The CA certificates cannot be verified (perhaps due to the MITM enterprise-grade proxy/firewall):
This makes it impossible to use rust[up] at all in this scenario.
This issue is related to #1021, which addresses the problem at installation time (open since March), and #942, which is somehow already closed without being fixed. Rustup still does not honor ~/.curlrc, and the ENVIRONMENT section of curl has no option to set the --unsecure option. Also, setting alias curl="curl -k" does not solve the problem.
The Error message generated by rustup:
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
error: could not download file from 'https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256' to '/home/my_user/.rustup/tmp/22z6a15d3w1w6mph_file'
info: caused by: error during download
info: caused by: [60] Peer certificate cannot be authenticated with given CA certificates (SSL certificate problem: unable to get local issuer certificate)
It would be great if there was a command line option to ignore certificate validation.
Using strace I found out that the paths scanned for certificates do not match the paths on my system (openSUSE Linux 42.2):
24292 open("/buildslave/target/x86_64-unknown-linux-gnu/openssl/openssl-install/1.0.2k/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
24292 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 4
24292 close(4) = 0
24292 stat("/var/ssl", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/usr/share/ssl", {st_mode=S_IFDIR|0755, st_size=49, ...}) = 0
24292 stat("/usr/local/ssl", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/usr/local/openssl", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/usr/local/share", {st_mode=S_IFDIR|0755, st_size=6, ...}) = 0
24292 stat("/usr/lib/ssl", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/usr/ssl", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/etc/openssl", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/etc/pki/tls", 0x7ffcb801a7b0) = -1 ENOENT (No such file or directory)
24292 stat("/etc/ssl", {st_mode=S_IFDIR|0755, st_size=70, ...}) = 0
24292 stat("/data/data/com.termux/files/usr/etc/tls", 0x7ffcb801a7b0) = -1 EACCES (Permission denied)
24292 stat("/usr/share/ssl/cert.pem", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/usr/share/ssl/certs.pem", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/usr/share/ssl/certs/ca-certificates.crt", 0x7ffcb801a870) = -1 EACCES (Permission denied)
24292 stat("/usr/share/ssl/certs/ca-root-nss.crt", 0x7ffcb801a870) = -1 EACCES (Permission denied)
24292 stat("/usr/share/ssl/certs/ca-bundle.crt", 0x7ffcb801a870) = -1 EACCES (Permission denied)
24292 stat("/usr/share/ssl/certs", {st_mode=S_IFDIR|0700, st_size=6, ...}) = 0
24292 stat("/usr/local/share/cert.pem", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/usr/local/share/certs.pem", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/usr/local/share/certs/ca-certificates.crt", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/usr/local/share/certs/ca-root-nss.crt", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/usr/local/share/certs/ca-bundle.crt", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/etc/ssl/cert.pem", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/etc/ssl/certs.pem", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/etc/ssl/certs/ca-certificates.crt", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/etc/ssl/certs/ca-root-nss.crt", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
24292 stat("/etc/ssl/certs/ca-bundle.crt", 0x7ffcb801a870) = -1 ENOENT (No such file or directory)
The lookup for buildslave/target/x86_64-unknown-linux-gnu/openssl/openssl-install/1.0.2k/ssl/openssl.cnf should probably be changed to /etc/ssl/openssl.cnf.
An additional check for /etc/ssl/ca-bundle.pem would solve the problem on my system.
I was now able to fix this by using export SSL_CERT_FILE=/etc/ssl/ca-bundle.pem
On Windows behind a corp firewall, I was getting the same SSL issues with curl; setting up https_proxy and RUSTUP_USE_REQWEST=1 to use the new reqwest backend fixed the issue for me.
Hope it will help other people.
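The following is an added example, not code from rustup or from anyone in this thread: it walks the same directory and file-name combinations visible in the strace listing above, plus the /etc/ssl/ca-bundle.pem path suggested there, and prints the first readable PEM bundle so that SSL_CERT_FILE can point at it while certificate verification stays enabled. The function name find_ca_bundle and its optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: locate a readable CA bundle using the directories and file
# names seen in the strace output, plus ca-bundle.pem (the openSUSE name
# mentioned in the thread). find_ca_bundle is a hypothetical helper.
#
# $1 (optional) is a root prefix so the probe can be run against a scratch
# tree; leave it empty to probe the real filesystem.
find_ca_bundle() {
    root="${1:-}"
    # Directory order as it appears in the trace.
    dirs="/var/ssl /usr/share/ssl /usr/local/ssl /usr/local/openssl
          /usr/local/share /usr/lib/ssl /usr/ssl /etc/openssl
          /etc/pki/tls /etc/ssl"
    # File names from the trace, then the extra name proposed in the thread.
    files="cert.pem certs.pem certs/ca-certificates.crt
           certs/ca-root-nss.crt certs/ca-bundle.crt ca-bundle.pem"
    for d in $dirs; do
        [ -d "$root$d" ] || continue
        for f in $files; do
            p="$root$d/$f"
            # -r skips the EACCES case from the trace (certs dir mode 0700);
            # the grep skips files that are not PEM certificate bundles.
            if [ -f "$p" ] && [ -r "$p" ] &&
               grep -q -- '-----BEGIN CERTIFICATE-----' "$p"; then
                printf '%s\n' "$p"
                return 0
            fi
        done
    done
    return 1
}

# Usage, mirroring the workaround from the thread:
#   SSL_CERT_FILE=$(find_ca_bundle) && export SSL_CERT_FILE
```

A non-zero return means none of the probed locations holds a readable bundle, which is the situation the trace shows.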