Ckan: Unable to download any package due to a SSL/TLS issue

Created on 15 Oct 2017 · 15 Comments · Source: KSP-CKAN/CKAN

Just updated CKAN to the latest version, then tried to update all the installed mods.
As usual, selected "add available updates" --> "apply".
But the downloading fails. I get 3 error messages in the popups, then the update process stops. The messages all look like:

Failed to download "package URL here" - error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

With the previous CKAN version, I've never had any troubles updating the packages (nor any network connection issues).

Do you need any additional info?

CKAN Version:
v1.22.5

Operating System:
Win10 Home RU

The issue you are experiencing:
Unable to download packages.

How to recreate this issue:

  • start CKAN (automatic repository refresh is enabled)
  • click "add available updates"
  • click "apply changes"
  • click "apply"

CKAN error codes (if applicable):
no error codes, error messages see above

Enhancement Network

All 15 comments

Looks like Spacedock's SSL cert expired, so this is kind of on them.

I have created a commit that hacks around this here, based on the advice in this thread. Note this completely disables SSL checks of any kind, so use with extreme caution.

The SSL cert should now be fixed, can you confirm

@Olympic1 looks good! This probably closes the issue.

The SSL cert should now be fixed, can you confirm

Hi, it seems that the spacedock certificates are expired again, and I can't download anything from there using CKAN :(
Could we maybe have a workaround to allow accepting expired certificates, considering this is a recurring issue?

Confirmed, Spacedock seems to have their cert. expired again.
Thought these kinds of things are renewed on a yearly basis?

They use letsencrypt, which is a free SSL/TLS certificate authority with a quarterly renewal. It's great if you set up the auto renew. https://community.letsencrypt.org/t/how-to-automatically-renew-certificates/4393

As a work around for this, can we get an option to ignore SSL cert errors in CKAN?

Just to confirm, I am having the same issue. For me, it's on editor extensions redux and janitor's closet, if that helps.

I've resurrected Horcrux's fix on the disable-ssl-check branch on my fork. Note that you'll have to compile it yourself to use the version with the "fix".

As Horcrux said previously: "Note this completely disables SSL checks of any kind, so use with extreme caution."

I'm willing to work on a better fix for this if there's interest, I'm not sure what you folks feel is an appropriate solution (checkbox in options menu/command line flag? automatically disable SSL and retry spacedock downloads if they fail?)

I've been trying to determine exactly what the vulnerability level is here so we can make an informed decision, but most of the commentary for site owners revolves around avoiding annoying errors on your page and alert fatigue, neither of which have to do with enumerating viable attack vectors. Let's see if this makes sense...

KerbalStuff is currently replaced by a malicious web site, such that it can't even be mentioned on the KSP forums (it's auto-corrected to "*"). If we completely ignore expired certificates, then such a site could likewise replace SpaceDock someday and use its old expired certificates to provide CKAN users with malware downloads.

Is that true? But we would de-list SpaceDock URLs in NetKAN and CKAN-meta if that happened. And with #2243 validating the hashes of downloads before installing them in the next update, we have a form of end-to-end security that would mean the downloads would have to be the same as what we indexed, so we should be safe unless we index malicious downloads.

... I'm not confident enough in any of that to make code changes. Can anyone share a fuller picture of the security implications of expired certificates?
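The end-to-end check described in the comment above, as an added example that is not CKAN's code and not part of the original thread: a download is accepted only if its digest matches the one recorded in the index, whatever the TLS layer reported. The `download_hash` layout, `verify_download`, `HashMismatch` and the sample entry are assumptions constructed for illustration, and the check is only as trustworthy as the channel the index itself arrived over.

```python
import hashlib
import hmac
import io

# Constructed sample: bytes standing in for the archive that was indexed,
# and a hypothetical index entry recording its digests.
INDEXED_PAYLOAD = b"PK\x03\x04 constructed stand-in for a mod archive"
INDEX_ENTRY = {
    "identifier": "ExampleMod",  # hypothetical name
    "download_hash": {  # assumed layout: algorithm -> hex digest
        "sha1": hashlib.sha1(INDEXED_PAYLOAD).hexdigest().upper(),
        "sha256": hashlib.sha256(INDEXED_PAYLOAD).hexdigest().upper(),
    },
}

PREFERRED = ("sha256", "sha1")  # strongest first


class HashMismatch(Exception):
    """The download is not the file that was indexed."""


def verify_download(stream, index_entry, chunk_size=65536):
    """Return the algorithm used if the stream matches the index entry.

    Raises HashMismatch otherwise, including when the entry has no hash:
    an unverifiable download is treated the same as a tampered one.
    """
    hashes = index_entry.get("download_hash") or {}
    algo = next((a for a in PREFERRED if hashes.get(a)), None)
    if algo is None:
        raise HashMismatch("no usable hash in index entry")
    digest = hashlib.new(algo)
    # Hash in chunks so large archives are never held in memory at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    expected = hashes[algo].strip().lower()
    if not hmac.compare_digest(digest.hexdigest(), expected):
        raise HashMismatch(f"{algo} mismatch for {index_entry.get('identifier')}")
    return algo


if __name__ == "__main__":
    print(verify_download(io.BytesIO(INDEXED_PAYLOAD), INDEX_ENTRY))
    try:
        verify_download(io.BytesIO(INDEXED_PAYLOAD + b"\x00"), INDEX_ENTRY)
    except HashMismatch as exc:
        print("rejected:", exc)
```

A substituted file served from a host whose certificate can no longer be trusted fails this check, but only if the index entry was obtained and stored independently of that host.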

This has been fixed. The site certificate has been updated.

Confirmed this works now.

Given the above comments, an option in CKAN to disable the cert check would be helpful.
And indeed a warning dialog box with links to the official information about the risks, so everyone is also educated :)

Ckan still fails, no way to update?

download and install 1.4 manually
