For some reason, probably after an update in August, I am no longer able to upgrade google-chrome-beta from the AUR. The problem is with cURL not downloading, and I'm stuck at this:
curl -o test.deb "https://dl.google.com/linux/direct/google-chrome-beta_current_amd64.deb"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I've tried to fetch and then use the latest certificates with
# Fetch most recent cacert.pem
curl -o cacert.pem https://curl.haxx.se/ca/cacert.pem
# Use it for the above curl command
curl --cacert cacert.pem -o test.deb ...
This still gives the same error. I would be very happy if someone could guide me in the correct direction.
Note: This happens on my computer at work, but on my personal laptop at home things still work as expected. These are configured not very far from identical, and I don't understand what difference could explain this problem.
Offline
Perhaps it is related to removal of CAcert root certificates in late August? The first command successfully downloads the file without any errors on my laptop. Are you properly upgraded?
Offline
Thanks for the suggestion and info. I do not believe this is the problem though.
Someone at work suggested that it could be due to our BlueCoat proxy. However, the link in my original post works fine and starts the download if I insert it in google-chrome. So it seems there is a difference between the certificates that are known to cURL and google-chrome.
Offline
Does this match the output you can generate on the affected system?
$ openssl s_client -connect dl.google.com:https
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Edit:
grammar missing the
Last edited by loqs (2018-09-01 15:52:19)
Offline
@loqs Yes, except on my end it says "CONNECTED(0000004)".
I've basically verified that the problem must be related to my work's network settings. I connected from my home PC through VPN and get the same problem. On my home network, everything works fine.
I am not aware of anything that changed in our work's network settings recently, so I am curious if this could be due to a change in a relevant Arch package?
Offline
Moving to AUR Issues
Offline
What is the output on the affected system of
curl -o /dev/null -v "https://dl.google.com/linux/direct/google-chrome-beta_current_amd64.deb"
Offline
The output is:
> curl -o /dev/null -v "https://dl.google.com/linux/direct/google-chrome-beta_current_amd64.deb"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 216.58.211.14...
* TCP_NODELAY set
* Connected to dl.google.com (216.58.211.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [211 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2928 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Offline
Perhaps adding -k will reveal what certificate curl received but does not trust.
curl -o /dev/null -v -k "https://dl.google.com/linux/direct/google-chrome-beta_current_amd64.deb"
Offline
I assume the following output might reveal something, but it's quite cryptic to me:
> curl -o /dev/null -k -v "https://dl.google.com/linux/direct/google-chrome-beta_current_amd64.deb"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 216.58.211.14...
* TCP_NODELAY set
* Connected to dl.google.com (216.58.211.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [211 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2928 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [205 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
* start date: Aug 14 07:46:14 2018 GMT
* expire date: Oct 23 07:38:00 2018 GMT
* issuer: C=NO; O=sintef; CN=sintef-proxy
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
} [5 bytes data]
This seems to verify that the company proxy is disrupting this somehow. But as I said, I can still download the file fine from google-chrome, and this command used to work in July. The start date is probably relevant here, also. But I can't remember having added a new certificate on that date...
Offline
issuer: C=NO; O=sintef; CN=sintef-proxy
Yes, the certificate is issued by a proxy, and that certificate is not in the certificate store.
If you visit www.google.com using google-chrome, click the word secure to the left of the address, then certificate, then details, certificate hierarchy; the top level object should be Builtin Object Token:GlobalSign Root CA - R2
Offline
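The comparison made in the post above, as an added example that is not part of the original thread: it pulls the issuer out of `curl -v -k` output and checks it against the issuer seen in the earlier `openssl s_client` chain. The function names are hypothetical, and the sample log is constructed from lines quoted in this thread.

```bash
#!/bin/sh
# Added example: spot a TLS-intercepting proxy from `curl -v -k` output.
# sample_log is constructed from the lines quoted earlier in this thread.
sample_log='* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
* start date: Aug 14 07:46:14 2018 GMT
* expire date: Oct 23 07:38:00 2018 GMT
* issuer: C=NO; O=sintef; CN=sintef-proxy
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.'

# Read curl -v output on stdin, print the issuer DN of the server certificate.
cert_issuer() {
    sed -n 's/^\*[[:space:]]*issuer:[[:space:]]*//p' | head -n 1
}

# Print one attribute from a curl-style DN ("C=..; O=..; CN=..").
# $1 = DN, $2 = attribute name (hypothetical helper; assumes no ';' in values).
dn_attr() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# $1 = curl -v output, $2 = issuer CN expected for the site.
# Prints "ok" (returns 0), "intercepted: <issuer DN>" (returns 1),
# or "no-certificate" (returns 2) when no issuer line is present.
check_issuer() {
    local issuer cn
    issuer=$(printf '%s\n' "$1" | cert_issuer)
    [ -n "$issuer" ] || { echo "no-certificate"; return 2; }
    cn=$(dn_attr "$issuer" CN)
    if [ "$cn" = "$2" ]; then
        echo "ok"
    else
        echo "intercepted: $issuer"
        return 1
    fi
}

# Expected issuer CN taken from the openssl s_client chain shown in the thread.
check_issuer "$sample_log" "Google Internet Authority G3" || true
```

On a live system the first argument would be the captured output of the `curl -o /dev/null -v -k` command from the thread, with stderr redirected into the capture.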
Yes, I can confirm that the certificate hierarchy top level object is "Builtin Object Token:GlobalSign Root CA - R2".
Offline
Sounds like google-chrome bypasses the proxy, but curl doesn't.
The corporate proxy may be configured to let google-chrome pass.
On the other hand, google-chrome has bypassed local settings on purpose without informing anyone in the past.
I'd check with your IT department.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Thanks for good input, everyone! I'll talk with my local IT department.
Offline
Suddenly, everything works again now. On my side, the difference is that I've updated packages again. I don't think there is any change from the IT department.
In any case, thanks for the friendly and helpful input, everyone!
Offline