Recent OpenSSL changes and CA certs

Blair Zajac blair at orcaware.com
Wed Oct 13 05:40:02 UTC 2021


+jonesc at macports.org

wget also fails after upgrading openssl:

$ wget https://registry.npmjs.org/npm
--2021-10-12 18:21:00--  https://registry.npmjs.org/npm
Resolving registry.npmjs.org (registry.npmjs.org)... 2606:4700::6810:1323, 2606:4700::6810:1923, 2606:4700::6810:1723, ...
Connecting to registry.npmjs.org (registry.npmjs.org)|2606:4700::6810:1323|:443... connected.
ERROR: cannot verify registry.npmjs.org's certificate, issued by ‘CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US’:
  Unable to locally verify the issuer's authority.
To connect to registry.npmjs.org insecurely, use `--no-check-certificate’.

> On Oct 12, 2021, at 10:13 PM, Aaron Madlon-Kay <amake at macports.org> wrote:
> 
> Forget all that stuff I mentioned about rbenv and ruby-build. I can
> reproduce this with the ruby30 port:
> 
> % /opt/local/bin/ruby3.0 -r net/http -e
> 'Net::HTTP.get(URI("https://www.apple.com"))'
> /opt/local/lib/ruby3.0/3.0.0/net/protocol.rb:46:in `connect_nonblock':
> SSL_connect returned=1 errno=0 state=error: certificate verify failed
> (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
>        from /opt/local/lib/ruby3.0/3.0.0/net/protocol.rb:46:in
> `ssl_socket_connect'
>        from /opt/local/lib/ruby3.0/3.0.0/net/http.rb:1038:in `connect'
>        from /opt/local/lib/ruby3.0/3.0.0/net/http.rb:970:in `do_start'
>        from /opt/local/lib/ruby3.0/3.0.0/net/http.rb:959:in `start'
>        from /opt/local/lib/ruby3.0/3.0.0/net/http.rb:621:in `start'
>        from /opt/local/lib/ruby3.0/3.0.0/net/http.rb:496:in `get_response'
>        from /opt/local/lib/ruby3.0/3.0.0/net/http.rb:467:in `get'
>        from -e:1:in `<main>'
> 
> When working correctly, the above command will exit with no message.
> 
> -Aaron
> 



More information about the macports-dev mailing list