Opened 4 years ago

Closed 4 years ago

Last modified 12 months ago

#62596 closed defect (worksforme)

aom @3.0.0: Failed to fetch aom: Git clone failed -- self signed certificate in certificate chain

Reported by: RobK88
Owned by: MarcusCalhoun-Lopez (Marcus Calhoun-Lopez)
Priority: Normal
Milestone:
Component: ports
Version: 2.6.4
Keywords: lion
Cc:
Port: aom

Description (last modified by RobK88)

I am unable to upgrade aom on my Mac running Lion. Looks like an SSL certificate problem.

sudo port -v upgrade outdated
--->  Computing dependencies for aom.
--->  Fetching distfiles for aom
Cloning into '/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_multimedia_aom/aom/work/aom-3.0.0'...
fatal: unable to access 'https://aomedia.googlesource.com/aom.git/': SSL certificate problem: self signed certificate in certificate chain
Command failed: /opt/local/bin/git clone --progress https://aomedia.googlesource.com/aom.git /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_multimedia_aom/aom/work/aom-3.0.0 2>&1
Exit code: 128
Error: Failed to fetch aom: Git clone failed
Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_multimedia_aom/aom/main.log for details.
Error: Problem while installing aom
Error: Follow https://guide.macports.org/#project.tickets to report a bug.

Change History (11)

comment:1 Changed 4 years ago by RobK88

Description: modified (diff)

comment:2 Changed 4 years ago by RobK88

Summary: aom - Failed to fetch aom: Git clone failed → aom - Failed to fetch aom: Git clone failed -- self signed certificate in certificate chain

comment:3 Changed 4 years ago by mf2k (Frank Schima)

Cc: mcalhoun@… removed
Owner: set to MarcusCalhoun-Lopez
Status: new → assigned

comment:4 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)

Keywords: lion added; Lion removed
Summary: aom - Failed to fetch aom: Git clone failed -- self signed certificate in certificate chain → aom @3.0.0: Failed to fetch aom: Git clone failed -- self signed certificate in certificate chain

comment:5 Changed 4 years ago by MarcusCalhoun-Lopez (Marcus Calhoun-Lopez)

I am afraid I do not know how to proceed with this ticket.
I cannot reproduce the problem, and I am far from an expert on Git.
You might have more luck asking on the MacPorts mailing list.

comment:6 Changed 4 years ago by RobK88

I do not think it is a git issue.

I can clone aom using git on the command line.

$ git clone https://aomedia.googlesource.com/aom.git
Cloning into 'aom'...
remote: Finding sources: 100% (43/43)
remote: Total 233843 (delta 186494), reused 233818 (delta 186494)
Receiving objects: 100% (233843/233843), 295.25 MiB | 3.89 MiB/s, done.
Resolving deltas: 100% (186494/186494), done.

But for some reason MacPorts cannot use git to clone the repo.

comment:7 Changed 4 years ago by RobK88

I found the problem and a workaround for now.

The problem with Macs running an old OS, like Lion, is the lack of SSL 1.2 support. So I installed an SSL proxy server using squid.

See https://forums.macrumors.com/threads/fixing-https-issues-on-old-versions-of-os-x.2281326/

To make the SSL proxy server work, I need to use a self signed cert. Until now, I forgot all about this self signed cert! Sorry.

When I disable the SSL proxy server, MacPorts can use git to clone the aom repo and install the port. So the workaround for now is to disable the SSL proxy server.

P.S. Here is the strange part. When the SSL proxy server is enabled, I can use git on the command line to clone the aom repo!

$ git clone https://aomedia.googlesource.com/aom.git
Cloning into 'aom'...
remote: Finding sources: 100% (43/43)
remote: Total 233843 (delta 186494), reused 233818 (delta 186494)
Receiving objects: 100% (233843/233843), 295.25 MiB | 3.89 MiB/s, done.
Resolving deltas: 100% (186494/186494), done.

The "git clone" only fails when MacPorts tries to clone the repo with the SSL proxy server enabled. Strange.

If you know of a better solution than disabling the SSL proxy, please let me know.

Eventually, MacPorts will need to use an SSL proxy server to enable SSL 1.2 to download files on older Macs.

comment:8 Changed 4 years ago by MarcusCalhoun-Lopez (Marcus Calhoun-Lopez)

Thank you for the information.
I am sure it will prove useful in the future.

Since you found a workaround and git clone works on a "vanilla" system, may I close this ticket?


comment:9 Changed 4 years ago by RobK88

Yes, Marcus, go ahead and close the ticket.

P.S. For those reading this ticket in the future, I have a self signed cert used for my SSL Proxy server stored in Apple's keychain. It is set as trusted for all users.

As a result, "git clone" works fine on the command line. But for some reason MacPorts does not like the self signed cert. The workaround is simply to disable the SSL proxy and run MacPorts. Once you are finished, enable the SSL proxy server again. Not a great workaround.

I did not try to add the self signed cert to the git cert store since I do not think that the issue is with git. And I do not even know if git uses its own cert store on the Mac platform. I could not find it! "git config --list --show-origin" returns nothing.

See https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows

https://stackoverflow.com/questions/23807313/adding-self-signed-ssl-certificate-without-disabling-authority-signed-ones

http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/
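
What the error in this ticket's log means at the certificate level, as an added example that is not part of the ticket: it builds a constructed proxy CA and leaf with the openssl CLI (assumed to be installed; every name is made up) and verifies the same chain against a trust bundle without and with the proxy CA, which is how two TLS clients on one host can disagree about one intercepting proxy.

```shell
#!/bin/sh
# Added example: all subjects, host names and file names are constructed.

# Build the constructed certificates in directory $1.
make_chain() {
    d=$1
    # Self-signed root standing in for the intercepting proxy's certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Proxy CA" \
        -keyout "$d/proxy-ca.key" -out "$d/proxy-ca.pem" 2>/dev/null || return 1
    # Unrelated root standing in for a stock bundle that lacks the proxy CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Public CA" \
        -keyout "$d/public-ca.key" -out "$d/stock-bundle.pem" 2>/dev/null || return 1
    # Leaf the proxy issues for the upstream host name.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=git.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 2 -CAcreateserial \
        -CA "$d/proxy-ca.pem" -CAkey "$d/proxy-ca.key" \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    # Bundle of a client that was told to trust the proxy CA as well.
    cat "$d/stock-bundle.pem" "$d/proxy-ca.pem" > "$d/with-proxy-bundle.pem"
}

# Print the OpenSSL verify error number for the chain the proxy presents
# (leaf plus its root, passed as untrusted) against bundle $2; 0 = trusted.
verify_code() {
    if out=$(openssl verify -CAfile "$2" -untrusted "$1/proxy-ca.pem" \
            "$1/leaf.pem" 2>&1); then
        echo 0
        return 0
    fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    echo "stock bundle:         error $(verify_code "$d" "$d/stock-bundle.pem")"
    echo "bundle with proxy CA: error $(verify_code "$d" "$d/with-proxy-bundle.pem")"
    rm -rf "$d"
}

demo
```

Error 19 is OpenSSL's "self signed certificate in certificate chain". For a git that reads its CA bundle from a file, `http.sslCAInfo` or `GIT_SSL_CAINFO` selects that bundle.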

comment:10 Changed 4 years ago by MarcusCalhoun-Lopez (Marcus Calhoun-Lopez)

Resolution: worksforme
Status: assigned → closed

comment:11 Changed 12 months ago by COOLak

Sorry for raising this old ticket, but how do I even disable my SSL proxy? I'm a complete noob and have no idea how to do it. I have the same problem and can't install Zenity because of it.
