Hi, I just installed Arch on a new machine and I am having trouble with ca-certificates.
These are my symptoms:
When I try to wget something over https I get the following error:
[osboxes@osboxes ~]$ wget https://aur.archlinux.org/cgit/aur.git/snapshot/dropbox.tar.gz
--2015-11-16 19:04:49-- https://aur.archlinux.org/cgit/aur.git/snapshot/dropbox.tar.gz
Resolving aur.archlinux.org (aur.archlinux.org)... 5.9.250.164, 2a01:4f8:160:3033::2
Connecting to aur.archlinux.org (aur.archlinux.org)|5.9.250.164|:443... connected.
ERROR: cannot verify aur.archlinux.org's certificate, issued by ‘[REDACTED]’:
Unable to locally verify the issuer's authority.
To connect to aur.archlinux.org insecurely, use `--no-check-certificate'.
Using package-query-git and yaourt:
[osboxes@osboxes ~]$ yaourt -S dropbox
curl error: Peer certificate cannot be authenticated with given CA certificates
Using Chromium and visiting a webpage via https I get a Privacy Error:
Your Connection is not private
Attackers might be trying to steal your information from www.google.com (for example, passwords, messages, or credit cards)
NET:ERR_CERT_AUTHORITY_INVALID
I have never had problems with certificates. What could I do?
Non native English speaker [in, on, at are the same to me]
Try installing the Arch keyring with:
pacman -S archlinux-keyring
I tried reinstalling it. It signed a few keys and disabled some more, but did not change anything. What am I missing?
(1/1) reinstalling archlinux-keyring [#########################################################################################] 100%
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
-> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
-> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
-> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
-> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
-> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
-> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
-> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
-> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
-> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
-> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
-> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
-> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
-> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
-> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
-> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
-> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
==> Updating trust database...
gpg: next trustdb check due at 2016-01-22
Non native English speaker [in, on, at are the same to me]
The archlinux-keyring is not connected to ca-certificates.
ca-certificates should be supplied by the package of the same name.
I have both of them installed, yet the problem persists.
Non native English speaker [in, on, at are the same to me]
$ openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=F7:E1:35:8D:8D:2D:D5:15:53:31:CF:DE:A9:C6:AE:D3:89:5C:5B:7A
If you get the above fingerprint, then I would look in /etc/ca-certificates/extracted/ to see if ca-bundle.trust.crt was generated successfully.
It all looks well:
[osboxes@osboxes ~]$ openssl s_client -host aur.archlinux.org -port 443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=47:1B:0A:24:87:4B:46:62:38:C5:15:7E:48:33:CD:FD:55:EA:78:A4
[osboxes@osboxes ~]$ ls /etc/ca-certificates/extracted/
ca-bundle.trust.crt cadir email-ca-bundle.pem objsign-ca-bundle.pem tls-ca-bundle.pem
Any other ideas? It is barely usable this way.
Non native English speaker [in, on, at are the same to me]
The SHA1 Fingerprint you produced was different to the one I produced, meaning the certificates are different.
The certificate chains should also be different (assuming my theory is correct and you are being offered a different certificate).
$ openssl s_client -host aur.archlinux.org -port 443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 description = sPulR5zVOvr94iP7, C = US, ST = Illinois, L = Chicago, O = Aaron Griffin, CN = *.archlinux.org, emailAddress = webmaster@archlinux.org
verify return:1
---
Certificate chain
0 s:/description=sPulR5zVOvr94iP7/C=US/ST=Illinois/L=Chicago/O=Aaron Griffin/CN=*.archlinux.org/emailAddress=webmaster@archlinux.org
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
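Added example, not part of the thread: the comparison the last reply describes, as a small shell helper. The function names are hypothetical; the fingerprints and verify lines are copied from the posts above, and `fetch_fp` wraps the command already shown in the thread.

```shell
#!/bin/sh
# Values copied from the posts above (reference network vs. affected machine).
REF_FP='SHA1 Fingerprint=F7:E1:35:8D:8D:2D:D5:15:53:31:CF:DE:A9:C6:AE:D3:89:5C:5B:7A'
SEEN_FP='SHA1 Fingerprint=47:1B:0A:24:87:4B:46:62:38:C5:15:7E:48:33:CD:FD:55:EA:78:A4'
REF_VERIFY='depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify return:1'

# Drop the "SHA1 Fingerprint=" label and the colons, upper-case the hex digits.
norm_fp() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# Exit status 0 when both fingerprints identify the same certificate.
same_cert() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Read s_client text on stdin; print the CN at the highest verify depth.
top_ca() {
    awk '/^depth=[0-9]+ / { d = $1; sub(/^depth=/, "", d)
                            if (d + 0 >= max) { max = d + 0; line = $0 } }
         END { sub(/^.*CN = /, "", line); sub(/, .*$/, "", line); print line }'
}

# Live helpers for the affected machine (need network access, not run here).
fetch_fp() {
    openssl s_client -host "$1" -port 443 < /dev/null 2>/dev/null |
        openssl x509 -fingerprint -noout -in /dev/stdin
}
fetch_chain() {   # the depth= lines are written to stderr, so merge it in
    openssl s_client -host "$1" -port 443 < /dev/null 2>&1
}

# $1 reference fingerprint, $2 observed fingerprint, $3 observed s_client text.
diagnose() {
    ca=$(printf '%s\n' "$3" | top_ca)
    [ -n "$ca" ] || ca='(no chain captured)'
    if same_cert "$1" "$2"; then
        echo "same certificate; chain tops at: $ca"
    else
        echo "different certificate; chain tops at: $ca"
    fi
}
# On the affected machine:
#   diagnose "$REF_FP" "$(fetch_fp aur.archlinux.org)" "$(fetch_chain aur.archlinux.org)"
```

The name printed after "chain tops at" is the issuer at the top of the chain the affected machine is actually being offered, which is the thing to compare against the reference chain.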