Ways to work around SSL-caused build failures / "server certificate verification failed"

There are a couple of ways you can work around the error in our build network incident. In more detail, you’ll see logs exactly matching this during your build:

7:41:37 AM: curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
7:41:37 AM: More details here: http://curl.haxx.se/docs/sslcerts.html
7:41:37 AM: curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
7:41:37 AM:  bundle file isn't adequate, you can specify an alternate file
7:41:37 AM:  using the --cacert option.
7:41:37 AM: If this HTTPS server uses a certificate signed by a CA represented in
7:41:37 AM:  the bundle, the certificate verification probably failed due to a
7:41:37 AM:  problem with the certificate (it might be expired, or the name might
7:41:37 AM:  not match the domain name in the URL).
7:41:37 AM: If you'd like to turn off curl's verification of the certificate, use
7:41:37 AM:  the -k (or --insecure) option.

Mitigation option 1: Preferred and most future-proof is upgrading to our Focal build image, which is not affected by the problem, is our current default version, and is the most up-to-date version we have. More details about the new image can be found in this article:

…and migration information is in this post:

https://answers.netlify.com/t/please-read-end-of-support-for-trusty-build-image-everything-you-need-to-know

Mitigation option 2: If you cannot upgrade, or the upgrade does not work for your build pipeline, you could also try to prevent yarn usage and use npm instead. This won’t work well for some types of builds (for instance, some that use yarn explicitly during customer-configured build steps), but you can prevent our auto-installation by setting a Build Environment Variable NETLIFY_USE_YARN to false, and the build will fall back to using npm instead as long as you have a package.json and package-lock.json.

Please Note: If you are not currently experiencing the problem on a site using yarn and an older build image, it is likely due to the caching of a yarn binary with your dependencies; we recommend against using the clear cache option when retrying a deploy right now, as that will remove the cached version!


Updating here for anyone not following the status page: the issue has now been fixed. The fix applies automatically for all sites using the Xenial build image, but sites using the Trusty image will need to update to Xenial or Focal in order to mitigate.

To update your build image, follow the migration guide below:
