Self-signed certificate verify fails when using HTTP::Tinyish's HTTPTiny backend

[bogdanpop95]

Hi, running into the problem of cpm failing to install distributions using HTTP::Tinyish's HTTPTiny backend when using self-signed certificate:
Output log when running:
cpm install -v -g --show-build-log-on-failure IO::Socket::SSL
2024-05-14T11:27:25,15225,IO::Socket::SSL| MetaCPAN, 599 Internal Exception, https://fastapi.metacpan.org/v1/download_url/IO::Socket::SSL, SSL connection failed for fastapi.metacpan.org: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed 2024-05-14T11:27:25,15225,IO::Socket::SSL| Failed to resolve IO::Socket::SSL

I know cpm is not the cause of this problem as self-signed certificate worked for me before, but maybe it helps someone else who bumps into this.
As a workaround, I used the self-contained FatPacker version, where one could modify the backend list content or order in App::cpm::HTTP.

Context:

• cpm version 0.997017
• perl version 5.30.3 on docker image ubuntu:18.04 (sha256:dca176c9663a7ba4c1f0e710986f5a25e672842963d95b960191e2d9f7185ebe) built with perl-build version 1.31
• OpenSSL 1.1.1

[skaji]

• Does apt-get update && apt-get install ca-certificates libssl1.1 libssl-dev solve your problem?
• Can you provide a Dockerfile that reproduces your problem?

[bogdanpop95]

Hi, sorry for the late reply, but finally found a way to replicate this on-demand.

Dockerfile:

FROM ubuntu:18.04

ARG PATH_TO_SELF_SIGNED_CERT_INSIDE_BUILD_CONTEXT

COPY ${PATH_TO_SELF_SIGNED_CERT_INSIDE_BUILD_CONTEXT} /usr/local/share/ca-certificates/self-signed.crt

RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y \
        apt-transport-https \
        build-essential \
        curl \
        zip \
        unzip \
        locales \
        libssl1.1 \
        libssl-dev \
        zlib1g-dev \
        tzdata \
        perl \
        cpanminus && \
    update-ca-certificates && \
    locale-gen en_US.UTF-8 && \
    apt-get autoremove && \
    apt-get clean && \
    cpanm -n App::cpm && \
    rm -rf /var/lib/apt/lists/* ~/.cpanm

Steps to reproduce:
1. cpm should work with any distribution now (try avoiding indirect installing of IO::Socket::SSL)
cpm install -v -g --show-build-log-on-failure Moose
2. Now install the latest IO::Socket::SSL distribution
cpm install -v -g --show-build-log-on-failure IO::Socket::SSL
perl -MIO::Socket::SSL -e 'print "$IO::Socket::SSL::VERSION\n"' => 2.085
perl -MNet::SSLeay -e 'print "$Net::SSLeay::VERSION\n"' => 1.94
3. Installing any distribution from now on using cpm will fail:
e.g. cpm install -v -g --show-build-log-on-failure MooseX::Singleton
4. Installing with cpanm still works:
e.g. cpanm MooseX::Singleton

Context:

cpm --version
cpm 0.997017 (/usr/local/bin/cpm)
perl version v5.26.1 (/usr/bin/perl)

  %Config:
    archname=x86_64-linux-gnu-thread-multi
    installsitelib=/usr/local/share/perl/5.26.1
    installsitebin=/usr/local/bin
    installman1dir=/usr/share/man/man1
    installman3dir=/usr/share/man/man3
    sitearchexp=/usr/local/lib/x86_64-linux-gnu/perl/5.26.1
    sitelibexp=/usr/local/share/perl/5.26.1
    vendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.26
    vendorlibexp=/usr/share/perl5
    archlibexp=/usr/lib/x86_64-linux-gnu/perl/5.26
    privlibexp=/usr/share/perl/5.26
  %ENV:
  @INC:
    /etc/perl
    /usr/local/lib/x86_64-linux-gnu/perl/5.26.1
    /usr/local/share/perl/5.26.1
    /usr/lib/x86_64-linux-gnu/perl5/5.26
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl/5.26
    /usr/share/perl/5.26
    /usr/local/lib/site_perl
    /usr/lib/x86_64-linux-gnu/perl-base