
build istio/istio 1.6.0 from master - curl: (60) SSL certificate problem


I am trying to build istio/istio from master using make build, according to https://github.com/istio/istio/wiki/Using-the-Code-Base . When the build script tries to download istio-proxy, curl exits with an error code:

...
Downloading Envoy: curl -fLSs https://github.com/istio/proxy/releases/download/1.0.2/istio-proxy-1.0.2-macos.tar.gz to /work/out/darwin_amd64/release/envoy-1.0.2
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
...

I visited https://curl.haxx.se/docs/sslcerts.html , downloaded the latest version of cacert.pem and put it at /etc/ssl/certs/cacert.pem.

After that I could download istio-proxy-1.0.2-macos.tar.gz manually (using curl):

curl -L https://github.com/istio/proxy/releases/download/1.0.2/istio-proxy-1.0.2-macos.tar.gz --output some-output-file
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   620  100   620    0     0   1383      0 --:--:-- --:--:-- --:--:--  1383
100 7947k  100 7947k    0     0   631k      0  0:00:12  0:00:12 --:--:-- 1359k

but the error still occurs when running make build.

When I use curl with -k (Allow insecure server connections when using SSL), I get "You are being redirected.":

<html><body>You are being <a href="https://github-production-release-asset-2e65be.s3.amazonaws.com/75322405/f13ffa80-b53b-11e8-9527-2a586cbda4ad?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200304%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20200304T111428Z&amp;X-Amz-Expires=300&amp;X-Amz-Signature=73a2788ecc120b520a6ddeb237b8bbd74a035f71e3aed8f5ee2de6f463abf3fc&amp;X-Amz-SignedHeaders=host&amp;actor_id=0&amp;response-content-disposition=attachment%3B%20filename%3Distio-proxy-1.0.2-macos.tar.gz&amp;response-content-type=application%2Foctet-stream">redirected</a>.</body></html>

OS: macOS Catalina 10.15.1


Solution

  • tmp solution => add the -k option to

    ...
    if command -v curl > /dev/null; then
        if curl --version | grep Protocols  | grep https > /dev/null; then
          DOWNLOAD_COMMAND='curl -kfLSs'
          return
    ...
    

    in bin/init.sh => wherever DOWNLOAD_COMMAND is used, an insecure connection is used.

    I know it's a bad idea...
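
An alternative to the -k workaround above, as an added example that is not part of the original post or of istio's bin/init.sh: keep certificate verification on and pass curl the CA bundle to trust with --cacert. It assumes the certificate that triggers error 60 belongs to a root CA you actually trust and have exported as PEM; EXTRA_CA_BUNDLE and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. EXTRA_CA_BUNDLE and all function names are hypothetical;
# they are not defined by istio's build scripts.

# Succeeds if $1 is a readable file containing at least one PEM certificate.
is_pem_bundle() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints the download command. With no argument: curl with its default trust
# store. With a bundle path: curl verifying against that bundle. Fails closed
# (non-zero, nothing on stdout) if the bundle is unusable; never falls back to -k.
pick_download_command() {
    bundle="${1:-}"
    if [ -z "$bundle" ]; then
        printf '%s\n' 'curl -fLSs'
        return 0
    fi
    case "$bundle" in
        *\ *)  # the command string is word-split when used, so reject spaces
            printf 'CA bundle path contains a space: %s\n' "$bundle" >&2
            return 1 ;;
    esac
    if ! is_pem_bundle "$bundle"; then
        printf 'CA bundle missing or not PEM: %s\n' "$bundle" >&2
        return 1
    fi
    printf '%s\n' "curl -fLSs --cacert $bundle"
}

# Heuristic check for scripts and CI: does a curl command line disable
# certificate verification (-k inside a short-flag group, or --insecure)?
has_insecure_flag() {
    for word in $1; do
        case "$word" in
            --insecure) return 0 ;;
            --*) ;;                 # other long options are fine
            -*k*) return 0 ;;       # e.g. -k or -kfLSs
        esac
    done
    return 1
}

DOWNLOAD_COMMAND=$(pick_download_command "${EXTRA_CA_BUNDLE:-}") || exit 1
```

If the build runs in a different environment from the shell where the manual download worked, the bundle path has to be readable there as well.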