"curl -Lv https://git.io/getLatestIstio | ISTIO_VERSION=1.2.1 sh -" reports "curl: (60) Peer's Certificate issuer is not recognized."

Hello,

We are currently observing:

$ curl -Lv https://git.io/getLatestIstio | ISTIO_VERSION=1.2.1 sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to git.io port 443 (#0)
*   Trying ::ffff:146.112.43.5...
* Connected to git.io (::ffff:146.112.43.5) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=git.io,O="Cisco Systems, Inc.",L=San Francisco,ST=California,C=US
*       start date: Nov 30 21:03:59 2019 GMT
*       expire date: Dec 05 21:03:59 2019 GMT
*       common name: git.io
*       issuer: CN=Cisco Umbrella Secondary SubCA ash-SG,O=Cisco
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

when attempting to fetch version 1.2.1 of Istio from git.io, above. This began failing some time this afternoon, over an hour ago at this point.

I just tried to run the command (for my Mac) and it was successful. I’m not sure if there was a momentary glitch earlier. I do know I had some pages failing to load on istio.io.

Hello @ericvn,

We’re still observing failure from getLatestIstio unless we disable certificate verification. However, it looks like the link shortener URL changed from:
https://git.io/getLatestIstio

to:
https://istio.io/downloadIstio

with the latest version of Istio. I’m not sure where on the Istio website the change might be documented. The current URL is documented here:

So, for us, this problem is resolved.

I’m glad you got things working. I do know some of the link shorteners changed. I believe the issue with git.io was that we couldn’t update the destination URL. Moving to istio.io, we can update the destination if we need to.

@ericvn,

Thanks for following up with us!
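
An added example, not part of any post in this thread: a small shell helper that reads `curl -v` output in the NSS format shown in the first post, extracts the certificate fields, and compares the issuer with a string the operator expects for that host. The function names and the `EXPECTED_ISSUER` placeholder are assumptions for illustration; the sample lines are copied from the output posted above.

```shell
#!/bin/sh
# Added example: read the certificate fields that `curl -v` prints and
# check the issuer against the one the operator expects for the host.

# Sample input: lines copied from the verbose output in the first post.
SAMPLE='* Server certificate:
*       subject: CN=git.io,O="Cisco Systems, Inc.",L=San Francisco,ST=California,C=US
*       start date: Nov 30 21:03:59 2019 GMT
*       expire date: Dec 05 21:03:59 2019 GMT
*       common name: git.io
*       issuer: CN=Cisco Umbrella Secondary SubCA ash-SG,O=Cisco
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)'

# Placeholder (assumption): substring of the issuer DN the operator expects.
EXPECTED_ISSUER='EXPECTED-ISSUER-PLACEHOLDER'

# cert_field NAME: print the value of the first "*   NAME: value" line on stdin.
cert_field() {
    sed -n "s/^\*[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# issuer_status EXPECTED: classify curl -v output read from stdin.
#   prints "expected-issuer"            and returns 0 on a match
#   prints "unexpected-issuer: <DN>"    and returns 1 on a mismatch
#   prints "no-certificate-seen"        and returns 2 if no issuer line exists
issuer_status() {
    expected=$1
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | cert_field issuer)
    [ -n "$issuer" ] || { echo "no-certificate-seen"; return 2; }
    case "$issuer" in
        *"$expected"*) echo "expected-issuer" ;;
        *) echo "unexpected-issuer: $issuer"; return 1 ;;
    esac
}

# Show which certificate was actually presented in the sample.
printf 'subject: %s\n' "$(printf '%s\n' "$SAMPLE" | cert_field subject)"
printf 'issuer:  %s\n' "$(printf '%s\n' "$SAMPLE" | cert_field issuer)"
```

To check a live host, pipe `curl -sv <url> -o /dev/null 2>&1` into `issuer_status`; this only parses the NSS-style lines shown above, and other curl TLS backends format the certificate block differently.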