# make fetch fails: git-lfs api error: x509: certificate signed by unknown authority



## PMc (May 20, 2021)

I am trying to build graphics/oidn, and `make fetch` fails:

```
==> Fetching the oidn/weights subproject with large LFS files
Downloading rt_alb.tza (3.7 MB)
Error downloading object: rt_alb.tza (182e317): Smudge error: Error downloading rt_alb.tza (182e3176e6c13edd3ac7d152f650580679fff3c6540f3b4e512e3d678d040a43): batch response: Post "https://github.com/OpenImageDenoise/oidn-weights.git/info/lfs/objects/batch": x509: certificate signed by unknown authority
```

I have analyzed the matter so far:
This port has a pre-fetch stanza in the Makefile. And in addition to the normal distfiles (which do download fine) it also downloads (clones) an entire git repo in that pre-fetch step (and this does also arrive just fine). But then this git repo contains BLOBs, and therefore devel/git-lfs is used to download these, and this is what fails - the complaint "x509: certificate signed by unknown authority" is given as a "Batch response" after git-lfs sends a batch request for the required files/BLOBs.

One can reproduce it 'naked':

```
$ ( echo "version https://git-lfs.github.com/spec/v1"
> echo "oid sha256:182e3176e6c13edd3ac7d152f650580679fff3c6540f3b4e512e3d678d040a43"
> echo "size 3659912" ) | GIT_CURL_VERBOSE=1 GIT_TRACE=1 git-lfs smudge -- rt_alb.tza
19:32:36.694060 trace git-lfs: exec: git 'version'
19:32:36.735857 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' '--git-dir' '--show-toplevel'
19:32:36.806794 trace git-lfs: exec: git 'config' '-l'
19:32:36.811874 trace git-lfs: exec: git 'rev-parse' '--is-bare-repository'
19:32:36.820717 trace git-lfs: exec: git 'config' '-l' '--blob' ':.lfsconfig'
19:32:36.860008 trace git-lfs: exec: git 'config' '-l' '--blob' 'HEAD:.lfsconfig'
19:32:36.867971 trace git-lfs: Install hook: pre-push, force=false, path=/usr/ports/.git/hooks/pre-push, upgrading...
19:32:36.868520 trace git-lfs: Install hook: post-checkout, force=false, path=/usr/ports/.git/hooks/post-checkout, upgrading...
19:32:36.874355 trace git-lfs: Install hook: post-commit, force=false, path=/usr/ports/.git/hooks/post-commit, upgrading...
19:32:36.878110 trace git-lfs: filepathfilter: accepting "rt_alb.tza"
19:32:36.878257 trace git-lfs: exec: git '-c' 'filter.lfs.smudge=' '-c' 'filter.lfs.clean=' '-c' 'filter.lfs.process=' '-c' 'filter.lfs.required=false' 'rev-parse' 'HEAD' '--symbolic-full-name' 'HEAD'
Downloading rt_alb.tza (3.7 MB)
19:32:36.988728 trace git-lfs: tq: running as batched queue, batch size of 100
19:32:36.989745 trace git-lfs: tq: sending batch of size 1
19:32:36.990860 trace git-lfs: api: batch 1 files
19:32:36.992911 trace git-lfs: HTTP: POST https://git.freebsd.org/ports.git/info/lfs/objects/batch
> POST /ports.git/info/lfs/objects/batch HTTP/1.1
> Host: git.freebsd.org
> Accept: application/vnd.git-lfs+json; charset=utf-8
> Content-Length: 192
> Content-Type: application/vnd.git-lfs+json; charset=utf-8
> User-Agent: git-lfs/2.13.3 (GitHub; freebsd amd64; go 1.16.4)
>
19:32:37.850665 trace git-lfs: api error: Post "https://git.freebsd.org/ports.git/info/lfs/objects/batch": x509: certificate signed by unknown authority
version https://git-lfs.github.com/spec/v1
oid sha256:182e3176e6c13edd3ac7d152f650580679fff3c6540f3b4e512e3d678d040a43
size 3659912
Error downloading object: rt_alb.tza (182e317): Smudge error: Error downloading rt_alb.tza (182e3176e6c13edd3ac7d152f650580679fff3c6540f3b4e512e3d678d040a43): batch response: Post "https://git.freebsd.org/ports.git/info/lfs/objects/batch": x509: certificate signed by unknown authority
```

Setting `GIT_SSL_NO_VERIFY=1` solves the problem. But I would like to understand what is going wrong here.

This report here describes the same error (with different software) - without coming to an explanation. But an interesting statement there is that the reporter experiences the problem in the office, but not at home! Which makes it somehow related to the local side of the network. And I would very much like to know what might be wrong with my network.


----------



## PMc (May 20, 2021)

This thing is weird.
When you look closely at the logs above, you will see that at the second approach I ran `git-lfs` outside of the port's directory. So `git-lfs` did not know the port's proper repo to retrieve, and instead found our FreeBSD ports repo, as it was still within /usr/ports. Consequently it did not connect to github.com, but to git.freebsd.org - but that yielded the same error!!

OTOH: when I use the _2021Q1_ checkout, it all works with no error! And not so much has changed.


----------



## PMc (May 21, 2021)

Found that it depends on lang/go. When devel/git-lfs (2.13.1 or 2.13.3) is compiled with go 1.15.9 as of 2021Q1, it works normally. When either git-lfs version is compiled with go 1.16.4 as of 2021Q2, it always reports `x509: certificate signed by unknown authority`.

Now, why is go controlling the certificate use of programs it compiles?


----------

