#1 2015-11-16 19:15:31

tokoro
Member
From: Mexico City
Registered: 2011-11-30
Posts: 51

I am having troubles with ca-certificates

Hi, I just installed Arch on a new machine and I am having troubles with ca-certificates.

These are my symptoms:

  • When I try to wget something over https I get the following error:

    [osboxes@osboxes ~]$ wget https://aur.archlinux.org/cgit/aur.git/snapshot/dropbox.tar.gz
    --2015-11-16 19:04:49--  https://aur.archlinux.org/cgit/aur.git/snapshot/dropbox.tar.gz
    Resolving aur.archlinux.org (aur.archlinux.org)... 5.9.250.164, 2a01:4f8:160:3033::2
    Connecting to aur.archlinux.org (aur.archlinux.org)|5.9.250.164|:443... connected.
    ERROR: cannot verify aur.archlinux.org's certificate, issued by ‘[REDACTED]’:
      Unable to locally verify the issuer's authority.
    To connect to aur.archlinux.org insecurely, use `--no-check-certificate'.

  • Using package-query-git and yaourt

    [osboxes@osboxes ~]$ yaourt -S dropbox
    curl error: Peer certificate cannot be authenticated with given CA certificates

  • Using Chromium and visiting a webpage via https I get a Privacy Error

    Your Connection is not private
    Attackers might be trying to steal your information from www.google.com (for example, passwords, messages, or credit cards)
    NET:ERR_CERT_AUTHORITY_INVALID

I have never had problems with certificates. What could I do?


Non native English speaker [in, on, at are the same to me]

Offline

#2 2015-11-16 20:27:40

kvonlinee
Member
Registered: 2015-02-04
Posts: 27

Re: I am having troubles with ca-certificates

Try to install arch keyring by
pacman -S archlinux-keyring

Offline

#3 2015-11-16 21:56:39

tokoro
Member
From: Mexico City
Registered: 2011-11-30
Posts: 51

Re: I am having troubles with ca-certificates

kvonlinee wrote:

Try to install arch keyring by
pacman -S archlinux-keyring

I tried reinstalling it. It signed a few keys and disabled some more, but did not change anything. What am I missing?

(1/1) reinstalling archlinux-keyring    [#########################] 100%
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
  -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
  -> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
  -> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
  -> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
  -> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
  -> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
  -> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
  -> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
  -> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
  -> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
  -> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
==> Updating trust database...
gpg: next trustdb check due at 2016-01-22

Non native English speaker [in, on, at are the same to me]

Offline

#4 2015-11-16 22:01:32

loqs
Member
Registered: 2014-03-06
Posts: 17,458

Re: I am having troubles with ca-certificates

tokoro wrote:

I tried reinstalling it. It signed a few keys and disabled some more, but did not change anything. What am I missing?

The archlinux-keyring is not connected to ca-certificates.
ca-certificates should be supplied by the package of the same name.

Offline

#5 2015-11-16 22:17:09

tokoro
Member
From: Mexico City
Registered: 2011-11-30
Posts: 51

Re: I am having troubles with ca-certificates

loqs wrote:
tokoro wrote:

I tried reinstalling it. It signed a few keys and disabled some more, but did not change anything. What am I missing?

The archlinux-keyring is not connected to ca-certificates.
ca-certificates should be supplied by the package of the same name.

I have both of them installed, yet the problem persists. hmm


Non native English speaker [in, on, at are the same to me]

Offline

#6 2015-11-16 23:50:31

loqs
Member
Registered: 2014-03-06
Posts: 17,458

Re: I am having troubles with ca-certificates

$openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=F7:E1:35:8D:8D:2D:D5:15:53:31:CF:DE:A9:C6:AE:D3:89:5C:5B:7A

If you get the above fingerprint then I would look in /etc/ca-certificates/extracted/ if ca-bundle.trust.crt was generated successfully.

Offline

#7 2015-11-17 00:16:01

tokoro
Member
From: Mexico City
Registered: 2011-11-30
Posts: 51

Re: I am having troubles with ca-certificates

loqs wrote:
$openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=F7:E1:35:8D:8D:2D:D5:15:53:31:CF:DE:A9:C6:AE:D3:89:5C:5B:7A

If you get the above fingerprint then I would look in /etc/ca-certificates/extracted/ if ca-bundle.trust.crt was generated successfully.

It all looks well:

[osboxes@osboxes ~]$ openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=47:1B:0A:24:87:4B:46:62:38:C5:15:7E:48:33:CD:FD:55:EA:78:A4
[osboxes@osboxes ~]$ ls /etc/ca-certificates/extracted/
ca-bundle.trust.crt  cadir  email-ca-bundle.pem  objsign-ca-bundle.pem  tls-ca-bundle.pem

Any other ideas? It is barely usable this way.


Non native English speaker [in, on, at are the same to me]

Offline

#8 2015-11-17 00:54:55

loqs
Member
Registered: 2014-03-06
Posts: 17,458

Re: I am having troubles with ca-certificates

tokoro wrote:
loqs wrote:
$openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=F7:E1:35:8D:8D:2D:D5:15:53:31:CF:DE:A9:C6:AE:D3:89:5C:5B:7A

If you get the above fingerprint then I would look in /etc/ca-certificates/extracted/ if ca-bundle.trust.crt was generated successfully.

It all looks well:

[osboxes@osboxes ~]$ openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=47:1B:0A:24:87:4B:46:62:38:C5:15:7E:48:33:CD:FD:55:EA:78:A4
[osboxes@osboxes ~]$ ls /etc/ca-certificates/extracted/
ca-bundle.trust.crt  cadir  email-ca-bundle.pem  objsign-ca-bundle.pem  tls-ca-bundle.pem

Any other ideas? It is barely usable this way.

The SHA1 fingerprint you produced was different from the one I produced, meaning the certificates are different.
The certificate chains should also be different (assuming my theory is correct and you are being offered a different certificate).

$ openssl s_client -host aur.archlinux.org -port 443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 description = sPulR5zVOvr94iP7, C = US, ST = Illinois, L = Chicago, O = Aaron Griffin, CN = *.archlinux.org, emailAddress = webmaster@archlinux.org
verify return:1
---
Certificate chain
 0 s:/description=sPulR5zVOvr94iP7/C=US/ST=Illinois/L=Chicago/O=Aaron Griffin/CN=*.archlinux.org/emailAddress=webmaster@archlinux.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

Offline
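The two checks loqs proposes in #6 and #8 (compare the presented leaf's SHA1 fingerprint against one taken on a trusted machine, and see whether the local bundle verifies the chain at all) can be run together. This is an added example, not a script from anyone in this thread; the host, port and reference fingerprint are command-line arguments, and the distinction between "my CA bundle is broken" and "I am being shown a different certificate" is exactly the one drawn in #8.

```python
import hashlib
import socket
import ssl
import sys

def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA1, the format `openssl x509 -fingerprint` prints."""
    hexd = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring case and colon separators."""
    return a.replace(":", "").strip().upper() == b.replace(":", "").strip().upper()

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the presented leaf certificate with verification OFF, purely to inspect it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def classify(verified: bool, presented_fp: str, reference_fp: str) -> str:
    """Map the two observations onto the conclusions drawn in the thread."""
    if verified:
        return "ok: chain verifies against the local trust store"
    if fingerprints_match(presented_fp, reference_fp):
        return "local-trust-store: same certificate as the reference host, so this machine's CA bundle is at fault"
    return "different-certificate: the reference host saw another certificate; inspect the chain and network path before trusting it"

def diagnose(host: str, reference_fp: str, port: int = 443) -> str:
    """reference_fp is the leaf SHA1 fingerprint recorded on a machine whose trust store works."""
    ctx = ssl.create_default_context()  # loads the system bundle (on Arch, the extracted ca-certificates)
    if ctx.cert_store_stats()["x509_ca"] == 0:
        print("warning: no CA certificates loaded; the extracted bundle may be empty", file=sys.stderr)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der, verified = tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError as exc:
        print(f"verification failed: {exc.verify_message}", file=sys.stderr)
        der, verified = fetch_leaf_der(host, port), False
    fp = sha1_fingerprint(der)
    print(f"presented leaf SHA1 fingerprint: {fp}")
    return classify(verified, fp, reference_fp)

if __name__ == "__main__":  # usage: python tlsdiag.py aur.archlinux.org F7:E1:35:8D:...
    print(diagnose(sys.argv[1], sys.argv[2]))
```

A "different-certificate" result is the case loqs describes in #8: the fingerprint and chain should then be compared line by line with the output from a known-good machine rather than bypassed with `--no-check-certificate`.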
