Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NetCDF 4.9.2: SSL peer certificate or SSH remote key was not OK #2705

Closed
Alexander-Barth opened this issue May 30, 2023 · 3 comments
Closed

NetCDF 4.9.2: SSL peer certificate or SSH remote key was not OK #2705

Alexander-Barth opened this issue May 30, 2023 · 3 comments
Assignees
@DennisHeimbigner @WardF
Milestone
4.9.3

Comments

@Alexander-Barth
Copy link
Contributor

Unfortunately, the issue described here resurface again once updating to netCDF 4.9.2.

If you recall, for the libcurl used in the julia ecosystem, we need to explicitly declare the path for the CA certificates.
Previously, we used private function NC_rcfile_insert which does not work anymore in 4.9.2 but in the latest version we have the new public function nc_set_rc instead and call them with the function argument HTTP.SSL.CAINFO and the path
"/etc/ssl/certs/ca-certificates.crt". This files does indeed exists on my system and seems to be the correct one to use:

 ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 190243 Feb 13 16:59 /etc/ssl/certs/ca-certificates.crt

When accessing a HTTPS opendap resource, I get the following error:

Error:curl error: SSL peer certificate or SSH remote key was not OK
curl error details: 
Warning:oc_open: Could not read url

This error occurs at the call of nc_open using the URL https://rda.ucar.edu/thredds/dodsC/files/g/ds084.1/2018/20181231/gfs.0p25.2018123118.f003.grib2 (accroding to my web browser the certificate is valid).

With the call to nc_get_rc I get indeed to correct path (/etc/ssl/certs/ca-certificates.crt).

Surprisingly the error persists if I create a file ~/.ncrc with the content:

$ cat .ncrc
HTTP.SSL.CAINFO=/etc/ssl/certs/ca-certificates.crt

I am using Ubuntu 22.04.2 and NetCDF 4.9.2 is compiled with gcc 5.2.
@Alexander-Barth Alexander-Barth mentioned this issue May 30, 2023
Merged
@WardF WardF added this to the 4.9.3 milestone May 30, 2023
@WardF
Copy link
Member

WardF commented May 30, 2023

I'll look into this, @DennisHeimbigner does anything immediately leap out at you?

@DennisHeimbigner
Copy link
Collaborator

two comments:

  1. try this command: 'chmod go-rwx /etc/ssl/certs/ca-certificates.crt' then try again.
  2. Do you have this PR installed: Fix handling of CURLOPT_CAINFO and CURLOPT_CAPATH #2690

@Alexander-Barth
Copy link
Contributor Author

  1. 'chmod go-rwx /etc/ssl/certs/ca-certificates.crt

I get the error from the julia package NetworkOptions: "/etc/ssl/certs/ca-certificates.crt": Permission denied

Also command line curl does not work anymore after this change.

$ curl https://www.github.com
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

I reverted this change.
The patch in point 2 seems to work. Thanks!

@Alexander-Barth Alexander-Barth mentioned this issue May 31, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DennisHeimbigner DennisHeimbigner

@WardF WardF

Labels
None yet
Projects
None yet
Milestone
4.9.3
Development

No branches or pull requests
3 participants
@DennisHeimbigner @WardF @Alexander-Barth