SSL cert error when installing QIime 2

Developer Discussion
1

Good morning,

I'm working with a new lab member to install Qiime 2, and just got this error.

(base) [anderson@hhmi ~]$ wget https://data.qiime2.org/distro/core/qiime2-2019.7-py36-linux-conda.yml
--2019-09-27 14:08:53--  https://data.qiime2.org/distro/core/qiime2-2019.7-py36-linux-conda.yml
Resolving data.qiime2.org... 52.35.38.247
Connecting to data.qiime2.org|52.35.38.247|:443... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: https://raw.githubusercontent.com/qiime2/environment-files/master/2019.7/release/qiime2-2019.7-py36-linux-conda.yml [following]
--2019-09-27 14:08:53--  https://raw.githubusercontent.com/qiime2/environment-files/master/2019.7/release/qiime2-2019.7-py36-linux-conda.yml
Resolving raw.githubusercontent.com... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com|151.101.0.133|:443... connected.
ERROR: certificate common name “www.github.com” doesn’t match requested host name “raw.githubusercontent.com”.
To connect to raw.githubusercontent.com insecurely, use ‘--no-check-certificate’.

This was confusing for the new user.

The guidance posted on the page
If you encounter this error with wget:
assumes you have and know how to use to use an sFTP transfer client.

What can we do to make this install more consistent? Could we replace the recommendation with,

If you encounter an error with wget, try running
wget https://data.qiime2.org/distro/core/qiime2-2019.7-py36-linux-conda.yml --no-check-certificate

Or maybe we could change the URL so that the SSL cert does match?

Colin

2

You're referring to to this message? Natively installing QIIME 2 — QIIME 2 2019.7.0 documentation

image
image800×196 16.4 KB

This message doesn't recommend FTP or SFTP, not sure where you're getting that from. The instructions presented there indicate that you should click the link in your browser and download.

The error is caused by the user having expired root certs on their machine, usually because wget is very old --- it is not caused by a certificate mismatch that we have any control over. As a general note, this error usually comes up when someone skips the first install step of conda install wget.

1 Like
3

Also, this is a very dangerous recommendation --- SSL certificates exist to protect people --- disabling the check could be problematic.

3 Likes
4

I think we may not have installed a new version of wget using conda… like it says to do on that page.

Sorry for my whining over here. I should have tested more before posting. :man_facepalming:

2 Likes
5

Thanks for reporting, @colinbrislawn! :heavy_heart_exclamation: