#1 2025-05-24 12:10:18

OneAndOnlyRoot
Member
Registered: 2025-01-01
Posts: 10

Question about SSL certificates

Hello,

I just wanted some advice about dealing with ssl cert errors when updating/installing packages.

I had the error when installing virtualbox (option 2 when prompted). I got it for the domain cicku.me.
As far as I can tell this was a one time issue solely for that domain, no others failed for me.
I since used reflector to regen my mirrorlist and remove the cicku.me domain.

So, is this sorta thing just a rare issue you may encounter on Linux from time to time?
What is the best course of action? Is it evidence of a system breach?

My understanding is that the https connection failed entirely and ssl certs did their job in protecting the system.

I would be grateful for advice on the matter.

Thanks

Offline

#2 2025-05-24 13:45:05

mithrial
Member
Registered: 2017-03-05
Posts: 92

Re: Question about SSL certificates

This has nothing to do with Linux. The maintainer or administrator of that page failed to renew the certificate on time.

(Probably, but there are many other possibilities. However, none have a direct connection to Linux.)

Offline

#3 2025-05-24 13:53:00

OneAndOnlyRoot
Member
Registered: 2025-01-01
Posts: 10

Re: Question about SSL certificates

mithrial wrote:

This has nothing to do with Linux. The maintainer or administrator of that page failed to renew the certificate on time.

(Probably, but there are many other possibilities. However, none have a direct connection to Linux.)


Thanks for your reply.

I did think it was an expired cert.
I know it isn't unique to Linux itself; I mean it is an issue that could arise from pacman, aka package managers themselves, as they make https connections.

I am more wondering about the practice and action to take after such an event. Mainly security concerns.

Offline

#4 2025-05-24 14:31:44

nealfun
Member
Registered: 2024-08-08
Posts: 10

Re: Question about SSL certificates

Two kinds of SSL. It can be self-signed SSL or public-signed SSL. Accept the SSL at your own risk. It is alright if it is just for surfing an internet page. Don't use an insecure SSL for any online purchase.


"You're never too old to turn your dreams into reality."

Offline

#5 2025-05-24 15:27:01

OneAndOnlyRoot
Member
Registered: 2025-01-01
Posts: 10

Re: Question about SSL certificates

nealfun wrote:

Two kinds of SSL. It can be self-signed SSL or public-signed SSL. Accept the SSL at your own risk. It is alright if it is just for surfing an internet page. Don't use an insecure SSL for any online purchase.

Thanks for your reply.

I am using the default ones that arch uses. I think the ca-certificates package.

All I am wondering is, when/if you get an ssl error when updating/installing software, what is the best practice to follow? Does said error indicate any level of local system compromise?
My assumption thus far has been that the error stopped me connecting to an unsecure domain and removing said domain from mirrorlist is a good idea.

Offline

#6 2025-05-24 16:20:33

mithrial
Member
Registered: 2017-03-05
Posts: 92

Re: Question about SSL certificates

Your mirrorlist contains many mirrors. Pacman will try them sequentially and use the first one that is working.

OneAndOnlyRoot wrote:

My assumption thus far has been that the error stopped me connecting to an unsecure domain and removing said domain from mirrorlist is a good idea.

You are 100% correct. And I really appreciate your understanding. Typically, new users will complain about this type of error and try to circumvent (e.g., accept the broken certificate). You, on the other hand, understood the concept and acted accordingly.


OneAndOnlyRoot wrote:

All I am wondering is, when/if you get an ssl error when updating/installing software, what is the best practice to follow? Does said error indicate any level of local system compromise?

It always could be. However, it would typically be the reverse. A locally compromised system would not show you a warning and download packages from a hijacked server where it blindly accepts the certificates.

However, a local compromise could manifest in any possible way.

Last edited by mithrial (2025-05-24 16:25:02)

Offline

#7 2025-05-24 19:06:59

OneAndOnlyRoot
Member
Registered: 2025-01-01
Posts: 10

Re: Question about SSL certificates

mithrial wrote:

Your mirrorlist contains many mirrors. Pacman will try them sequentially and use the first one that is working.

OneAndOnlyRoot wrote:

My assumption thus far has been that the error stopped me connecting to an unsecure domain and removing said domain from mirrorlist is a good idea.

You are 100% correct. And I really appreciate your understanding. Typically, new users will complain about this type of error and try to circumvent (e.g., accept the broken certificate). You, on the other hand, understood the concept and acted accordingly.


OneAndOnlyRoot wrote:

All I am wondering is, when/if you get an ssl error when updating/installing software, what is the best practice to follow? Does said error indicate any level of local system compromise?

It always could be. However, it would typically be the reverse. A locally compromised system would not show you a warning and download packages from a hijacked server where it blindly accepts the certificates.

However, a local compromise could manifest in any possible way.

Thank you for your detailed answer!

As I suspected then, the error itself did not cause a compromise; the error actually (possibly) prevented such a thing from occurring.

Is the best practice to remove the affected mirror? I would assume investigation is only needed should it be more widespread?
Perhaps just a rare occurrence to deal with.

Offline

#8 2025-05-24 19:48:21

mithrial
Member
Registered: 2017-03-05
Posts: 92

Re: Question about SSL certificates

It doesn't necessarily mean that the server was compromised. Sometimes, sysadmins need sleep too and might forget to renew the certificate.
It's good that pacman doesn't connect, however, I wouldn't treat it as an attack.

You could remove those mirrors from your list. That might be a valid approach.

Offline

#9 Yesterday 12:44:26

OneAndOnlyRoot
Member
Registered: 2025-01-01
Posts: 10

Re: Question about SSL certificates

mithrial wrote:

It doesn't necessarily mean that the server was compromised. Sometimes, sysadmins need sleep too and might forget to renew the certificate.
It's good that pacman doesn't connect, however, I wouldn't treat it as an attack.

You could remove those mirrors from your list. That might be a valid approach.

Ok, thanks so much for your advice.
Greatly Appreciated!

Offline

#10 Yesterday 23:23:21

OneAndOnlyRoot
Member
Registered: 2025-01-01
Posts: 10

Re: Question about SSL certificates

mithrial wrote:

It doesn't necessarily mean that the server was compromised. Sometimes, sysadmins need sleep too and might forget to renew the certificate.
It's good that pacman doesn't connect, however, I wouldn't treat it as an attack.

You could remove those mirrors from your list. That might be a valid approach.

Sorry to revive this but I did further testing.
The domain I had the issue with is cicku.me, quite a highly rated mirror it seems.
On Arch, even with the system time being up to date, ssl fails in firefox, pacman and reflector.
But in Linux Mint, no issue; fully verified.

The error is usually failed to get local issuer. Firefox warned it was an unsafe site.

I made sure the date/time was synced by doing timedatectl set-ntp true; it all looks right to me. Did not work sadly.

No clue what that's about, any ideas?

Thanks

Last edited by OneAndOnlyRoot (Yesterday 23:43:34)

Offline
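
The two failures discussed in this thread, an expired certificate (the guess in post #2) and the "failed to get local issuer" error reported in post #10, are different verification results with different owners. As an added example (not posted by anyone in the thread), this script builds a throw-away, constructed CA and leaf with openssl and shows which code each case yields; the names rootA, rootB and mirror.example are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: constructed throw-away PKI; nothing here contacts a real mirror.
set -u

build_pki() {   # $1 = work dir: two unrelated roots, one leaf signed by rootA
  local d=$1 r
  for r in rootA rootB; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Constructed $r" \
      -keyout "$d/$r.key" -out "$d/$r.crt" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mirror.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootA.crt" -CAkey "$d/rootA.key" \
    -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
}

verify_code() {   # verify_code <trust-store.pem> <cert.pem> [openssl verify options]
  local store=$1 cert=$2 out code; shift 2
  out=$(openssl verify -CAfile "$store" "$@" "$cert" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
  else echo unknown; fi
}

explain() {   # what each verify code means when it shows up for a mirror
  case $1 in
    0)  echo "0: chain verifies against this trust store" ;;
    10) echo "10: certificate has expired (server side, the mirror admin must renew)" ;;
    20) echo "20: unable to get local issuer certificate (issuer not in this store or chain)" ;;
    *)  echo "$1: other failure" ;;
  esac
}

demo() {
  local d later
  d=$(mktemp -d) || return 1
  build_pki "$d" || { echo "openssl could not build the test PKI" >&2; return 1; }
  later=$(( $(date +%s) + 90 * 86400 ))   # 90 days ahead: the 30-day leaf is expired
  echo "store with issuer:    $(explain "$(verify_code "$d/rootA.crt" "$d/leaf.crt")")"
  echo "store without issuer: $(explain "$(verify_code "$d/rootB.crt" "$d/leaf.crt")")"
  echo "issuer ok, 90d later: $(explain "$(verify_code "$d/rootA.crt" "$d/leaf.crt" -attime "$later")")"
  rm -rf "$d"
}
demo
```

Against a live host the same numbers appear on the "Verify return code" line of `openssl s_client -connect HOST:443 -servername HOST`, where HOST is a placeholder for the mirror being checked.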
