Opened 7 years ago

Closed 6 years ago

Last modified 5 years ago

#474 closed defect (fixed)

Outdated CA Certificates

Reported by: maphew Owned by: osgeo4w-dev@…
Priority: major Component: Package
Version: Keywords: curl, openssl
Cc:

Description

I believe either pkg-curl, or more likely pkg-openssl have outdated CA Certificates, because downloading new certificates and pointing curl at them resolves error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Demonstrate error:

C:\OSGeo4W>curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Demonstrate workaround:

C:\OSGeo4W>curl http://curl.haxx.se/ca/cacert.pem -o ca-bundle.crt              
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current 
                                 Dload  Upload   Total   Spent    Left  Speed   
100  250k  100  250k    0     0   178k      0  0:00:01  0:00:01 --:--:--  255k  

C:\OSGeo4W>curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py --cacert ca-bundle.crt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1379k  100 1379k    0     0   319k      0  0:00:04  0:00:04 --:--:--  701k

I'm not sure what the appropriate is folder to put the updated ca-bandle.crt in so the problem is fixed permanently. There is C:\OSGeo4W\apps\Qt4\certs but something like etc/pki/tls... or apps/openssl looks more "system" and not qt-app specific.

Sources:

Change History (5)

comment:1 by jef, 6 years ago

Resolution: fixed
Status: newclosed

pip is now packaged as python-pip

comment:2 by rzoller, 5 years ago

It seems that there are still issues with this, since the issue mentioned here with pip was only a symptom of outdated CA certificates, and it looks like the certificates haven't actually been updated.

As suggested in this recent gdal-dev thread, probably the best solution would be to build libcurl with SChannel support instead of OpenSSL.

Btw, is osgeo4w still being actively developed? The only source code I found has its last commit 17 months ago...

comment:3 by jef, 5 years ago

The installer works - no need to change it - so so need to touch the svn. The work is maintaining the packages.

comment:4 by rzoller, 5 years ago

Wow, thanks for the quick reply! Do you happen to know where I would find the source code for pkg-curl?

Note: See TracTickets for help on using tickets.