5

I've been trying to get CA Certs installed because I'm getting errors when trying to use rosdep init which makes calls to "raw.githubusercontent.com". If I do the same call with wget I'll get the same error:

ERROR: cannot verify raw.githubusercontent.com's certificate, issued by ‘CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.

I have installed ca-certificates. I also tried this on a fresh install and everything worked fine. However, I cannot reinstall on the machine I am on at the moment, is there a way to resolve this some other way?

Joel Holmes
  • 171

2 Answers2

2

I don't have any experience with rosdep but can you try to update your certificates with;

sudo update-ca-certificates -f

If that doesn't work and you sure rosdep is using wget can you try to add this line to your ~/.wgetrc

check_certificate = off

It should ignore certificate errors afterwards. It can be GitHub issue so can't comment on that. I can wget files from raw.githubusercontent.com without any issues tho.

Alca
  • 190
  • 1
    While this solves my wget issue it does not solve the overall problem with certificates.
    1. rosdep does not appear to use wget
    2. It is still a security concern to have the cert not verified for all wget calls

    I was hoping to find a broader solution and was using wget as an example.

     – Joel Holmes Aug 09 '21 at 20:26
  • I can't repro your issue. I can sudo rosdep init also can update rosdep. Which ca-certificates version is installed on your system? – Alca Aug 09 '21 at 20:42
  • Version: 20210119~20.04.1``` – Joel Holmes Aug 09 '21 at 21:04
  • Hmm seems you are using up to date version. Have you tried reinstalling ca-certificates? If not can you try reinstalling with sudo apt-get install --reinstall ca-certificates, after that can you confirm DigiCert certificates are located in /etc/ssl/certs. Here is a output from my system: https://pastebin.ubuntu.com/p/jcCG29xt6w/ – Alca Aug 09 '21 at 21:11
  • Yes I've tried that as well and see multiple certs with DigiCert in the directory. 
    DigiCert_Assured_ID_Root_CA.pem
DigiCert_Assured_ID_Root_G2.pem
DigiCert_Assured_ID_Root_G3.pem
DigiCert_Global_Root_CA.pem
DigiCert_Global_Root_G2.pem
DigiCert_Global_Root_G3.pem
DigiCert_High_Assurance_EV_Root_CA.pem
DigiCert_Trusted_Root_G4.pem
    – Joel Holmes Aug 09 '21 at 22:24
  • 1
    Can you try to wget with --ca-directory=/etc/ssl/certs param? – Alca Aug 09 '21 at 22:29
  • 1
    Great! So that worked. Now is there a env setting that I have wrong that other services aren't looking there for certs? – Joel Holmes Aug 09 '21 at 23:21
  • Afaik there is no env var for that. update-ca-certificates --fresh should do the trick. You can try adding ca_directory=/etc/ssl/certs to your wgetrc in your home dir as well as in /etc/wgetrc. Maybe some app you've installed before broke something can you check it? – Alca Aug 09 '21 at 23:48
2

In the end adding this env var to my ~.bashrc file made the ROS calls work:

export SSL_CERT_DIR=/etc/ssl/certs
Joel Holmes
  • 171