opm with/without https


Nelson, Erik - 2

Aug 11, 2020, 5:00:40 PM
to openre...@googlegroups.com
It's been some time since I upgraded openresty. My install script sets

download_server=http://opm.openresty.org

HTTP, not HTTPS as described in https://opm.openresty.org/docs#download_server because I have trouble getting curl to authenticate the ssl connection.

This has always worked for me over the years, but this time I get an error like:

opm install duhoobo/lua-resty-smtp
* Fetching duhoobo/lua-resty-smtp
ERROR: unexpected server response status code for URL "http://opm.openresty.org/api/pkg/fetch?account=duhoobo&name=lua-resty-smtp&op=&version=": 301

Has something changed about opm and using the HTTP endpoint?

I tested with the default, and end up with a different error

**********************
opm install duhoobo/lua-resty-smtp
* Fetching duhoobo/lua-resty-smtp
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: failed to run command "curl -sS -i -A 'opm 0.0.5 (x86_64-linux-thread-multi, perl v5.10.1)' 'https://opm.openresty.org/api/pkg/fetch?account=duhoobo&name=lua-resty-smtp&op=&version='"
*********************************

After a bit of research, it seemed like pointing to my company cert bundle might help, like

export SSL_CERT_FILE=/path/to/tls-ca-bundle.pem

but that didn't change the error.

What am I missing here?

Thanks

Erik







Robert Paprocki

Aug 11, 2020, 5:07:45 PM
to openre...@googlegroups.com
Looks like OPM uses a Let's Encrypt certificate:

 $ echo 'q' | openssl s_client -connect opm.openresty.org:443 -servername opm.openresty.org 2>&1 | openssl x509 -text | grep Issuer
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/


You need to ensure your trusted CA bundle includes the LE chain. They have more documentation at https://letsencrypt.org/certificates/
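
The CA-bundle point in the reply above, as an added example that is not part of the original thread: the script uses `openssl verify -CAfile` to show a server certificate failing against a bundle that lacks its issuer and passing once the issuer CA is appended. Every CA, subject and file name in it is a constructed stand-in, not the Let's Encrypt chain or the company bundle.

```shell
#!/bin/sh
# Added example. Every CA, subject and file below is constructed for the demo.

# bundle_trusts BUNDLE CERT: exit 0 only if CERT chains to a CA found in BUNDLE.
bundle_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME SUBJECT: create a throwaway self-signed CA (key + cert).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA_NAME SUBJECT: issue a server certificate signed by CA_NAME.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" >/dev/null 2>&1
}

# demo: prints "before=<state> after=<state>" for the server certificate,
# checked first against a bundle lacking its issuer, then with the issuer added.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" corp "/CN=Constructed Corp Root" || return 2     # only CA in the company bundle
    make_ca "$d" issuer "/CN=Constructed Public Root" || return 2 # stands in for the server's CA
    make_leaf "$d" issuer "/CN=pkg.example.test" || return 2

    cp "$d/corp.pem" "$d/bundle.pem"
    if bundle_trusts "$d/bundle.pem" "$d/leaf.pem"; then before=trusted; else before=untrusted; fi

    # The fix: append the missing issuer CA to the bundle (PEM files concatenate).
    cat "$d/issuer.pem" >> "$d/bundle.pem"
    if bundle_trusts "$d/bundle.pem" "$d/leaf.pem"; then after=trusted; else after=untrusted; fi

    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

For a real server, pass any intermediate certificates it sends with `openssl verify -untrusted`, and give the repaired bundle to curl with the `--cacert` option its error message mentions.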


Nelson, Erik - 2

Aug 11, 2020, 5:22:13 PM
to openre...@googlegroups.com

Hmm… looks like my CA bundle does not include LE.  Is there a workaround?  Does the HTTP endpoint really no longer work?
