Rust installer fails with SSL error

Our build is based on Rust and was working fine for months, but today stopped to work just on initial rust installer step:

curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain stable

^D^Dinfo: downloading installer
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
rustup: command failed: downloader https://static.rust-lang.org/rustup/dist/x86_64-apple-darwin/rustup-init /var/folders/ms/xg67k5sn16xc7sdr_w3q45840000gn/T/tmp.0uihcdsY/rustup-init
Exited with code 1

Is there anything changed? How I can fix the build?

Are you on the Docker executor? If so, what parent image are you using? I expect there was an upstream change.

Have a look at the first steps in your last successful build and your first failed build - there you can see the digest of the image that was used. If this changed at that point then the upstream is probably the culprit. A quick fix is to use that hash, until you can work out what the new image is missing:

We don’t use Docker currently, it’s a Macos build actually.

The build config is:

version: 2
jobs:
  build:
    macos:
      xcode: "9.0"

    steps:
      - checkout

      - run:
          name: Install required software
          command: |
              curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable

The two curl commands you have posted are different. The second one seems to have TLS protocol specs - what happens if you adjust/remove that?

I was trying to find a working combination, but no success, both commands doesn’t work. But first command was working for months, until recent days.

What version of curl are you running? Might be worth looking at how old it is.

Also, check this search - it looks like a common TLS error rather than a CircleCI problem specifically.

It’s a standard Curl provided by CircleCI build server. Example above is an exact copy-paste of the build script, no single line before curl was modified. I think I can check which version CircleCI uses, I just though you’re employer of CircleCI.

Simple curl https://sh.rustup.rs -sSf was working for months before, but suddenly stopped to work. I googled before posting, but I was unable to find anything close to my situation. It looks more like a bug on CircleCI side, so letting company know about it.

No, just a “Regular”, it should say so next to my avatar. I am a free-tier CircleCI user.

I think a new OS X image went out recently. But, if the TLS version on the remote side is really old, then the new OS X image may have correctly deprecated it. (Just giving you ideas to look into here, I have no idea about the TLS configuration on this site in particular).

That said, you could try other things. Is wget available on this platform?

Looks like it works now?

@halfer yeah, sorry, I didn’t notice that badge.

@FelicianoTech yes, started to work suddenly.

1 Like

Cool. Tells me something was temporarily up with HTTP/TLS on either our macOS machines or on Rust’s servers. Either way, it was fixed.