On Dec 5, 2019, at 09:02, René J.V. Bertin wrote:
> Any suggestions how I can work around this kind of error (on OSX 10.9.8)?
>
> {{{
> ---> Attempting to fetch kcontacts-19.08.3.tar.xz from
> https://download.kde.org/stable/applications/19.08.3/src
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> Warning: Fetching distfile failed: SSL certificate problem: Invalid
> certificate chain
> }}}
>
> The instructions I found on stackexchange didn't work for me.

You didn't mention what instructions you're referring to or what port this is
about, but I am able to reproduce a certificate error if I try to use
/usr/bin/curl to access that URL on OS X 10.9. I guess the server imposes such
hefty encryption requirements on its clients that 10.9's bundled curl/openssl
isn't able to accommodate them. Same goes for OS X 10.10 and 10.11. The problem
disappears on macOS 10.12 and later.

You can use a different method to fetch the file (for example MacPorts curl or
Safari or another web browser) and put it in the right place on your system:

https://trac.macports.org/wiki/ProblemHotlist#fetch-failures

Or you can recompile MacPorts linked to a newer libcurl/openssl that is able to
talk to that server.

If this is a port that is in our port collection, ideally we would have already
mirrored the file on our servers, from which MacPorts would then be able to
fetch it since our server doesn't impose such strenuous encryption
requirements. Unfortunately, the mirroring currently happens on a machine
running OS X 10.11, so it would also fail to download from this server. We
should do our mirroring on a newer version of macOS, but making that change to
our server infrastructure is nontrivial.

You might want to bring this problem to the attention of whoever runs that
server. They may not realize that the restrictions they've put in place impact
OS versions as recent as OS X 10.11. They may be willing to relax their
restrictions somewhat so that older systems can still connect.
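
Added example (not part of the original message and not MacPorts' own code): after fetching the distfile by another method as suggested above, this shell function checks the file's SHA-256 against the value in the port's Portfile before copying it into the distfiles directory. It assumes the default prefix /opt/local and that the distfiles subdirectory is the port name; place_distfile and sha256_of are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Assumptions: default MacPorts prefix, and distfiles stored in
# $DISTROOT/<subdir>/ where <subdir> is normally the port name.
DISTROOT="${DISTROOT:-/opt/local/var/macports/distfiles}"

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# place_distfile FILE SUBDIR EXPECTED_SHA256
# EXPECTED_SHA256 is the sha256 value from the Portfile's checksums
# (viewable with `port cat <portname>`). The file is copied only on a match,
# so a download made outside MacPorts is not trusted blindly.
place_distfile() {
    file=$1; subdir=$2; expected=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ -n "$expected" ] || { echo "no expected checksum given" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    # Hex digests may be written in either case; compare in lower case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mkdir -p "$DISTROOT/$subdir" &&
        cp "$file" "$DISTROOT/$subdir/" &&
        echo "installed $DISTROOT/$subdir/$(basename "$file")"
}

# Usage (as root, since the distfiles directory is not user-writable):
#   place_distfile ~/Downloads/<distfile> <portname> <sha256-from-Portfile>
```

MacPorts still runs its own checksum phase on the next build, so a mismatched file would be rejected there too; checking first keeps a bad download out of the distfiles directory.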