a54d0018927f8f1cf85cb6c7e12a37cea49333 from pull request 2137

My configuration is:

```
$ npm config get strict-ssl
true
```

So process.env has "GIT_SSL_NO_VERIFY":"false"; however, http.c seems to check only if GIT_SSL_NO_VERIFY exists. It does not check whether it is "true" or "false".

I have changed:

```js
process.env.GIT_SSL_NO_VERIFY = (!config.strictSsl).toString();
```

to

```js
if (!config.strictSsl) {
    process.env.GIT_SSL_NO_VERIFY = 'true';
}
```

And now I am able to grab jquery normally: bower install jquery

I wonder if this is a configuration miss from my side? This seems to be quite a common case, so I wonder how people are not having the same issue as me? cc @sheerun @pwielgolaski

I think we should fix it as you suggest.
It was a unification suggestion from code review.
I think the main scenario was to enable this flag, but in your case it is the opposite case.

I would suggest making pull request for it.

@pwielgolaski I think trying to unify code was a good idea _providing GIT_SSL_NO_VERIFY=true and GIT_SSL_NO_VERIFY=false were opposites_. They are not.

IMO the guys at git could have written a more strict check like:

```c
char *gitSslNoVerify = getenv("GIT_SSL_NO_VERIFY");
if (gitSslNoVerify != NULL && strcmp(gitSslNoVerify, "true") == 0) {
    curl_ssl_verify = 0;
}
```

instead of their approach:

```c
if (getenv("GIT_SSL_NO_VERIFY"))
    curl_ssl_verify = 0;
```

But they didn't and everybody has to live with it.

I will make the PR :)
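
The behaviour discussed in this thread, as an added example that is not part of the original issue or Bower's code: it models the presence-only check quoted above and compares the environment produced by the original assignment with the changed one. The function names (`gitSkipsVerification`, `envBefore`, `envAfter`, `auditEnv`) and the sample environment are constructed for illustration.

```javascript
// Models the presence-only check quoted in the thread:
//   if (getenv("GIT_SSL_NO_VERIFY")) curl_ssl_verify = 0;
// getenv() is non-NULL for any set variable, including "false", "0" and "".
function gitSkipsVerification(env) {
  return Object.prototype.hasOwnProperty.call(env, 'GIT_SSL_NO_VERIFY');
}

// "Before": the assignment from the thread, which always sets the variable.
function envBefore(config, baseEnv) {
  const env = Object.assign({}, baseEnv);
  env.GIT_SSL_NO_VERIFY = (!config.strictSsl).toString();
  return env;
}

// "After": the change from the thread, which sets it only when strictSsl is off.
function envAfter(config, baseEnv) {
  const env = Object.assign({}, baseEnv);
  if (!config.strictSsl) {
    env.GIT_SSL_NO_VERIFY = 'true';
  }
  return env;
}

// Audit helper (hypothetical): flags a set variable whose value reads as "off".
function auditEnv(env) {
  if (!gitSkipsVerification(env)) return { verifies: true, warning: null };
  const value = String(env.GIT_SSL_NO_VERIFY);
  const misleading = /^(|0|false|no|off)$/i.test(value.trim());
  return {
    verifies: false,
    warning: `GIT_SSL_NO_VERIFY="${value}" is set, so verification is disabled` +
      (misleading ? '; unset the variable to re-enable it' : ''),
  };
}

// Constructed sample environment, run for both strictSsl settings.
const sampleEnv = { PATH: '/usr/bin' };
for (const strictSsl of [true, false]) {
  const before = auditEnv(envBefore({ strictSsl }, sampleEnv));
  const after = auditEnv(envAfter({ strictSsl }, sampleEnv));
  console.log(`strictSsl=${strictSsl}: before verifies=${before.verifies}, ` +
    `after verifies=${after.verifies}`);
  if (before.warning) console.log(`  before: ${before.warning}`);
}
```

`envAfter` leaves an inherited `GIT_SSL_NO_VERIFY` in place, so running `auditEnv` on the final environment is still worthwhile when the variable may come from a parent shell or CI configuration.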
