Original Message:
Sent: 05-30-2024 08:23
From: Divyanshu Singh
Subject: SSL certificate problem: unable to get local issuer certificate
Hi,
I am not sure how suddenly conda stopped responding -
$ export _BPXK_AUTOCVT=ON
$ export _CEE_RUNOPTS="FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"
$ SHELL=/shrd/minicond/v23/bin/bash
$ $SHELL
bash-5.1$ conda --version
bash: conda: command not found
bash-5.1$
Any idea?
------------------------------
Divyanshu Singh
MVS system programmer
BMC Software
Original Message:
Sent: 05-29-2024 05:11
From: Sergey Rezepin
Subject: SSL certificate problem: unable to get local issuer certificate
Hi Divyanshu,
If you installed the packages by conda, you have to activate the environment, that you are planning to use, for example:
conda activate git_env
In this case conda will set up all required environment variables automatically, so you no need to set them manually.
You can see the environment variables by env | sort
command.
An example of the output of env | sort command:
...
CURL_CA_BUNDLE=/u/user/miniconda/envs/git_env_name/etc/ssl/cacert.pem
...
SSL_CERT_DIR=/u/user/miniconda/envs/git_env_name/ssl/certs
SSL_CERT_FILE=/u/user/miniconda/envs/git_env_name/ssl/cert.pem
Actually, git requires GIT_SSL_CAINFO variable, not GIT_CA_BUNDLE, but it should be already set for the installed version of git in the config.
As result, you will see the settings:
http.sslverify=true
http.sslcainfo=/u/user/miniconda/envs/git_env_name/ssl/cacert.pem
|
Please check if it is in the configs. If no, I think the setting GIT_SSL_CAINFO will help.
Please also check that the dependencies for the packages is installed also:
conda list
The package cert-bundle
should be in the list.
If it's not help, you can also try to recreate the environment
conda create -n git_env_new git -c https://conda.anaconda.org/zoss-appdev --override-channels
conda activate git_env_new
conda list
git clone https://github.com/AAAA/bbb_ccc_ddd.git
Conda should resolve all required dependencies and set all of the required environment variables after conda activate git_env_new
Thanks,
Sergey
------------------------------
Sergey Rezepin
Rocket Software
Original Message:
Sent: 05-27-2024 09:42
From: Divyanshu Singh
Subject: SSL certificate problem: unable to get local issuer certificate
Hi Sergei,
I am using the Rocket open app dev Miniconda.
I installed New git and curl inside - /shrd/minicond/v23/envs/
Following version.
curl zoss-appdev/zos-z::curl-8.3.0-1
git zoss-appdev/zos-z::git-2.42.0-pl538_1
And set these environment variables -
For git - export GIT_CA_BUNDLE=/shrd/minicond/v23/envs/git_env/etc/ssl/cacert.pem
For curl -export CURL_CA_BUNDLE=/shrd/minicond/v23/envs/curl_env/ssl/cacert.pem
But still I am getting issues with cert-
# env | grep -i bund
CURL_CA_BUNDLE=/shrd/minicond/v23/envs/curl_env/ssl/cacert.pem
GIT_CA_BUNDLE=/shrd/minicond/v23/envs/git_env/etc/ssl/cacert.pem
# git clone https://github.com/AAAA/bbb_ccc_ddd.git" href="https://github.com/AAAA/bbb_ccc_ddd.git" rel="noreferrer noopener" target="_blank" class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://github.com/aaaa/bbb_ccc_ddd.git">https://github.com/AAAA/bbb_ccc_ddd.git
Cloning into 'bbb_ccc_ddd'...
fatal: unable to access 'https://github.com/" href="https://github.com/BMCDBA/hybrid_communication_proxy.git/%27:" rel="noreferrer noopener" target="_blank" class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://github.com/bmcdba/hybrid_communication_proxy.git/%27:">https://github.com/AAAA/bbb_ccc_ddd.git.git/': error setting certificate file: /opt/anaconda1anaconda2anaconda3/ssl/cacert.pem
#
Thanks for any help and responses.
Divyanshu
------------------------------
Divyanshu Singh
MVS system programmer
BMC Software
Kanpur IN
Original Message:
Sent: 05-21-2024 04:11
From: Sergey Rezepin
Subject: SSL certificate problem: unable to get local issuer certificate
Hi Divyanshu,
Did you install these packages by z/OS Miniconda?
Which version of the cURL and Git are installed on your system?
I think, the reason of the error, the CURL_CA_BUNDLE environment variable is missing or cacert.pem file is missing.
Check the environment settings by 'env | sort' command if it contains CURL_CA_BUNDLE variable.
env | sort
The environment settings should contain the following variable:
CURL_CA_BUNDLE=/<path_to_miniconda>/miniconda/envs/<env_name>/etc/ssl/cacert.pem
if there is no the setting of the CURL_CA_BUNDLE variable, please set that:
export CURL_CA_BUNDLE=/<some_path_to_ca_bundle>/cacert.pem
If the variables are already set, please check that cacert.pem is existing in the directory.
If you are using the curl 8.3.0 or newer or Git 2.42.0 or newer please check this note:
Git was using CA certificates from the bin directory and cURL
was using CA certificates bundle from OpenSSL
package till Open AppDev for Z Version 2.0.5. In the current release, the certificates have been moved to the cert-bundle
package. If you have Git
and cURL
installed in an environment and want to update one of the packages (either Git
or cURL
), you need to update them both at the same time to avoid mixing up of paths to the certificate bundle on conda activate command.
https://docs.rocketsoftware.com/bundle/openappdev_ug_20/page/hjj1695210838308.html
If you are using the curl 8.3.0 or newer or Git 2.42.0 or newer, you need to install the cert-bundle
package:
https://anaconda.org/zoss-appdev/cert-bundle/files
An alternative way is downloading the CA bundle from cURL web-page:
https://curl.se/docs/caextract.html
and setting the CURL_CA_BUNDLE environment variable to the location of cacert.pem file:
export CURL_CA_BUNDLE=/<some_path_to_ca_bundle>/cacert.pem
Thanks,
Sergei
------------------------------
Sergey Rezepin
Rocket Software
Original Message:
Sent: 05-20-2024 15:46
From: Divyanshu Singh
Subject: SSL certificate problem: unable to get local issuer certificate
Hi All,
I am facing some issues with Git and Curl when trying to do some token commands.
# git clone https://github.com/BMCDBA/hybrid_communication_proxy.git" href="https://github.com/BMCDBA/hybrid_communication_proxy.git" rel="noreferrer noopener" target="_blank" class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://github.com/bmcdba/hybrid_communication_proxy.git">https://github.com/BMCDBA/hybrid_communication_proxy.git
Cloning into 'hybrid_communication_proxy'...
fatal: unable to access 'https://github.com/BMCDBA/hybrid_communication_proxy.git/':" href="https://github.com/BMCDBA/hybrid_communication_proxy.git/%27:" rel="noreferrer noopener" target="_blank" class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://github.com/bmcdba/hybrid_communication_proxy.git/%27:">https://github.com/BMCDBA/hybrid_communication_proxy.git/': error setting certificate file: /opt/anaconda1anaconda2anaconda3/ssl/cacert.pem
# curl https://www.google.com" href="https://www.google.com" rel="noreferrer noopener" target="_blank" class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://www.google.com/">https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html" href="https://curl.haxx.se/docs/sslcerts.html" rel="noreferrer noopener" target="_blank" class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://curl.haxx.se/docs/sslcerts.html">https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Any Idea on this?
Thanks,
Divyanshu
------------------------------
Divyanshu Singh
MVS system programmer
BMC Software
Kanpur IN
------------------------------