[Pkg-rust-maintainers] Bug#953668: Bug#953668: cargo fails to find default X.509 certificates to validate https on powerpc

Fabian Gr├╝nbichler f.gruenbichler at proxmox.com
Thu Mar 12 10:07:08 GMT 2020

On March 12, 2020 12:06 am, Daniel Kahn Gillmor wrote:
> Package: cargo
> Version: 0.40.0-3
> Starting from an empty ~/.cargo, by default on the powerpc platform,
> cargo fails to find the right X.509 certificates to validate an https
> connection to github.com.
> But if i explicitly point at the standard CA certificates location, it
> all seems to work:
> ```
> (sid_powerpc-dchroot)dkg at perotto:~$ rm -rf .cargo
> (sid_powerpc-dchroot)dkg at perotto:~$ strace -f -o cargo-clean.strace cargo search bindgen
>     Updating crates.io index
> error: failed to update registry `https://github.com/rust-lang/crates.io-index`
> Caused by:
>   failed to fetch `https://github.com/rust-lang/crates.io-index`
> Caused by:
>   the SSL certificate is invalid: 0x08 - The certificate is not correctly signed by the trusted CA; class=Ssl (16); code=Certificate (-17)


> This might well be a bug in some dependency of cargo, of course.  feel
> free to reassign the bug report if you can narrow it down.

I am not sure whether we want to work around it in cargo (by defaulting 
to that location, for example), but this is related to


libgit2 picks up an installed ca-certificates if available in the 
build-env, but does not build-depend on it. if it was available, it sets 
the default CA certificate location accordingly (at build time), and 
cargo works. if it was not available, the certs provided by 
ca-certificates need to be passed in explicitly by any user of libgit2.

the amd64 buildds seem to have ca-certificates installed, the powerpc 
porter buildds don't. it is broken in the most recent libgit2 version as 

More information about the Pkg-rust-maintainers mailing list