[GH-ISSUE #665] "/etc/pki/tls/certs/ca-bundle.crt is not readable" on Ubuntu 16.04 #378

Closed
opened 2026-03-04 01:44:57 +03:00 by kerem · 3 comments

Originally created by @wheelerlaw on GitHub (Oct 31, 2017).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/665

Additional Information

The following information is very important in order to help us to help you. Omission of the following details may delay your support request or receive no attention at all.

  • Version of s3fs being used (s3fs --version)
    Amazon Simple Storage Service File System V1.79(commit:unknown) with GnuTLS(gcrypt)

  • Version of fuse being used (pkg-config --modversion fuse)
    2.9.4-1ubuntu3.1

  • System information (uname -a)
    Linux DEV-M-234SW 4.10.0-37-generic #41~16.04.1-Ubuntu SMP Fri Oct 6 22:42:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

  • Distro (cat /etc/issue)
    Ubuntu 16.04.3 LTS \n \l

  • s3fs command line used (if applicable)
    sudo s3fs wlaw ecs-wlaw -o url="https://namespace.ecs-hostname:9021/" -o use_path_request_style -o dbglevel=debug -f

  • /etc/fstab entry (if applicable):
    none

  • s3fs syslog messages (grep s3fs /var/log/syslog, or s3fs outputs)
    if you execute s3fs with dbglevel, curldbg option, you can get detail debug messages
[CRT] set_s3fs_log_level(250): change debug level from [CRT] to [DBG] 
[INF]     set_moutpoint_attribute(4088): PROC(uid=0, gid=0) - MountPoint(uid=1001, gid=1001, mode=40775)
[CRT] s3fs_init(3294): init v1.79(commit:unknown) with GnuTLS(gcrypt)
[INF] s3fs_check_service(3650): check services.
[INF]       CheckBucket(2637): check a bucket.
[INF]       prepare_url(4085): URL is https://selfserve.objlab.paychex.com:9021/wlaw/
[INF]       prepare_url(4117): URL changed is https://selfserve.objlab.paychex.com:9021/wlaw/
[INF]       insertV4Headers(2069): computing signature [GET] [/] [] []
[INF]       url_to_host(99): url is https://selfserve.objlab.paychex.com:9021
[DBG] RequestPerform(1726): connecting to URL https://selfserve.objlab.paychex.com:9021/wlaw/
[ERR] RequestPerform(1828): ### CURLE_SSL_CACERT
[ERR] LocateBundle(614): s3fs: /etc/pki/tls/certs/ca-bundle.crt is not readable
[CRT] RequestPerform(1834): could not get CURL_CA_BUNDLE.

Details about issue

s3fs can't find the ca-bundle.crt on Ubuntu 16.04 after a fresh installation of the package using apt-get. This issue (https://askubuntu.com/questions/342484/etc-pki-tls-certs-ca-bundle-crt-not-found) suggests that the ca-bundle is located elsewhere. I haven't tried creating a symbolic link or building s3fs from source yet.

kerem 2026-03-04 01:44:57 +03:00
  • closed this issue
  • added the bug label

@wheelerlaw commented on GitHub (Oct 31, 2017):

Looks like an issue in LocateBundle(curl.cpp:689). Comment states that it will look in various places, but it actually only looks in one that is specific to Redhat (/etc/pki/tls/certs/ca-bundle.crt). Not sure though.


@wheelerlaw commented on GitHub (Oct 31, 2017):

Running export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt allowed me to connect to the ECS instance. But s3fs should really be looking for the CA bundle in different places based on the distro.


@ggtakec commented on GitHub (Nov 5, 2017):

@wheelerlaw Thanks for the report.
I changed the logic of S3fsCurl::LocateBundle to fix this in #670.

Originally, it searches libcurl for the CA file path corresponding to each OS, but if it still becomes the error CURLE_SSL_CACERT, it should have done the operation to set the environment variable.
This process was corrected because there was a problem, another value was to be set again after the CA path of the environment variable was set.

It is fixed now; please try testing the latest code.
I'm closing this issue, but if you have a problem, please reopen this issue.

Thanks in advance for your assistance.
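
The CURL_CA_BUNDLE workaround and the per-distro lookup discussed in this thread, as an added example that is not part of the original issue or of the s3fs code: a shell helper that honors an existing CURL_CA_BUNDLE and otherwise probes common bundle locations, keeping TLS verification on. The function names, the ROOT parameter and the candidate list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not s3fs code): pick a CA bundle to export as CURL_CA_BUNDLE.
# CA_BUNDLE_CANDIDATES is this example's own list of common locations,
# not the list s3fs or libcurl uses internally.
CA_BUNDLE_CANDIDATES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
"

# usable_bundle FILE: true if FILE is a readable regular file that
# contains at least one PEM certificate header.
usable_bundle() {
    [ -f "$1" ] && [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# locate_ca_bundle [ROOT]: print the bundle path to use, or return 1.
# ROOT is a hypothetical parameter that prefixes the candidate paths so the
# lookup can be exercised against a constructed directory tree.
locate_ca_bundle() {
    root="${1:-}"
    # An explicit operator setting wins, but a broken one fails loudly
    # instead of silently falling back to some other trust store.
    if [ -n "${CURL_CA_BUNDLE:-}" ]; then
        if usable_bundle "$CURL_CA_BUNDLE"; then
            printf '%s\n' "$CURL_CA_BUNDLE"
            return 0
        fi
        echo "CURL_CA_BUNDLE=$CURL_CA_BUNDLE is not a readable PEM bundle" >&2
        return 1
    fi
    for candidate in $CA_BUNDLE_CANDIDATES; do
        if usable_bundle "$root$candidate"; then
            printf '%s\n' "$root$candidate"
            return 0
        fi
    done
    echo "no CA bundle found; install ca-certificates or set CURL_CA_BUNDLE" >&2
    return 1
}

# Typical use before mounting:
#   CURL_CA_BUNDLE=$(locate_ca_bundle) && export CURL_CA_BUNDLE
```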
