possibly an expired cert

ipatch's picture
ipatch
Fri, 10/01/2021 - 21:45
Forums: 
Installation and Building

i've working with building occ from source the past couple of days and i believe one of the ssl certs has expired, but not sure if the problem is something local to my computer or network. either way running the below command

brew install opencascade -s -v

is giving me the following error,

==> Downloading https://git.dev.opencascade.org/gitweb/?p=occt.git;a=snapshot;h=refs/tags/V7_5_3;sf=tgz
/usr/bin/curl --disable --cookie-jar /dev/null --globoff --show-error --user-agent Homebrew/3.2.14-45-gd6eb9ec\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 10.14.6\)\ curl/7.54.0 --header Accept-Language:\ en --fail --retry 3 --location --remote-time --output /Users/capin/Library/Caches/Homebrew/downloads/d47a2115fb55050172087ba7e3835e1a853c5379f239cd9f0ddfabbbfe9ec1b0--p=occt.git\;a=snapshot\;h=refs.incomplete https://git.dev.opencascade.org/gitweb/\?p=occt.git\;a=snapshot\;h=refs/tags/V7_5_3\;sf=tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: opencascade: Failed to download resource "opencascade"
Download failed: https://git.dev.opencascade.org/gitweb/?p=occt.git;a=snapshot;h=refs/tags/V7_5_3;sf=tgz

and...

openssl s_client -connect dev.opencascade.org:443

yields

CONNECTED(00000006)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=opencascade.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate

... [truncated]

  Start Time: 1633113802
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
---
closed

saw something about letsencrypt having expired certs a while back, not sure if this could be possibly related or not, just thought i'd share.

Kirill Gavrilov's picture
Kirill Gavrilov
Sat, 10/02/2021 - 22:03

The problem description looks related to a regular tragedy with root certificate expiration happened on 30th September shooting several old platforms and some buggy SSL implementations.

ipatch's picture
ipatch
Mon, 10/04/2021 - 19:32

you are correct.

and it appears the homebrew maintainers have implemented a workaround/fix for this issue.

https://github.com/Homebrew/discussions/discussions/2234#discussioncomme...