Pm2: Certificate Expired

Created on 29 Oct 2018  ·  7Comments  ·  Source: Unitech/pm2

When installing pm2:

[4/5] Linking dependencies...
error https://tgz.pm2.io/gkt-1.0.0.tgz: certificate has expired

Just attempting to connect to the URL:
curl -v https://tgz.pm2.io

* Rebuilt URL to: https://tgz.pm2.io/
*   Trying 163.172.101.189...
* TCP_NODELAY set
* Connected to tgz.pm2.io (163.172.101.189) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

So we cannot install pm2.

picture heisian
👍8

Most helpful comment

@vmarchaud this appears to still be an issue. 

yarn install
yarn install v1.10.1
info No lockfile found.
[1/4] 🔍  Resolving packages...
error An unexpected error occurred: "https://tgz.pm2.io/gkt-1.0.0.tgz: unable to verify the first certificate".

Curl however does seem to work

curl -v https://tgz.pm2.io/gkt-1.0.0.tgz
*   Trying 163.172.101.189...
* TCP_NODELAY set
* Connected to tgz.pm2.io (163.172.101.189) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.pm2.io
*  start date: Jan 16 15:28:43 2018 GMT
*  expire date: Jan 16 15:28:43 2021 GMT
*  subjectAltName: host "tgz.pm2.io" matched cert's "*.pm2.io"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
> GET /gkt-1.0.0.tgz HTTP/1.1
> Host: tgz.pm2.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 30 Oct 2018 00:02:30 GMT
< Content-Type: application/octet-stream
< Content-Length: 260
< Connection: keep-alive
< X-Powered-By: Express
< ETag: W/"104-QFUCsAfzGcP0cXXER0UnMA8qta0"
< Strict-Transport-Security: max-age=0;
<
��J�0���S�lFa��ۿ��"��y�ІN�6)IF��m��g!�pT�|�8    �����7;މ�4��Z%G�$�"��z�1�`�
* Connection #0 to host tgz.pm2.io left intact
�b]%���F�co7S+��'�B^��B]��]�ƭ0Vj5{�A�m�m��a��r�KoHՊ�����VP���e#��.64}Lz��!������5����s(c���F+�{��;Y\ܸ{�%��,N�bJ#�H����:�K
picture squibbleFish on 30 Oct 2018
👍2

All 7 comments

Related to https://github.com/Unitech/pm2/issues/2836

wwallace picture wwallace on 29 Oct 2018

We are deeply sorry for the inconvenience, we fixed the issue and we will work something about to avoid the problem reproducing in the future.

Regards

vmarchaud picture vmarchaud on 29 Oct 2018

@vmarchaud this appears to still be an issue. 

yarn install
yarn install v1.10.1
info No lockfile found.
[1/4] 🔍  Resolving packages...
error An unexpected error occurred: "https://tgz.pm2.io/gkt-1.0.0.tgz: unable to verify the first certificate".

Curl however does seem to work

curl -v https://tgz.pm2.io/gkt-1.0.0.tgz
*   Trying 163.172.101.189...
* TCP_NODELAY set
* Connected to tgz.pm2.io (163.172.101.189) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.pm2.io
*  start date: Jan 16 15:28:43 2018 GMT
*  expire date: Jan 16 15:28:43 2021 GMT
*  subjectAltName: host "tgz.pm2.io" matched cert's "*.pm2.io"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
> GET /gkt-1.0.0.tgz HTTP/1.1
> Host: tgz.pm2.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 30 Oct 2018 00:02:30 GMT
< Content-Type: application/octet-stream
< Content-Length: 260
< Connection: keep-alive
< X-Powered-By: Express
< ETag: W/"104-QFUCsAfzGcP0cXXER0UnMA8qta0"
< Strict-Transport-Security: max-age=0;
<
��J�0���S�lFa��ۿ��"��y�ІN�6)IF��m��g!�pT�|�8    �����7;މ�4��Z%G�$�"��z�1�`�
* Connection #0 to host tgz.pm2.io left intact
�b]%���F�co7S+��'�B^��B]��]�ƭ0Vj5{�A�m�m��a��r�KoHՊ�����VP���e#��.64}Lz��!������5����s(c���F+�{��;Y\ܸ{�%��,N�bJ#�H����:�K
squibbleFish picture squibbleFish on 30 Oct 2018
👍2

You should be able to fix this by removing the optional dependency of gkt as seen in this issue:

https://github.com/Unitech/pm2/issues/2917

ekeric13 picture ekeric13 on 30 Oct 2018

Thanks @ekeric13, but this doesn't work for yarn. Same issue, yarn add pm2 --ignore-optional. Which is a yarn issue, but still . . . overall cert issue is still present on yarn add

squibbleFish picture squibbleFish on 30 Oct 2018

Be sure to update your yarn lock even after doing --ignore-optional to make sure you remove the gkt. This fix worked immediately when I tried it before the certificate was even updated so it would be quite surprising if this doesn't work for you.

ekeric13 picture ekeric13 on 30 Oct 2018

Yeah, I had actually killed my yarn.lock file and ran yarn cache clean after we saw this problem. Same issue, so something isn't updated. I can confirm running npm install pm2 works as expected though 🤷‍♂️

squibbleFish picture squibbleFish on 30 Oct 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

phra picture phra  ·  3Comments
waygee picture waygee  ·  4Comments
jubairsaidi picture jubairsaidi  ·  3Comments
rangercyh picture rangercyh  ·  4Comments
FujiHaruka picture FujiHaruka  ·  3Comments