invalid peer certificate: UnknownIssuer

[drpdishant]

Just installed tea and facing this error while I try to install any package

tea +openssl.org
error: http (spilt-tea-404)
error sending request for url (https://dist.tea.xyz/openssl.org/darwin/aarch64/versions.txt): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

sh <(curl tea.xyz) +nodejs.org
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8739  100  8739    0     0  14750      0 --:--:-- --:--:-- --:--:-- 14938
error: http (spilt-tea-404)
error sending request for url (https://dist.tea.xyz/unicode.org/darwin/aarch64/versions.txt): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

seems like its not able to validate server certificate against a root certificate from the trust store.
How can I disable ssl check?

[mxcl]

wow. @jhheider ideas?

[mxcl]

so, deno controls this, LMK check their GitHub.

[mxcl]

• Sending fatal alert BadCertificate: invalid certificate: UnknownIssuer denoland/deno#11482
• feat(cli): add DENO_CERT environment variable denoland/deno#6370 (DENO_CERT variable)

[jhheider]

This is interesting. @drpdishant , what OS/platform/distro are you running this under? Interestingly, if I load debian:buster-slim in Docker, and apt remove ca-certificates, I break curl, but not tea. Which makes me think, somewhere in the Deno guts, it's falling back to some well-known paths looking for ca certs, and possibly finding out of date ones.

That said, it doesn't really explain why you can curl tea.xyz. Can you curl dist.tea.xyz? If I can recreate this, it should be possible to strace the run and see what it's trying to execute.

[mxcl]

https://dist.tea.xyz/openssl.org/darwin/aarch64/versions.txt

@jhheider which is mysterious right? How can certs on macOS be broken.

[jhheider]

Oh, yeah. Deeply mysterious. Unless it's extremely out of date. I know the CAs do have big changes periodically. I feel like AWS had one in the last 12 months, maybe.

[drpdishant]

@mxcl @jhheider dist.tea.xyz is accessible in browser but it serves with a different certificate than the actual, probably because all the connection from my machine go through a corporate proxy. I do face this issue when running npm install, and it works after setting env NODE_TLS_REJECT_UNAUTHORIZED to 0.

Definitely it isn't an issue with macOS or ca-certs or even tea cli, skipping the check will work.

[jhheider]

Ahhhhh, yes, a proxy performing the SSL check on your behalf and serving using its certificate would definitely cause that. Hm. Will have to see what options Deno offers for accepting insecure connections.

[drpdishant]

@jhheider If this helps, denoland/deno#11324

[drpdishant]

@jhheider I am able to figure out a workaround using env DENO_CERT, downloaded the ca cert and provided in the env value. it works.

DENO_CERT=dist-tea-xyz.pem tea +openssl.org

[jhheider]

Certainly one workaround. We'll noodle something more user friendly. You won't be the last one behind a corporate proxy.

[mxcl]

One way brew avoided this sort of thing is using curl to do the downloads. Since generally, curl has been configured to work for the user.

[mxcl]

We haven't seen this in a long time, closing as assumed deno is responsible and is fixed.