Homebrew Cask download failure. SSL certificate problem: certificate has expired

I am trying to install NetLogo via Homebrew Cask. I run the following command:

brew cask install netlogo

Homebrew starts the download but immediately throws the following error:

==> Downloading https://ccl.northwestern.edu/netlogo/6.1.1/NetLogo-6.1.1.dmg
#=#=-#  #                                                                     
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Error: Download failed on Cask 'netlogo' with message: Download failed: https://ccl.northwestern.edu/netlogo/6.1.1/NetLogo-6.1.1.dmg

I understand that this is happening due to an expired certificate on the website hosting the NetLogo installer.

Is there a way to work around this issue? For example, is there an argument that could be passed to the brew command to make it ignore the error, or provide a resolution? Or can I manually download the DMG and place it in the Homebrew cache directory so that Homebrew skips downloading when running the install command?


Solution 1:

This is documented here, see also https://curl.haxx.se/mail/lib-2020-06/0010.html and https://security.stackexchange.com/questions/232445/https-connection-to-specific-sites-fail-with-curl-on-macos.

The proposed solution is to set HOMEBREW_FORCE_BREWED_CURL:

HOMEBREW_FORCE_BREWED_CURL=1 brew cask install netlogo

If you run Catalina you can use

export CURL_SSL_BACKEND=secure-transport

to have curl not use LibreSSL (which seems to have the issue).

You can also remove the entry for AddTrust from /etc/ssl/cert.pem (it's the first entry in the file; just remove all that expired at the end of May 2020).

Solution 2:

For people that don't have a brewed installed curl, the accepted answer is not sufficient because it's impossible to install the homebrew curl with invalid certificates (since brew install uses the system curl when the homebrew curl is not available). One way to get around this is to pass the --insecure flag to the system curl when installing the homebrew curl, through the ~/.curlrc file. However, one needs to define the HOMEBREW_CURLRC=1 environment variable prior to this:

edit or create ~/.curlrc file and add "--insecure" to it then:
$ HOMEBREW_CURLRC=1 brew install curl
delete ~/.curlrc file or remove the "--insecure" from it
$ [HOMEBREW_FORCE_BREWED_CURL=1 if needed] brew install whatever

Solution 3:

When I access the URL from here, the SSL certificate is not expired. I would suggest retrying the command now to see if it works.

If you still get the same error, I would check the date & time settings on your computer - they might be incorrect.

If they're correct, I would suggest manually installing the program. The Cask code for this specific app is very simple, so you can easily do it manually.

Simply open this URL in a browser:

https://ccl.northwestern.edu/netlogo/6.1.1/

Download the DMG file for macOS. Double-click the DMG to open it, and install like any other application.

UPDATE: Given the comment below that the question was not asked for the purpose of getting NetLogo installed, but rather to understand why the problem occurs and how to resolve it properly:

When we look closer at the TLS communication with the download server (ccl.northwestern.edu), we see that the problem is actually with the bundled intermediate certificates. That is, the actual certificate for ccl.northwestern.edu is OK and not expired; however, the server replies with a number of intermediate and CA certificates that are expired (in particular the "USERTrust RSA Certification Authority" and "AddTrust External CA Root" certificates).

When you access the site in Safari, you do not get an error, as it uses macOS' built-in certificate store. In Keychain you can validate that macOS by default has an up to date and non-expired CA certificate for "USERTrust RSA Certification Authority". Therefore you do not get any errors here.

However when you use brew-cask, the file is downloaded using curl - and curl does not access the same trust store. If you try to download the file manually on the command line using curl -O you'll get the same error.

The client-side fix for the curl command line is to set the CURL_CA_BUNDLE environment variable to point to a text file that has the updated intermediates. I've tested that and you can then download without warnings.

However brew-cask does not seem to relay that environment variable on to curl, nor does it seem to respect a cacert line in ~/.curlrc.

The optimal way to resolve this problem is to fix the server. Update the intermediate certificate bundle associated with the web site on the server, and the problem will go away.