Arch Linux

raydenz

Member

Registered: 2016-02-28

Posts: 9

Paru SSL error

hello

when i use paru i have this problem
* i already remove paru and reinstall it with YAY but i have the same error
* i already trusted the certificate (when i curl -v https://aur.archlinux.org/rpc it works well)

Can you help please?

> paru -Ss posh

error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

thank you

regards,
Ray

WorMzy

Forum Moderator

From: Scotland

Registered: 2010-06-16

Posts: 11,928

Website

Re: Paru SSL error

Mod note: moving to AUR Issues

---

Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

raydenz

Member

Registered: 2016-02-28

Posts: 9

Re: Paru SSL error

Nobody can help please?

seth

Member

Registered: 2012-09-03

Posts: 52,199

Re: Paru SSL error

i already remove paru and reinstall it with YAY but i have the same error

Did you rebuild it? This used to be a bug in rust/cargo.
And using yay to install paru is like using a scredriver to hammer a screw into your knee.
=> https://wiki.archlinux.org/title/Arch_User_Repository

i already trusted the certificate

What *exactly* does that mean? *You* trusted what certificate?

 openssl s_client -showcerts -connect aur.archlinux.org:443

*You* are not  supposed to trust anything here yourself!

pacman -Qs ca-cert

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

raydenz

Member

Registered: 2016-02-28

Posts: 9

Re: Paru SSL error

Hello Seth
Thank you for your response

yes i already rebuild it

git clone https://aur.archlinux.org/paru.git
makepkg -si

I have installed paru-bin too, and same error

Here the result of "pacman -Qs ca-cert"

local/ca-certificates 20220905-1
    Common CA certificates (default providers)
local/ca-certificates-mozilla 3.99-1
    Mozilla's set of trusted CA certificates
local/ca-certificates-utils 20220905-1
    Common CA certificates (utilities)

regards,

Last edited by raydenz (2024-03-24 11:41:10)

seth

Member

Registered: 2012-09-03

Posts: 52,199

Re: Paru SSL error

Were there any build errors, eg. https://bbs.archlinux.org/viewtopic.php?id=294150 ?
Rust is up-to-date?

pacman -Qs rust

You have not elaborated on

i already trusted the certificate

What exactly did you trust how where and why?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Trilby

Inspector Parrot

Registered: 2011-11-29

Posts: 29,611

Website

Re: Paru SSL error

yes i already rebuild it

git clone https://aur.archlinux.org/paru.git
makepkg -si

But those aren't the actual commands you used to do so.  Certainly we can fill in the gaps to add what we assume you did - but if we're assuming things anyways, there's no point to actually list any commands.  Do not give specific commands used unless they are the ones you actually used as this indicates you're misrepresenting something - and if you're misrepresenting a small thing how do we now there aren't big things that are not as they seem to be?

---

"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

raydenz

Member

Registered: 2016-02-28

Posts: 9

Re: Paru SSL error

hello
@Seth

Rust is up-to-date?

Rust is up-to-date

pacman -Qs rust
local/rust 1:1.77.0-1
    Systems programming language focused on safety, speed and concurrency

What exactly did you trust how where and why?

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

 /etc/ca-certificates/trust-source/anchors/
 update-ca-trust

@Trilby
These are exactly the commands i did.

regards
Ray

Funny0facer

Member

From: Germany

Registered: 2022-12-03

Posts: 42

Re: Paru SSL error

so... you did not cd into the paru directory between git clone and makepkg?

Trilby

Inspector Parrot

Registered: 2011-11-29

Posts: 29,611

Website

Re: Paru SSL error

These are exactly the commands i did.

Then you didn't rebuild / re-install paru (or if you did, perhaps you rebuilt a stale clone if by total coincidence you ran those commands from an existing AUR checkout).

---

"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

seth

Member

Registered: 2012-09-03

Posts: 52,199

Re: Paru SSL error

Let's just see what the OP actually did when

pacman -Qi paru

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

raydenz

Member

Registered: 2016-02-28

Posts: 9

Re: Paru SSL error

Let's just see what the OP actually did when

pacman -Qi paru

pacman -Qi paru
Name            : paru
Version         : 2.0.3-1
Description     : Feature packed AUR helper
Architecture    : x86_64
URL             : https://github.com/morganamilo/paru
Licenses        : GPL-3.0-or-later
Groups          : None
Provides        : None
Depends On      : git  pacman  libalpm.so>=14-64
Optional Deps   : bat: colored pkgbuild printing [installed]
                  devtools: build in chroot and downloading pkgbuilds
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 8,57 MiB
Packager        : Unknown Packager
Build Date      : dim. 24 mars 2024 12:22:59
Install Date    : dim. 24 mars 2024 12:28:56
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : None

regards,

seth

Member

Registered: 2012-09-03

Posts: 52,199

Re: Paru SSL error

So it's the current version of paru, built and installed soemwhen around when you posted #5

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

raydenz

Member

Registered: 2016-02-28

Posts: 9

Re: Paru SSL error

So it's the current version of paru, built and installed soemwhen around when you posted #5

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??

- in the browser : https://aur.archlinux.org/
- i export the certificate from google chrome (clik on "certificate is valid" )
- move in /etc/ca-certificates/trust-source/anchors/
- sudo update-ca-trust

But it does not change, i removed it now.
I know i don't need to do that it was just a test. Let's forget this.

Same Error

paru -Ss paru
error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

you can see "unable to get the issuer certificate" but the issuer is R3, and i already have it.

curl works well (yay works well too)
i am using a corporate proxy but even without proxy i have the same problem. by the way "yay" works well with or without proxy

curl -vvv https://aur.archlinux.org/rpc
* Uses proxy env variable no_proxy == 'xxxxxxxxxxxxxxxxxx'
* Uses proxy env variable https_proxy == 'http://u142158:xxxxxxxx@internetv2.encara.local.ads:8080'
* Host internetv2.encara.local.ads:8080 was resolved.
* IPv6: (none)
* IPv4: 10.38.252.65, 10.38.253.65
*   Trying 10.38.252.65:8080...
* Connected to internetv2.encara.local.ads (10.38.252.65) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'u142158'
* Establish HTTP proxy tunnel to aur.archlinux.org:443
> CONNECT aur.archlinux.org:443 HTTP/1.1
> Host: aur.archlinux.org:443
> Proxy-Authorization: Basic dTE0MjE1ODpQYXBhc3NfMjdj
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection Established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=aur.archlinux.org
*  start date: Mar 11 22:47:13 2024 GMT
*  expire date: Jun  9 22:47:12 2024 GMT
*  subjectAltName: host "aur.archlinux.org" matched cert's "aur.archlinux.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://aur.archlinux.org/rpc
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: aur.archlinux.org]
* [HTTP/2] [1] [:path: /rpc]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /rpc HTTP/2
> Host: aur.archlinux.org
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 302 
< server: nginx
< date: Sun, 31 Mar 2024 10:15:08 GMT
< content-type: text/html; charset=utf-8
< content-length: 35
< location: /rpc/swagger
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< 
<a href="/rpc/swagger">Found</a>.

* Connection #0 to host internetv2.encara.local.ads left intact

the problem is somwhere else

Last edited by raydenz (2024-03-31 10:33:04)

seth

Member

Registered: 2012-09-03

Posts: 52,199

Re: Paru SSL error

I know i don't need to do that it was just a test. Let's forget this.

Yes, I just wanted to make sure you didn't end up adding some bogus certificate to your database.

Wild guess: wht if you disable https://wiki.archlinux.org/title/IPv6#Disable_IPv6 "ipv6.disable=1"?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc