CLI Considerations

Keep the following points in mind when using the CLI. They are drawn from our experience working with numerous users to configure the FOSSA CLI in a build environment.

SSL Certificates

If you have used the CLI, you may have run into this SSL cert issue, looked into our documentation, and tried out some of the suggestions:

A socket-level error occurred when accessing the FOSSA API:

HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))

These errors are usually related to TLS issues or the host being unreachable.
For troubleshooting steps with TLS issues, please refer to:
	- https://github.com/fossas/fossa-cli/blob/master/docs/walkthroughs/ssl-cert.md

If you believe this to be a defect, please report a bug to FOSSA support at https://support.fossa.com

If you want a more technical deep dive into how we retrieve your machine's certs in order to upload a FOSSA scan from your machine, take a look at our certificate logic on GitHub, which includes, for example, our logic for cert retrieval on macOS. In summary, we check the following environment variables first, before we use the system store to retrieve signed certificates:

  • SSL_CERT_FILE
  • SSL_CERT_DIR
  • SYSTEM_CERTIFICATE_PATH (Linux only)

Please consider these questions when troubleshooting SSL certificate issues:

  • If your organization is on SaaS, is your environment able to access app.fossa.com?
    • If so, confirm you can run curl -v https://app.fossa.com or similar in your environment. Review what CAfile points to. Does the chain contain the root certificate? This may be a question for your IT/security team to confirm.
  • Related to the first point, is SSL_CERT_FILE set to a path whose cert chain doesn't include the root cert? If you work at a company where the IT team provisions particular cert chains, it is possible that the cert chain cannot be used when uploading a scan to FOSSA via the CLI. To work around this:
    • Clear SSL_CERT_FILE (or whichever environment variable is applicable), so that FOSSA looks into the system store for the signed certificates.
      • (Optional) If you have admin privileges on your laptop, you can add the cert chain to your system store. For example, on macOS, you can run this command:
security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/SystemRootCertificates.keychain" "/Users/Shared/Some_Global_Chain.crt"
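
A diagnostic sketch for the troubleshooting questions above, added here as an example and not FOSSA's own code: it reports which of the listed environment variables are set and counts the self-signed certificates (subject equals issuer, the usual shape of a root) in a PEM bundle. It assumes openssl, awk and mktemp are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not FOSSA's code. Function names are hypothetical.

# List which of the variables named above are set, one NAME=value per line.
# Prints "system-store" when none is set, i.e. the CLI would fall back to it.
cert_env_report() {
    found=0
    for name in SSL_CERT_FILE SSL_CERT_DIR SYSTEM_CERTIFICATE_PATH; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            printf '%s=%s\n' "$name" "$value"
            found=1
        fi
    done
    [ "$found" -eq 1 ] || echo "system-store"
}

# Print how many certificates in PEM bundle $1 are self-signed
# (subject equals issuer), the usual shape of a root certificate.
# Returns 2 if the bundle cannot be read.
count_self_signed() {
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read: $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { if (out != "") close(out); out = "" }
    ' "$bundle"
    roots=0
    for cert in "$tmpdir"/cert*.pem; do
        [ -e "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
        if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
            roots=$((roots + 1))
        fi
    done
    rm -rf "$tmpdir"
    echo "$roots"
}
```

Run cert_env_report first, then count_self_signed "$SSL_CERT_FILE" if that variable is set; a result of 0 means the bundle it points to carries no root certificate.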