5

I've been trying to get CA Certs installed because I'm getting errors when trying to use rosdep init which makes calls to "raw.githubusercontent.com". If I do the same call with wget I'll get the same error:

```
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by ‘CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
```

I have installed ca-certificates. I also tried this on a fresh install and everything worked fine. However, I cannot reinstall on the machine I am on at the moment, is there a way to resolve this some other way?

Joel Holmes

2 Answers

2

I don't have any experience with rosdep, but can you try to update your certificates with:

```
sudo update-ca-certificates -f
```

If that doesn't work and you are sure rosdep is using wget, can you try to add this line to your ~/.wgetrc:

```
check_certificate = off
```

It should ignore certificate errors afterwards. It can be a GitHub issue, so I can't comment on that. I can wget files from raw.githubusercontent.com without any issues, though.

Alca
  • 1
    While this solves my wget issue, it does not solve the overall problem with certificates. 1. rosdep does not appear to use wget. 2. It is still a security concern to have the cert not verified for all wget calls. I was hoping to find a broader solution and was using wget as an example. – Joel Holmes Aug 09 '21 at 20:26
  • I can't repro your issue. I can `sudo rosdep init` also can `update rosdep`. Which `ca-certificates` version is installed on your system? – Alca Aug 09 '21 at 20:42
  • ```
    sudo dpkg -s ca-certificates | grep Version
    Version: 20210119~20.04.1
    ```
    – Joel Holmes Aug 09 '21 at 21:04
  • Hmm, seems you are using an up-to-date version. Have you tried reinstalling `ca-certificates`? If not, can you try reinstalling with `sudo apt-get install --reinstall ca-certificates`? After that, can you confirm `DigiCert` certificates are located in `/etc/ssl/certs`? Here is an output from my system: [https://pastebin.ubuntu.com/p/jcCG29xt6w/](https://pastebin.ubuntu.com/p/jcCG29xt6w/) – Alca Aug 09 '21 at 21:11
  • Yes, I've tried that as well and see multiple certs with DigiCert in the directory.
    ```
    ls /etc/ssl/certs/ | grep DigiCert
    DigiCert_Assured_ID_Root_CA.pem
    DigiCert_Assured_ID_Root_G2.pem
    DigiCert_Assured_ID_Root_G3.pem
    DigiCert_Global_Root_CA.pem
    DigiCert_Global_Root_G2.pem
    DigiCert_Global_Root_G3.pem
    DigiCert_High_Assurance_EV_Root_CA.pem
    DigiCert_Trusted_Root_G4.pem
    ```
    – Joel Holmes Aug 09 '21 at 22:24
  • 1
    Can you try to wget with `--ca-directory=/etc/ssl/certs` param? – Alca Aug 09 '21 at 22:29
  • 1
    Great! So that worked. Now is there an env setting that I have wrong, so that other services aren't looking there for certs? – Joel Holmes Aug 09 '21 at 23:21
  • Afaik there is no env var for that. `update-ca-certificates --fresh` should do the trick. You can try adding `ca_directory=/etc/ssl/certs` to your wgetrc in your home dir as well as in `/etc/wgetrc`. Maybe some app you've installed before broke something; can you check it? – Alca Aug 09 '21 at 23:48
2

In the end, adding this env var to my ~/.bashrc file made the ROS calls work:

```
export SSL_CERT_DIR=/etc/ssl/certs
```
Joel Holmes
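
An added diagnostic, not part of the original posts: it reports which CA file and directory an OpenSSL-backed Python client resolves, including the `SSL_CERT_DIR` override used in the answer above, and whether the directory holds the hash-named entries OpenSSL looks up. It assumes the failing client is built on Python's `ssl` module; the function names are illustrative.

```python
import os
import re
import ssl

# OpenSSL searches a CA directory by subject-hash names such as "a1b2c3d4.0"
# (constructed sample name); descriptively named .pem files alone are not
# found unless matching hash links exist next to them.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def hashed_entries(capath):
    """Return the hash-named entries OpenSSL can look up in capath."""
    if not capath or not os.path.isdir(capath):
        return []
    return sorted(n for n in os.listdir(capath) if HASHED_NAME.match(n))


def trust_store_report(environ=None):
    """Describe where an OpenSSL-backed Python client looks for CAs."""
    environ = os.environ if environ is None else environ
    d = ssl.get_default_verify_paths()
    # The environment variables (normally SSL_CERT_FILE and SSL_CERT_DIR)
    # override the locations compiled into the OpenSSL build.
    cafile = environ.get(d.openssl_cafile_env, d.openssl_cafile)
    capath = environ.get(d.openssl_capath_env, d.openssl_capath)
    return {
        "cafile": cafile,
        "cafile_exists": os.path.isfile(cafile),
        "cafile_from_env": d.openssl_cafile_env in environ,
        "capath": capath,
        "capath_exists": os.path.isdir(capath),
        "capath_from_env": d.openssl_capath_env in environ,
        "hashed_entries": len(hashed_entries(capath)),
    }


def usable(report):
    """True if a CA bundle file exists or the CA dir has hash-named entries."""
    return report["cafile_exists"] or report["hashed_entries"] > 0


if __name__ == "__main__":
    report = trust_store_report()
    for key, value in report.items():
        print(f"{key:16} {value}")
    print("usable:", usable(report))
```

Running it once in the failing shell and once with `SSL_CERT_DIR=/etc/ssl/certs` set shows whether the override changes the resolved directory.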