[ARM] GitError The SSL certificate is invalid from nightlies. #15128

Closed
Ismael-VC opened this issue Feb 18, 2016 · 20 comments
Labels: building (Build system, or building Julia or its dependencies), help wanted (Indicates that a maintainer wants help on an issue or pull request), packages (Package management and loading)

@Ismael-VC
Contributor

I'm using the default ARM binary from the downloads page, related issues:

Arch Linux [running on Android via Linux Deploy]
android@localhost ~ % julia
WARNING: unable to determine host cpu name.
               _
   _       _ _(_)_     |  A fresh approach to technical computing
  (_)     | (_) (_)    |  Documentation: http://docs.julialang.org
   _ _   _| |_  __ _   |  Type "?help" for help.
  | | | | | | |/ _' |  |
  | | |_| | | | (_| |  |  Version 0.5.0-dev+2440 (2016-02-01 02:22 UTC)
 _/ |\__'_|_|_|\__'_|  |  Commit 2bb94d6 (17 days old master)
|__/                   |  arm-linux-gnueabihf

julia> versioninfo()
Julia Version 0.5.0-dev+2440
Commit 2bb94d6 (2016-02-01 02:22 UTC)
Platform Info:
  System: Linux (arm-linux-gnueabihf)
  CPU: ARMv7 Processor rev 3 (v7l)
  WORD_SIZE: 32
  BLAS: libopenblas (NO_AFFINITY ARMV7)
  LAPACK: libopenblas
  LIBM: libm
  LLVM: libLLVM-3.7.1

julia> Pkg.init()
INFO: Initializing package repository /home/android/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)
@ViralBShah ViralBShah added packages Package management and loading system:arm ARMv7 and AArch64 labels Feb 18, 2016
@ViralBShah
Member

Is this error arm only?

@tkelman
Contributor

tkelman commented Feb 18, 2016

We could add additional default locations to test, ref #13399 (comment) and

julia/Makefile

Lines 458 to 461 in fabec7b

# We need to bundle ca certs on linux now that we're using libgit2 with ssl
ifeq ($(shell [ -e $(shell openssl version -d | cut -d '"' -f 2)/cert.pem ] && echo exists),exists)
-cp $(shell openssl version -d | cut -d '"' -f 2)/cert.pem $(DESTDIR)$(datarootdir)/julia/
endif
and
cert_file = abspath(ccall(:jl_get_julia_home, Any, ()),Base.DATAROOTDIR,"julia","cert.pem")

@Ismael-VC
Contributor Author

Ok I didn't pay attention carefully, this #13399 (comment) fixes this issue:

julia> LibGit2.set_ssl_cert_locations("/etc/ssl/certs/ca-certificates.crt")
0

julia> Pkg.init()
INFO: Initializing package repository /home/android/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl

@Ismael-VC
Contributor Author

But I need to put it in my .juliarc.jl, after restart:

android@localhost ~ % julia
WARNING: unable to determine host cpu name.
               _
   _       _ _(_)_     |  A fresh approach to technical computing
  (_)     | (_) (_)    |  Documentation: http://docs.julialang.org
   _ _   _| |_  __ _   |  Type "?help" for help.
  | | | | | | |/ _' |  |
  | | |_| | | | (_| |  |  Version 0.5.0-dev+2440 (2016-02-01 02:22 UTC)
 _/ |\__'_|_|_|\__'_|  |  Commit 2bb94d6 (17 days old master)
|__/                   |  arm-linux-gnueabihf

julia> Pkg.update()
INFO: Updating METADATA...
WARNING: fetch: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)
INFO: Computing changes...
INFO: No packages to install, update or remove

@vtjnash vtjnash removed the system:arm ARMv7 and AArch64 label Mar 8, 2016
@vtjnash vtjnash added this to the 0.5.0 milestone Mar 8, 2016
@tkelman tkelman added the building Build system, or building Julia or its dependencies label Mar 8, 2016
wildart added a commit to wildart/julia that referenced this issue Mar 13, 2016
to use to point libgit2 to specific bundle of trusted CA certificates.
Relates to: JuliaLang#13399, JuliaLang#15128
@tkelman
Contributor

tkelman commented Apr 21, 2016

Can someone test with a recent nightly https://status.julialang.org/download/linux-arm and see if #15485 fixed this?

@StefanKarpinski
Member

@Ismael-VC, can you test this out?

@StefanKarpinski StefanKarpinski modified the milestones: 0.5.x, 0.5.0 Apr 28, 2016
@Ismael-VC
Contributor Author

Yes, I'm on it.

@Ismael-VC
Contributor Author

Ismael-VC commented Apr 30, 2016

The issue still persists, tested on a Raspberry Pi2 with the latest available binary:

ismaelvc@toybox ~ % julia-1630a3d430/bin/julia
WARNING: unable to determine host cpu name.
               _
   _       _ _(_)_     |  A fresh approach to technical computing
  (_)     | (_) (_)    |  Documentation: http://docs.julialang.org
   _ _   _| |_  __ _   |  Type "?help" for help.
  | | | | | | |/ _' |  |
  | | |_| | | | (_| |  |  Version 0.5.0-dev+3799 (2016-04-29 17:15 UTC)
 _/ |\__'_|_|_|\__'_|  |  Commit 1630a3d* (0 days old master)
|__/                   |  arm-linux-gnueabihf

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)

julia> LibGit2.set_ssl_cert_locations("/etc/ssl/certs/ca-certificates.crt")
0

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl

julia> 

@Ismael-VC
Contributor Author

Ismael-VC commented Apr 30, 2016

ismaelvc@toybox ~ % julia-1630a3d430/bin/julia
WARNING: unable to determine host cpu name.
               _
   _       _ _(_)_     |  A fresh approach to technical computing
  (_)     | (_) (_)    |  Documentation: http://docs.julialang.org
   _ _   _| |_  __ _   |  Type "?help" for help.
  | | | | | | |/ _' |  |
  | | |_| | | | (_| |  |  Version 0.5.0-dev+3799 (2016-04-29 17:15 UTC)
 _/ |\__'_|_|_|\__'_|  |  Commit 1630a3d* (0 days old master)
|__/                   |  arm-linux-gnueabihf

shell> rm -rf ~/.julia 

shell> cat ~/.juliarc.jl
ENV["PYTHON"] = ""
ENV["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt"

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)

@Ismael-VC
Contributor Author

Ismael-VC commented Apr 30, 2016

shell> cat ~/.juliarc.jl
ENV["PYTHON"] = ""
# ENV["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt"
ENV["SSL_CERT_DIR"] = "/etc/ssl/certs"

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)

@tkelman
Contributor

tkelman commented Apr 30, 2016

Thanks for testing! So either libgit2 upstream or our bindings aren't reading from the expected env var (or maybe they're doing so but before juliarc runs), but the api in our bindings for setting a location does work. 3 options here:

  1. Document the workaround and call that acceptable for the time being
  2. Reformat or replace the arm buildbot with a centos based setup that matches what we need to do on x86 buildbots.
  3. Find the right additional paths for the currently ubuntu based arm buildbot to bundle its cert files during make binary-dist

@Ismael-VC
Contributor Author

Ismael-VC commented Apr 30, 2016

Using the shell export does work!

Sorry, this doesn't work either:

ismaelvc@toybox ~ % julia-1630a3d430/bin/julia -q
WARNING: unable to determine host cpu name.
shell> cat ~/.juliarc.jl
ENV["PYTHON"] = ""
# ENV["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt"
# ENV["SSL_CERT_DIR"] = "/etc/ssl/certs/"

shell> rm -rf ~/.julia

shell> export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)

@tkelman
Contributor

tkelman commented Apr 30, 2016

@wildart any ideas about the environment variable part of this?

@ViralBShah how does scaleway work, what's the oldest possible distro we could provision if we want to do option 2 above?

@Ismael-VC
Contributor Author

Ismael-VC commented Apr 30, 2016

Ok, I have done more tests and it works using both SSL_CERT_* variables, but only if I export them with my shell (zsh), either via the zsh REPL or in the .zshrc config file prior to starting Julia, but it doesn't work if I define the same variables in the .juliarc.jl using ENV or run, even if they do show up as being defined for the Julia process. So I think it's a timing issue?

Works:

ismaelvc@toybox ~ % rm -rf ~/.julia
ismaelvc@toybox ~ % export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt              
ismaelvc@toybox ~ % julia-1630a3d430/bin/julia -q
WARNING: unable to determine host cpu name.
julia> ENV["SSL_CERT_FILE"]
"/etc/ssl/certs/ca-certificates.crt"

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl

julia> 

Doesn't:

ismaelvc@toybox ~ % rm -rf ~/.julia
ismaelvc@toybox ~ % echo 'ENV["SSL_CERT_FILE"] = "/etc/ssl/certs/ca-certificates.crt"'           
ismaelvc@toybox ~ % julia-1630a3d430/bin/julia -q
WARNING: unable to determine host cpu name.
julia> ENV["SSL_CERT_FILE"]
"/etc/ssl/certs/ca-certificates.crt"

julia> Pkg.init()
INFO: Initializing package repository /home/ismaelvc/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)

julia> 

@wildart
Member

wildart commented May 1, 2016

Setting SSL_CERT_ variables in .juliarc.jl does not work because libgit2 is initialized prior to evaluating this file. I am quite surprised that setting a shell environment variable does not work.

@Ismael-VC Can you look at the strace output to see if the certificate file is loaded or referenced?

@Ismael-VC
Contributor Author

@wildart I will test with strace and also I'll ask others to test on their Pis just in case.

@Ismael-VC
Contributor Author

> I am quite surprised that setting shell environmental variable does not work.

Just to be clear, this works, but only if I set the env variable with zsh (in my case), be it via an export or adding the export to my .zshrc and sourcing the file, prior to starting up Julia.

But not when setting the variable from within Julia, even if I use run(export .....).

@wildart
Member

wildart commented May 1, 2016

If you want to use .juliarc.jl, the only choice is LibGit2.set_ssl_cert_locations.
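
Added example, not part of the thread or of Julia's own tooling: a launcher that applies the finding above that `SSL_CERT_FILE` takes effect only when it is already in the environment when Julia starts. The candidate paths other than `/etc/ssl/certs/ca-certificates.crt`, the function names and the group/world-writable check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: choose a CA bundle and export SSL_CERT_FILE before Julia starts.
# Only the first candidate path appears in the thread; the others are assumed
# common distro defaults.
CA_BUNDLE_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem"

# usable_ca_bundle FILE: succeed only for a readable regular file that holds at
# least one PEM certificate and is not writable by group or others.
usable_ca_bundle() {
    local f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    # A trust store other users can edit lets them add a CA of their own.
    case $(ls -ldL -- "$f") in
        ?????w*|????????w*) return 1 ;;
    esac
}

# find_ca_bundle [ROOT]: print the first usable candidate. ROOT is prepended to
# each path so the probe can be run against a scratch directory.
find_ca_bundle() {
    local root=${1:-} p
    for p in $CA_BUNDLE_CANDIDATES; do
        if usable_ca_bundle "$root$p"; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# with_ca_bundle CMD...: exec CMD with SSL_CERT_FILE in its initial environment.
# A value the caller already exported is kept when it passes the same checks.
with_ca_bundle() {
    local bundle=${SSL_CERT_FILE:-}
    if ! usable_ca_bundle "$bundle"; then
        bundle=$(find_ca_bundle) || { echo "no usable CA bundle found" >&2; return 1; }
    fi
    export SSL_CERT_FILE=$bundle
    exec "$@"
}

# Usage: ./with-ca-bundle.sh julia -q
if [ "$#" -gt 0 ]; then with_ca_bundle "$@"; fi
```

Failing closed when no bundle passes the checks keeps the ECERTIFICATE error visible instead of hiding it behind an empty or tampered trust store.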

@PallHaraldsson
Contributor

"vtjnash removed the arm label", remove then also from issue title (or close if no longer an issue..?)

@tkelman
Contributor

tkelman commented Sep 1, 2016

@PallHaraldsson that type of comment on a dormant issue doesn't help anything.

This is a consequence of how binaries are built. You need a particular setup to actually get binaries that work across multiple distributions. Our arm (and now power) buildbots are not set up in this way.

@tkelman tkelman added system:arm ARMv7 and AArch64 and removed system:arm ARMv7 and AArch64 labels Oct 7, 2016
@StefanKarpinski StefanKarpinski added help wanted Indicates that a maintainer wants help on an issue or pull request and removed help wanted Indicates that a maintainer wants help on an issue or pull request labels Oct 27, 2016