Homebrew Cask download failure. SSL certificate problem: certificate has expired
I am trying to install NetLogo via Homebrew Cask. I run the following command:
brew cask install netlogo
Homebrew starts the download but immediately throws the following error:
==> Downloading https://ccl.northwestern.edu/netlogo/6.1.1/NetLogo-6.1.1.dmg
#=#=-# #
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Error: Download failed on Cask 'netlogo' with message: Download failed: https://ccl.northwestern.edu/netlogo/6.1.1/NetLogo-6.1.1.dmg
I am understanding that it is happening due to expired certificate on the website hosting NetLogo installer.
Is there a way to work around this issue? For example is there an argument that could be passed to brew
command to make it ignore the error? or provide a resolution? or can I manually download the DMG and place it in the Homebrew cache directory so that Homebrew skips downloading when running the install command?
Solution 1:
This is documented here, see also https://curl.haxx.se/mail/lib-2020-06/0010.html and https://security.stackexchange.com/questions/232445/https-connection-to-specific-sites-fail-with-curl-on-macos.
The proposed solution is to set HOMEBREW_FORCE_BREWED_CURL
HOMEBREW_FORCE_BREWED_CURL=1 brew cask install netlogo
If you run Catalina you can use
export CURL_SSL_BACKEND=secure-transport
to have curl
not use LibreSSL (which seems to have the issue).
You can also remove the entry for AddTrust
from /etc/ssl/cert.pem
(it's the first entry in the file, just remove all which expired end of May 2020).
Solution 2:
For people that don't have a brewed installed curl
, the accepted answer is not sufficient because it's impossible to install the homebrew curl
with invalid certificates (since brew install
uses the system curl
when the homebrew curl
is not available). One way to get around this is to pass the --insecure
flag to the system curl
when installing the homebrew curl
, through the ~/.curlrc
file. However, one needs to define the HOMEBREW_CURLRC=1
environment variable prior to this:
edit or create ~/.curlrc file and add "--insecure" to it then:
$ HOMEBREW_CURLRC=1 brew install curl
delete ~/.curlrc file or remove the "--insecure" from it
$ [HOMEBREW_FORCE_BREWED_CURL=1 if needed] brew install whatever
Source
Solution 3:
When I access the URL from here, the SSL certificate is not expired. I would suggest to retry the command now to see if it works.
If you still get the same error, I would check the date & time settings on your computer - they might be incorrect.
If they're correct, I would suggest manually installing the program. The Cask code for this specific app is very simple, so you can easily do it manually.
Simply open this URL in a browser:
https://ccl.northwestern.edu/netlogo/6.1.1/
Download the DMG file for macOS. Double-click the DMG to open it, and install like any other application.
UPDATE: Given the comment below that the question was not asked for the purpose of getting NetLogo installed, but rather to understand why the problem occurs and how to resolve it properly:
When you look closer at the TLS communication with the download server (ccl.northwestern.edu), we see that the problem is actually with the bundled intermediate certificates. I.e. the actual certificate for ccl.northwestern.edu is OK and not expired, however the server replies with a number of intermediates and CA certificates that are expired (in particular the "USERTrust RSA Certification Authority" and "AddTrust Extdernal CA Root" certificates).
When you access the site in Safari, you do not get an error, as it uses macOS' built-in certificate store. In Keychain you can validate that macOS by default has an up to date and non-expired CA certificate for "USERTrust RSA Certification Authority". Therefore you do not get any errors here.
However when you use brew-cask
, the file is downloaded using curl
- and curl
does not access the same trust store. If you try to download the file manually on the command line using curl -O
you'll get the same error.
The client-side fix for the curl
command line is to set CURL_CA_BUNDLE
environment to point to a text file that has the updated intermediates. I've tested that and you can then download without warnings.
However brew-cask
does not seem to relay that environment variable on to curl
, nor does it seem to respect a cacert
line in ~/.curlrc.
The optimal way to resolve this problem is to fix the server. Update the intermediate certificate bundle associated with the web site on the server, and the problem will go away.