Cannot install anything with brew, Error: Failed to download resource "git--html"

curl openssl ssl-certificate homebrew osx-yosemite

12,456

Solution 1

Looks like the downloader (a version of curl in this case) is not trusting the CA certificate on the https://mirrors.edge.kernel.org domain. You can try importing the CA that is presented by this webserver (Depends if you really trust the CA).

To import the certificate, you can download the certificate and then double-click on the certificate. MacOS will open it via Keychain by default and ask you if you want to import it. You can refer to the official docs for this.

wget http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt

Note

How do you know from where to download the certificate if you face this issue with any other domain.

You can inspect the certificate issued by the server to get the above link. eg:

$ echo | openssl s_client -connect mirrors.edge.kernel.org:443 2>/dev/null \
  | openssl x509 -noout -text | grep "CA Issuers"

 CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt

PS: I am not able to get my -ext flag to work on the libressl, thus the hacky grep.

Notice the URL. That is the location of the certificate which you will need to trust in order to trust the brew install. This URL is likely to be present in the Authority Information Access section of the certificate.

Solution 2

To anyone reading who tried both the answers here to no avail (like me), I found a workaround for the annoying curl (60) issue. Run the following:

MacBook:~ leetbacoon$ nano ~/.curlrc
Add -k on its own line (I didn't have a .curlrc file, so the entire file is just -k with a newline, of course)
Run your brew install/upgrade and it should download from mirrors.edge.kernel.org or any other sites with SSL certificate issues

curl, by default, reads from ~/.curlrc as a config file. -k instructs curl to ignore SSL certificate problems, which is what we want in this case. I advise removing -k from your config file afterwards.

My setup is using El Capitan 10.11.6 / Homebrew 2.5.2 / ruby 2.0.0p648 but do not have rvm. Coincidentally, I was also trying to install git and ran into this issue.

12,456

Author by

Alex Reed

Updated on June 23, 2022

Comments

Alex Reed almost 2 years

Whenever I try and run brew install <app>, such as brew install git, i get the following error:

$ brew install git
Updating Homebrew...
Warning: You are using macOS 10.10.
We (and Apple) do not provide support for this old version.
You will encounter build failures with some formulae.
Please create pull requests instead of asking for help on Homebrew's GitHub,
Discourse, Twitter or IRC. You are responsible for resolving any issues you
experience while you are running this old version.

==> Downloading https://ftp.gnu.org/gnu/gettext/gettext-0.21.tar.xz
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/fbd8967fd8256b2e1856b74e8ff0f3d8371cb652c5768e47649613a69d4dc841--gettext-0.21.tar.xz
==> Downloading https://ftp.pcre.org/pub/pcre/pcre2-10.35.tar.bz2
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/48997c77a7dae2fb85d52234e92e9032019609e091e23d72529d1e552978a260--pcre2-10.35.tar.bz2
==> Downloading https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldoc

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: Failed to download resource "git--html"
Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldocs-2.28.0.tar.xz
Warning: You are using macOS 10.10.
We (and Apple) do not provide support for this old version.
You will encounter build failures with some formulae.
Please create pull requests instead of asking for help on Homebrew's GitHub,
Discourse, Twitter or IRC. You are responsible for resolving any issues you
experience while you are running this old version.

==> Downloading https://ftp.gnu.org/gnu/gettext/gettext-0.21.tar.xz
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/fbd8967fd8256b2e1856b74e8ff0f3d8371cb652c5768e47649613a69d4dc841--gettext-0.21.tar.xz
==> Downloading https://ftp.pcre.org/pub/pcre/pcre2-10.35.tar.bz2
Already downloaded: /Users/admin/Library/Caches/Homebrew/downloads/48997c77a7dae2fb85d52234e92e9032019609e091e23d72529d1e552978a260--pcre2-10.35.tar.bz2
==> Downloading https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldoc

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: Failed to download resource "git--html"
Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldocs-2.28.0.tar.xz

I have tried the answers to this post and have had no luck. I also prefer not to use curl's -k or --insecure

I am using

OSX Yosemite 10.10.5
Homebrew 2.4.9
rvm 1.29.10
ruby 2.0.0

Update: I tried uninstalling and reinstalling homebrew, and on the reinstall I got this message again:

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: Failed to download resource "git--html"
Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htmldocs-2.28.0.tar.xz

Update 2: When I run brew doctor, I am given an unreasonably lengthy list of unexpected header files. Are these related to my problem? If so, what is the best way to go about deleting all of them?

Update 3: I ended up resorting to using curl's -k. Only trouble is that when I did it, the terminal gave me hundreds of lines of what seems to be random characters in return. Anyone knows what this is? Not sure what to do here

Update 4: Not sure if this is related, but when I try and install ruby 2.3., I get this error:

Error running '__rvm_make -j4',
please read /Users/admin/.rvm/log/1596996566_ruby-2.3.8/make.log

This is the log

Alex Reed over 3 years

what do you mean by my packages folder?
Alex Reed over 3 years

Did I do something wrong? Not getting a link: Error: Failed to download resource "git--html" Download failed: https://mirrors.edge.kernel.org/pub/software/scm/git/git-htm‌ldocs-2.28.0.tar.xz KariHeitadsiMac:~ admin$ echo | openssl s_client -connect https://mirrors.edge.kernel.org/pub/software/scm/git/git-htm‌ldocs-2.28.0.tar.xz:‌443 2>/dev/null | openssl x509 -noout -text | grep "CA Issuers" unable to load certificate 25008:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/p‌em/pem_lib.c:648:Exp‌ecting: TRUSTED CERTIFICATE
prateeknischal over 3 years

Yes, you openssl command has the complete URL.. you just need the hostname.. openssl s_client -connect mirrors.edge.kernel.org:443
bays2023 over 3 years

By package's folder, I mean the folder that homebrew puts on your disc that contains everything needed for what you downloaded.
Nathan Garabedian over 3 years

To add to this comment, after I downloaded the certificate, opened it with 'open certfile.ext' and added it to the keystore as a system certificate (assuming mac homebrew), I also had to open the certificate from within the trust store and choose "trust always". That fixed it (for me on El Capitan). No need to logout/login. Also, avoid the .curlrc answer below, although it's cool to know that exists, it would skip TLS cert chain validation which is the basis for trust.