curlopensslssl-certificatehomebrewosx-yosemite

Cannot install anything with brew, Error: Failed to download resource "git--html"


Whenever I try and run brew install <app>, such as brew install git, i get the following error:

$ brew install git
Updating Homebrew...
Warning: You are using macOS 10.10.
We (and Apple) do not provide support for this old version.
You will encounter build failures with some formulae.
Please create pull requests instead of asking for help on Homebrew's GitHub,
Discourse, Twitter or IRC. You are responsible for resolving any issues you
experience while you are running this old version.

==> Downloading https://ftp.gnu.org/gnu/gettext/gettext-0.21.tar.xz
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/fbd8967fd8256b2e1856b74e8ff0f3d8371cb652c5768e47649613a69d4dc841--gettext-0.21.tar.xz
==> Downloading https://ftp.pcre.org/pub/pcre/pcre2-10.35.tar.bz2
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/48997c77a7dae2fb85d52234e92e9032019609e091e23d72529d1e552978a260--pcre2-10.35.tar.bz2
==> Downloading https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldoc

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: Failed to download resource "git--html"
Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldocs-2.28.0.tar.xz
Warning: You are using macOS 10.10.
We (and Apple) do not provide support for this old version.
You will encounter build failures with some formulae.
Please create pull requests instead of asking for help on Homebrew's GitHub,
Discourse, Twitter or IRC. You are responsible for resolving any issues you
experience while you are running this old version.

==> Downloading https://ftp.gnu.org/gnu/gettext/gettext-0.21.tar.xz
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/fbd8967fd8256b2e1856b74e8ff0f3d8371cb652c5768e47649613a69d4dc841--gettext-0.21.tar.xz
==> Downloading https://ftp.pcre.org/pub/pcre/pcre2-10.35.tar.bz2
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/48997c77a7dae2fb85d52234e92e9032019609e091e23d72529d1e552978a260--pcre2-10.35.tar.bz2
==> Downloading https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldoc

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: Failed to download resource "git--html"
Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldocs-2.28.0.tar.xz

I have tried the answers to this post and have had no luck. I also prefer not to use curl's -k or --insecure

I am using

Update: I tried uninstalling and reinstalling homebrew, and on the reinstall I got this message again:

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: Failed to download resource "git--html"
Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldocs-2.28.0.tar.xz

Update 2: When I run brew doctor, I am given an unreasonably lengthy list of unexpected header files. Are these related to my problem? If so, what is the best way to go about deleting all of them?

Update 3: I ended up resorting to using curl's -k. Only trouble is that when I did it, the terminal gave me hundreds of lines of what seems to be random characters in return. Anyone knows what this is? Not sure what to do here

Update 4: Not sure if this is related, but when I try and install ruby 2.3., I get this error:

Error running '__rvm_make -j4',
please read /Users/admin/.rvm/log/1596996566_ruby-2.3.8/make.log

This is the log


Solution

  • Looks like the downloader (a version of curl in this case) is not trusting the CA certificate on the https://mirrors.edge.kernel.org domain. You can try importing the CA that is presented by this webserver (Depends if you really trust the CA).

    To import the certificate, you can download the certificate and then double-click on the certificate. MacOS will open it via Keychain by default and ask you if you want to import it. You can refer to the official docs for this.

    wget http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
    

    Note

    How do you know from where to download the certificate if you face this issue with any other domain.

    You can inspect the certificate issued by the server to get the above link. eg:

    $ echo | openssl s_client -connect mirrors.edge.kernel.org:443 2>/dev/null \
      | openssl x509 -noout -text | grep "CA Issuers"
    
     CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
    
    

    PS: I am not able to get my -ext flag to work on the libressl, thus the hacky grep.

    Notice the URL. That is the location of the certificate which you will need to trust in order to trust the brew install. This URL is likely to be present in the Authority Information Access section of the certificate.