skaji/cpm

Self-signed certificate verify fails when using HTTP::Tinyish's HTTPTiny backend

Opened this issue · 2 comments

Hi, running into the problem of cpm failing to install distributions using HTTP::Tinyish's HTTPTiny backend when using a self-signed certificate.
Output log when running:
cpm install -v -g --show-build-log-on-failure IO::Socket::SSL
2024-05-14T11:27:25,15225,IO::Socket::SSL| MetaCPAN, 599 Internal Exception, https://fastapi.metacpan.org/v1/download_url/IO::Socket::SSL, SSL connection failed for fastapi.metacpan.org: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-05-14T11:27:25,15225,IO::Socket::SSL| Failed to resolve IO::Socket::SSL

I know cpm is not the cause of this problem, as a self-signed certificate worked for me before, but maybe it helps someone else who bumps into this.
As a workaround, I used the self-contained FatPacker version, where one could modify the backend list content or order in App::cpm::HTTP.

Context:

  • cpm version 0.997017
  • perl version 5.30.3 on docker image ubuntu:18.04 (sha256:dca176c9663a7ba4c1f0e710986f5a25e672842963d95b960191e2d9f7185ebe) built with perl-build version 1.31
  • OpenSSL 1.1.1

  • Does apt-get update && apt-get install ca-certificates libssl1.1 libssl-dev solve your problem?
  • Can you provide a Dockerfile that reproduces your problem?

Hi, sorry for the late reply, but I finally found a way to replicate this on demand.

Dockerfile:

FROM ubuntu:18.04

ARG PATH_TO_SELF_SIGNED_CERT_INSIDE_BUILD_CONTEXT

COPY ${PATH_TO_SELF_SIGNED_CERT_INSIDE_BUILD_CONTEXT} /usr/local/share/ca-certificates/self-signed.crt

RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y \
        apt-transport-https \
        build-essential \
        curl \
        zip \
        unzip \
        locales \
        libssl1.1 \
        libssl-dev \
        zlib1g-dev \
        tzdata \
        perl \
        cpanminus && \
    update-ca-certificates && \
    locale-gen en_US.UTF-8 && \
    apt-get autoremove && \
    apt-get clean && \
    cpanm -n App::cpm && \
    rm -rf /var/lib/apt/lists/* ~/.cpanm

Steps to reproduce:

1. cpm should work with any distribution now (try to avoid indirectly installing IO::Socket::SSL):
    cpm install -v -g --show-build-log-on-failure Moose
2. Now install the latest IO::Socket::SSL distribution:
    cpm install -v -g --show-build-log-on-failure IO::Socket::SSL
    perl -MIO::Socket::SSL -e 'print "$IO::Socket::SSL::VERSION\n"' => 2.085
    perl -MNet::SSLeay -e 'print "$Net::SSLeay::VERSION\n"' => 1.94
3. Installing any distribution from now on using cpm will fail, e.g.:
    cpm install -v -g --show-build-log-on-failure MooseX::Singleton
4. Installing with cpanm still works, e.g.:
    cpanm MooseX::Singleton

Context:

cpm --version
cpm 0.997017 (/usr/local/bin/cpm)
perl version v5.26.1 (/usr/bin/perl)

  %Config:
    archname=x86_64-linux-gnu-thread-multi
    installsitelib=/usr/local/share/perl/5.26.1
    installsitebin=/usr/local/bin
    installman1dir=/usr/share/man/man1
    installman3dir=/usr/share/man/man3
    sitearchexp=/usr/local/lib/x86_64-linux-gnu/perl/5.26.1
    sitelibexp=/usr/local/share/perl/5.26.1
    vendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.26
    vendorlibexp=/usr/share/perl5
    archlibexp=/usr/lib/x86_64-linux-gnu/perl/5.26
    privlibexp=/usr/share/perl/5.26
  %ENV:
  @INC:
    /etc/perl
    /usr/local/lib/x86_64-linux-gnu/perl/5.26.1
    /usr/local/share/perl/5.26.1
    /usr/lib/x86_64-linux-gnu/perl5/5.26
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl/5.26
    /usr/share/perl/5.26
    /usr/local/lib/site_perl
    /usr/lib/x86_64-linux-gnu/perl-base