Join Log in
Score:2
Joel Holmes avatar Ubuntu

CA Certificates Not Recognized

ru flag
Joel Holmes

I've been trying to get CA Certs installed because I'm getting errors when trying to use rosdep init which makes calls to "raw.githubusercontent.com". If I do the same call with wget I'll get the same error:

ERROR: cannot verify raw.githubusercontent.com's certificate, issued by ‘CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.

I have installed ca-certificates. I also tried this on a fresh install and everything worked fine. However, I cannot reinstall on the machine I am on at the moment, is there a way to resolve this some other way?

784
2 + 0
ros
Score:1
bw3u avatar Ubuntu
cn flag
bw3u

I don't have any experience with rosdep but can you try to update your certificates with;

sudo update-ca-certificates -f

If that doesn't work and you sure rosdep is using wget can you try to add this line to your ~/.wgetrc

check_certificate = off

It should ignore certificate errors afterwards. It can be GitHub issue so can't comment on that. I can wget files from raw.githubusercontent.com without any issues tho.

0 + 8
Joel Holmes avatar
ru flag
Joel Holmes
While this solves my wget issue it does not solve the overall problem with certificates. 1. rosdep does not appear to use wget 2. It is still a security concern to have the cert not verified for all wget calls I was hoping to find a broader solution and was using wget as an example.
1
Reply
bw3u avatar
cn flag
bw3u
I can't repro your issue. I can `sudo rosdep init` also can `update rosdep`. Which `ca-certificates` version is installed on your system?
0
Reply
Joel Holmes avatar
ru flag
Joel Holmes
```sudo dpkg -s ca-certificates | grep Version Version: 20210119~20.04.1```
0
Reply
bw3u avatar
cn flag
bw3u
Hmm seems you are using up to date version. Have you tried reinstalling `ca-certificates`? If not can you try reinstalling with `sudo apt-get install --reinstall ca-certificates`, after that can you confirm `DigiCert` certificates are located in `/etc/ssl/certs`. Here is a output from my system: [https://pastebin.ubuntu.com/p/jcCG29xt6w/](https://pastebin.ubuntu.com/p/jcCG29xt6w/)
0
Reply
Joel Holmes avatar
ru flag
Joel Holmes
Yes I've tried that as well and see multiple certs with DigiCert in the directory. ```ls /etc/ssl/certs/ | grep DigiCert DigiCert_Assured_ID_Root_CA.pem DigiCert_Assured_ID_Root_G2.pem DigiCert_Assured_ID_Root_G3.pem DigiCert_Global_Root_CA.pem DigiCert_Global_Root_G2.pem DigiCert_Global_Root_G3.pem DigiCert_High_Assurance_EV_Root_CA.pem DigiCert_Trusted_Root_G4.pem ```
0
Reply
bw3u avatar
cn flag
bw3u
Can you try to wget with `--ca-directory=/etc/ssl/certs` param?
1
Reply
Joel Holmes avatar
ru flag
Joel Holmes
Great! So that worked. Now is there a env setting that I have wrong that other services aren't looking there for certs?
1
Reply
bw3u avatar
cn flag
bw3u
Afaik there is no env var for that. `update-ca-certificates --fresh` should do the trick. You can try adding `ca_directory=/etc/ssl/certs` to your wgetrc in your home dir as well as in `/etc/wgetrc`. Maybe some app you've installed before broke something can you check it?
0
Reply
Score:1
Joel Holmes avatar Ubuntu
ru flag
Joel Holmes

In the end adding this env var to my ~.bashrc file made the ROS calls work:

export SSL_CERT_DIR=/etc/ssl/certs
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.