Homebrew-cask: Installation of certain Casks fails with TLS cert errors

Created on 30 May 2020 · 19 Comments · Source: Homebrew/homebrew-cask

Description of issue

Installation of certain Casks currently fails with TLS certificate errors:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

This is because of a (supposed) bug in macOS' built-in cURL, which is used by Homebrew. See my detailed analysis of the issue on Information Security StackExchange.

Affected Casks include, but are probably not limited to, "dash" and "electron-cash".

Command that failed

brew cask reinstall dash

Output of command with --force --verbose --debug

==> Downloading https://kapeli.com/downloads/v5/Dash.zip

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: Download failed on Cask 'dash' with message: Download failed: https://kapeli.com/downloads/v5/Dash.zip

All 19 comments

I'm getting the same with monero-wallet. But the download url definitely doesn't have an expired certificate. I don't know what could be wrong.

This is because of a (supposed) bug in macOS' built-in cURL, which is used by Homebrew.

If that’s the case then this won’t be specific to casks—formulae will also be affected, in which case this needs to be reported to (and fixed in) the core.

Okay. For some reason other formulae and casks installed fine, I think they all used SSL of some sort. But I only had a problem with this one.

I'm getting the same with monero-wallet. But the download url definitely doesn't have an expired certificate. I don't know what could be wrong.

I can confirm that the download site for monero-wallet, https://downloads.getmonero.org/, is affected by the issue.

It doesn't have an expired certificate from the perspective of browsers and other cURL builds, but the root certificate looks expired for the built-in cURL of macOS. Please see the discussion on Information Security StackExchange for details.

If that’s the case then this won’t be specific to casks—formulae will also be affected, in which case this needs to be reported to (and fixed in) the core.

I reported it as Homebrew/brew#7667. However, I don't know of any affected Formulae so far.

Removing the AddTrust from cert.pem as the StackExchange post mentioned did work for me. I don't know what else it might impact, but I did make a backup.
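
An added example (not part of the original thread and not Homebrew code): before editing a CA bundle such as the cert.pem mentioned above, list which of its entries are expired or close to expiry. The function names, the 30-day horizon and the generated sample bundle are assumptions made for this illustration; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: list certificates in a PEM bundle that are expired or about
# to expire, so they can be reviewed by subject before the bundle is edited.

# list_expiring BUNDLE [SECONDS]: print subject and end date of every
# certificate that expires within SECONDS from now (default 0 = already expired).
list_expiring() {
    src=$1
    horizon=${2:-0}
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$src"
    for pem in "$tmp"/cert*.pem; do
        [ -f "$pem" ] || continue
        # -checkend exits non-zero if the certificate expires within the horizon.
        if ! openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1; then
            openssl x509 -in "$pem" -noout -subject -enddate
        fi
    done
    rm -rf "$tmp"
}

# Constructed sample input: a throwaway bundle holding one self-signed
# certificate valid for 1 day and one valid for 10 years (names are made up).
make_sample_bundle() {
    dir=$(mktemp -d) || return 1
    for spec in "short-lived-root:1" "long-lived-root:3650"; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
            -out "$dir/cert.pem" -days "${spec#*:}" -subj "/CN=${spec%%:*}" 2>/dev/null
        cat "$dir/cert.pem" >> "$dir/bundle.pem"
    done
    echo "$dir/bundle.pem"
}

# Demo on the constructed bundle: flag anything expiring within 30 days.
sample=$(make_sample_bundle)
list_expiring "$sample" 2592000
```

Run against the bundle in question with a horizon of 0, the function prints only entries that are already expired.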

For my specific problem, I found the following to work:
CURL_SSL_BACKEND=secure-transport HOMEBREW_NO_ENV_FILTERING=1 brew cask install flux

A workaround is to simply install the latest and greatest version of curl using Homebrew and linking that version. That is:

brew install curl
echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> ~/.zshrc

After this, it will work without any problems.

Alternatively, if you don't want to permanently alter your PATH but still want to save the day instead of waiting for macOS developers or Homebrew developers to fix this issue, you can:

  1. Install the latest and greatest version of curl by running:
    brew install curl
  2. Open a new terminal tab or window and run:
    export PATH="/usr/local/opt/curl/bin:$PATH"
  3. Install whatever with Homebrew without any problems.
  4. Close this terminal tab or window.

Is #83897 also affected by this?

It looks like it is, at least I can't connect using (macOS) curl and the server sends "AddTrust External CA Root" in its certificate chain. However, the people discussing over there don't seem to run into this issue and discuss a 404 error, which I also can reproduce using another curl build and which adds on top of the problem.

Please also set export HOMEBREW_FORCE_BREWED_CURL=1 in ~/.bash_profile to fix the issue.
The export PATH is not enough for me.
@ugultopu ^^

Can confirm this works for me:

brew install curl

And then place in your shell config file (e.g. ~/.zshrc or ~/.bash_profile):

export HOMEBREW_FORCE_BREWED_CURL=1
export PATH="/usr/local/opt/curl/bin:${PATH}"

export PATH="/usr/local/opt/curl/bin:${PATH}"

@mjsteinbaugh This doesn't do anything to fix the problem. This forces Homebrew's cURL system-wide which isn't required to address things from an HBC perspective.

@ran-dall It's a stopgap measure that works until Homebrew core is updated...so it does in a sense fix the problem

@ran-dall It's a stopgap measure that works until Homebrew core is updated...so it does in a sense fix the problem

The point @ran-dall was making was that line is useless to fix this issue, because HOMEBREW_FORCE_BREWED_CURL does everything. The PATH line changes what all your programs use (which, while unlikely, may lead to unexpected behaviour).

So in that sense the PATH line is neither a stopgap measure nor does it fix the problem; the HOMEBREW_FORCE_BREWED_CURL line is what’s accomplishing that.

@mjsteinbaugh Everything @vitorgalvao said is correct, but also consider these 2 things...

  1. We don't recommend folks replacing system dependencies just because 'something isn't working'. Folks should do their research to see what's applicable to their system and what works for them. For example, neither of the lines you posted are needed to address this on 10.15.

  2. This isn't a Homebrew Core problem, it's an upstream problem. Therefore, there will be no fix provided by Homebrew. https://github.com/Homebrew/brew/issues/7667#issuecomment-636427543

Ah okay that makes sense. Thanks guys

Can confirm this works for me:

brew install curl

And then place in your shell config file (e.g. ~/.zshrc or ~/.bash_profile):

export HOMEBREW_FORCE_BREWED_CURL=1
export PATH="/usr/local/opt/curl/bin:${PATH}"

Don't forget to relaunch terminal. I kept scratching my head why the exports weren't working until I realized those didn't take effect.

Don't forget to relaunch terminal.

You can just run the commands in your current session or source ~/.zshrc (or whatever file).
