Open-source Languages & Tools for z/OS

  • 1.  SSL certificate problem: unable to get local issuer certificate

    Posted 05-20-2024 16:07

    Hi All,

    I am facing some issues with Git and Curl when trying to do some token commands. 

    # git clone https://github.com/BMCDBA/hybrid_communication_proxy.git
    Cloning into 'hybrid_communication_proxy'...
    fatal: unable to access 'https://github.com/BMCDBA/hybrid_communication_proxy.git/': error setting certificate file: /opt/anaconda1anaconda2anaconda3/ssl/cacert.pem

    # curl https://www.google.com
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

    Any idea on this?

    Thanks,

    Divyanshu



    ------------------------------
    Divyanshu Singh
    MVS system programmer
    BMC Software
    Kanpur IN
    ------------------------------


  • 2.  RE: SSL certificate problem: unable to get local issuer certificate

    ROCKETEER
    Posted 05-21-2024 04:12

    Hi Divyanshu,

    Did you install these packages by z/OS Miniconda?
    Which version of the cURL and Git are installed on your system?

    I think the reason for the error is that the CURL_CA_BUNDLE environment variable is missing or the cacert.pem file is missing.

    Check the environment settings with the 'env | sort' command to see whether they contain the CURL_CA_BUNDLE variable.
    env | sort
    The environment settings should contain the following variable:
    CURL_CA_BUNDLE=/<path_to_miniconda>/miniconda/envs/<env_name>/etc/ssl/cacert.pem

    If the CURL_CA_BUNDLE variable is not set, please set it:
    export CURL_CA_BUNDLE=/<some_path_to_ca_bundle>/cacert.pem 

    If the variables are already set, please check that cacert.pem exists in the directory.

    If you are using curl 8.3.0 or newer or Git 2.42.0 or newer, please check this note:
    Git was using CA certificates from the bin directory and cURL was using CA certificates bundle from OpenSSL package till Open AppDev for Z Version 2.0.5. In the current release, the certificates have been moved to the cert-bundle package. If you have Git and cURL installed in an environment and want to update one of the packages (either Git or cURL), you need to update them both at the same time to avoid mixing up of paths to the certificate bundle on conda activate command.
    https://docs.rocketsoftware.com/bundle/openappdev_ug_20/page/hjj1695210838308.html

    If you are using curl 8.3.0 or newer or Git 2.42.0 or newer, you need to install the cert-bundle package:
    https://anaconda.org/zoss-appdev/cert-bundle/files

    An alternative way is to download the CA bundle from the cURL web page:
    https://curl.se/docs/caextract.html
    and set the CURL_CA_BUNDLE environment variable to the location of the cacert.pem file:
    export CURL_CA_BUNDLE=/<some_path_to_ca_bundle>/cacert.pem 

    Thanks,
    Sergei



    ------------------------------
    Sergey Rezepin
    Rocket Software
    ------------------------------



  • 3.  RE: SSL certificate problem: unable to get local issuer certificate

    Posted 05-28-2024 13:38

    Hi Sergei,

    I am using the Rocket open app dev Miniconda. 

    I installed new Git and curl inside /shrd/minicond/v23/envs/
    The following versions:

    curl               zoss-appdev/zos-z::curl-8.3.0-1 
    git                zoss-appdev/zos-z::git-2.42.0-pl538_1 

    And set these environment variables -

    For git  - export GIT_CA_BUNDLE=/shrd/minicond/v23/envs/git_env/etc/ssl/cacert.pem
    For curl - export CURL_CA_BUNDLE=/shrd/minicond/v23/envs/curl_env/ssl/cacert.pem

    But still I am getting issues with cert-

    # env | grep -i bund
    CURL_CA_BUNDLE=/shrd/minicond/v23/envs/curl_env/ssl/cacert.pem
    GIT_CA_BUNDLE=/shrd/minicond/v23/envs/git_env/etc/ssl/cacert.pem
    # git clone https://github.com/AAAA/bbb_ccc_ddd.git
    Cloning into 'bbb_ccc_ddd'...
    fatal: unable to access 'https://github.com/AAAA/bbb_ccc_ddd.git.git/': error setting certificate file: /opt/anaconda1anaconda2anaconda3/ssl/cacert.pem
    #

    Thanks for any help and responses.

    Divyanshu



    ------------------------------
    Divyanshu Singh
    MVS system programmer
    BMC Software
    Kanpur IN
    ------------------------------



  • 4.  RE: SSL certificate problem: unable to get local issuer certificate

    ROCKETEER
    Posted 05-29-2024 05:12
    Edited by Sergey Rezepin 05-29-2024 05:16

    Hi Divyanshu,

    If you installed the packages with conda, you have to activate the environment that you are planning to use, for example:
    conda activate git_env

    In this case conda will set up all required environment variables automatically, so you do not need to set them manually.
    You can see the environment variables with the env | sort command.
    An example of the output of the env | sort command:
    ...
    CURL_CA_BUNDLE=/u/user/miniconda/envs/git_env_name/etc/ssl/cacert.pem
    ...
    SSL_CERT_DIR=/u/user/miniconda/envs/git_env_name/ssl/certs
    SSL_CERT_FILE=/u/user/miniconda/envs/git_env_name/ssl/cert.pem

    Actually, git requires the GIT_SSL_CAINFO variable, not GIT_CA_BUNDLE, but it should already be set in the config for the installed version of git.

    git config -l

    As a result, you will see the settings:

    http.sslverify=true
    http.sslcainfo=/u/user/miniconda/envs/git_env_name/ssl/cacert.pem

    Please check if it is in the configs. If not, I think setting GIT_SSL_CAINFO will help.


    Please also check that the dependencies for the packages are installed as well:
    conda list
    The package cert-bundle should be in the list.


    If that does not help, you can also try to recreate the environment:
    conda create -n git_env_new git -c https://conda.anaconda.org/zoss-appdev --override-channels
    conda activate git_env_new
    conda list
    git clone  https://github.com/AAAA/bbb_ccc_ddd.git
    Conda should resolve all required dependencies and set all of the required environment variables after conda activate git_env_new

    Thanks,
    Sergey



    ------------------------------
    Sergey Rezepin
    Rocket Software
    ------------------------------



  • 5.  RE: SSL certificate problem: unable to get local issuer certificate

    Posted 05-31-2024 11:04

    Hi,

    I am not sure how suddenly conda stopped responding -

    $ export _BPXK_AUTOCVT=ON                                             
    $ export _CEE_RUNOPTS="FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"            
    $ SHELL=/shrd/minicond/v23/bin/bash                                   
    $ $SHELL                                                              
    bash-5.1$ conda --version                                             
    bash: conda: command not found                                        
    bash-5.1$                                                             

    Any idea?



    ------------------------------
    Divyanshu Singh
    MVS system programmer
    BMC Software
    ------------------------------



  • 6.  RE: SSL certificate problem: unable to get local issuer certificate

    ROCKETEER
    Posted 05-31-2024 11:46

    Hi Divyanshu,

    You also need to source the conda.sh file (please note that there is a space between the dot and the path):

    . <miniconda_installation_path>/etc/profile.d/conda.sh

    After that you can run the 'conda activate' to activate the base environment:
    conda activate
    conda --version

    Here is a full guide about the z/OS Miniconda installation:
    https://docs.rocketsoftware.com/bundle/openappdev_ug_20/page/ewu1645822293242.html



    ------------------------------
    Sergey Rezepin
    Rocket Software
    ------------------------------



  • 7.  RE: SSL certificate problem: unable to get local issuer certificate

    Posted 06-27-2024 12:45

    Hello Sergey,

    I think you helped me with the problem. When I ran the git config command, I saw the problem:

    # ./git config -l                                                 
    error: cannot run less: EDC5129I No such file or directory.       
    http.sslverify=true                                               
    http.sslcainfo=/shrd/minicond/v23n/envs/git_env/ssl/cacert.pem   

    The directory was pointing to v23n instead of v23. For now I renamed my directory and saw that the command works to authenticate.

    Can you please help me understand how we can change the information inside ./git config -l?

    Thanks for your help.

    Divyanshu



    ------------------------------
    Divyanshu Singh
    MVS system programmer
    BMC Software
    Kanpur IN
    ------------------------------
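
The checks walked through in this thread, collected into one script as an added example (it is not part of any post and is not Rocket's or BMC's code). It verifies that each CA-bundle setting mentioned above (CURL_CA_BUNDLE, SSL_CERT_FILE, GIT_SSL_CAINFO and git's http.sslcainfo) points at a readable PEM file, and prints which config file supplies http.sslcainfo; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the CA-bundle settings named in this thread.

# check_bundle LABEL PATH
# Returns 0 if PATH is a readable file holding at least one PEM certificate,
# 1 if it is set but unusable, 2 if it is not set at all.
check_bundle() {
    label=$1; path=$2
    if [ -z "$path" ]; then
        echo "UNSET    $label"; return 2
    elif [ ! -f "$path" ]; then
        echo "MISSING  $label -> $path"; return 1
    elif [ ! -r "$path" ]; then
        echo "NOREAD   $label -> $path"; return 1
    elif ! grep -q 'BEGIN CERTIFICATE' "$path"; then
        echo "NOT-PEM  $label -> $path"; return 1
    fi
    echo "OK       $label -> $path"
}

# audit_ca_settings
# Returns 1 if any setting points at an unusable bundle, else 0.
audit_ca_settings() {
    bad=0
    for var in CURL_CA_BUNDLE SSL_CERT_FILE GIT_SSL_CAINFO; do
        eval "val=\${$var-}"
        rc=0; check_bundle "env $var" "$val" || rc=$?
        if [ "$rc" -eq 1 ]; then bad=1; fi
    done
    if command -v git >/dev/null 2>&1; then
        # GIT_SSL_CAINFO, when set, overrides http.sslcainfo from git config.
        cfg=$(git --no-pager config --get http.sslcainfo 2>/dev/null) || cfg=
        rc=0; check_bundle "git http.sslcainfo" "$cfg" || rc=$?
        if [ "$rc" -eq 1 ]; then bad=1; fi
        # --show-origin prints the config file that holds the value, i.e. the
        # file to correct when the path is stale.
        git --no-pager config --show-origin --get-all http.sslcainfo 2>/dev/null || true
    fi
    return "$bad"
}

audit_ca_settings || echo "Fix the MISSING/NOREAD/NOT-PEM entries above."
```

A MISSING line for git http.sslcainfo is the situation found in post 7, where the configured path did not match the installation directory. Running git with --no-pager also avoids the "cannot run less" error shown there.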