I just updated to opam 2, on a very old MacBook which I cannot update (running OS X 10.6.8), and which is missing some important packages related to certificate validation (and due to missing tools, I cannot even update Homebrew, because it requires certification... kind of a circular problem).

I would like to update opam without checking certificates, since otherwise I get the following error:

```
<><> Updating package repositories ><><><><><><><><><><><><><><><><><><><><>
[ERROR] Could not update repository "default": 
OpamDownload.Download_fail(_, "Download command failed: 
  \"/usr/local/bin/wget --content-disposition -t 3 -O 
    /private/tmp/opam-17621-5a61c5/index.tar.gz.part
    https://opam.ocaml.org/1.2.2/index.tar.gz -U opam/2.0.0\"
  exited with code 5 
  \"ERROR: cannot verify opam.ocaml.org's certificate, issued by
  'CN=Let\\'s Encrypt Authority X3,O=Let\\'s Encrypt,C=US':\"")
```

I was just able to upgrade from 1.2.2 to opam 2.0.0, but now I cannot do `opam update`. And without it, there's not much I can do.

Is there a way to pass option `--no-check-certificate` to the `wget` command used by opam without having to recompile it myself?

anol

1 Answer

Fix your wget instead. Looks like it's missing a recent CA bundle.

First, check where it looks for the bundle -

```
$ strace wget -O /dev/null https://github.com 2>&1 | grep cert
read(3, "eting an end user certificate as"..., 4096) = 2806
read(5, "eting an end user certificate as"..., 4096) = 2806
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
```

Then copy Mozilla's .pem bundle to match the expected .pem path.

If you're on a system that lacks strace or there's simply no mention of a CA bundle location in the output, then try creating a .wgetrc, and add

```
ca_certificate = /path/to/your/ca-bundle.pem
```

Save as $HOME/.wgetrc.

wget should then be able to validate the Let's Encrypt cert.

More on .wgetrc at http://gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html

evilSnobu
  • Unfortunately there's no `strace` in my Mac OS X. According to [this question](https://stackoverflow.com/questions/1925978/equivalent-of-strace-feopen-command-on-mac-os-x), the equivalent should be `sudo dtruss -f -t open wget https://github.com`, but it only shows `/usr/local/opt/openssl/lib/libssl.1.0.0.dylib` and a few similar files, and never tries to open a `cert.pem`. Also, `/usr/lib/ssl` does not exist. Anyway, I'll try to find where it should be put instead. – anol Jul 11 '19 at 08:29
  • 1
    Try creating a `.wgetrc`, and add `ca_certificate = /path/to/your/ca.pem`. You should drop that in `$HOME/.wgetrc`. More at https://www.gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html – evilSnobu Jul 11 '19 at 08:34
  • 1
    Perfect! It works indeed, better and faster than trying to install the certificate using the methods I found elsewhere (and which in the end did not work). I'd suggest putting the `.wgetrc` suggestion in the answer, to make it more visible, since that's the one which worked for me. – anol Jul 11 '19 at 08:43
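
The `.wgetrc` fix from the answer and comments above, as an added shell example that is not part of the original posts: it checks that the bundle really contains PEM certificates, refuses to proceed if the startup file turns certificate checking off, and replaces any earlier `ca_certificate` line. The function names are hypothetical helpers, and the bundle path is whatever file you downloaded.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not part of wget.

# True if the wgetrc switches certificate checking off, i.e. the
# startup-file equivalent of --no-check-certificate. wgetrc command names
# ignore case, '-' and '_'.
wgetrc_disables_checks() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*check[-_]*certificate[[:space:]]*=[[:space:]]*(off|no|0)[[:space:]]*$' "$1"
}

# set_wget_ca_bundle BUNDLE [WGETRC]
# Prints the number of certificates found in BUNDLE on success.
set_wget_ca_bundle() {
    bundle=$1
    wgetrc_file=${2:-$HOME/.wgetrc}

    case $bundle in
        /*) ;;
        *) echo "bundle path must be absolute: $bundle" >&2; return 2 ;;
    esac
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }

    # A saved HTML error page or an empty file has no PEM blocks; reject it.
    cert_count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$cert_count" -gt 0 ] || { echo "no PEM certificates in $bundle" >&2; return 3; }

    if wgetrc_disables_checks "$wgetrc_file"; then
        echo "$wgetrc_file turns certificate checking off; fix that first" >&2
        return 4
    fi

    # Rebuild the file without any earlier ca_certificate line, then append ours.
    tmp=$(mktemp "$wgetrc_file.XXXXXX") || return 1
    if [ -f "$wgetrc_file" ]; then
        grep -Eiv '^[[:space:]]*ca[-_]*certificate[[:space:]]*=' "$wgetrc_file" > "$tmp" || true
    fi
    printf 'ca_certificate = %s\n' "$bundle" >> "$tmp"
    mv "$tmp" "$wgetrc_file"
    echo "$cert_count"
}

if [ "$#" -gt 0 ]; then set_wget_ca_bundle "$@"; fi
```

Run it as `sh script.sh /absolute/path/to/ca-bundle.pem`; with no second argument it edits `$HOME/.wgetrc`.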