#1 2020-09-07 19:30:30

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Pacman setting to ignore SSL certificate problems [SOLVED]

I faced this a few years ago, and at the time, found a setting on the router itself.  I do not have such a setting now so am wondering if there is something I can add to my pacman.conf that would apply solely to the [router] repo to avoid this.

# pacman -Syu
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
error: failed retrieving file 'router.db' from 10.1.2.1 : SSL certificate problem: self signed certificate
error: failed to update router (download library error)
error: failed to synchronize all databases

And the corresponding entry within /etc/pacman.conf:

[router]
SigLevel = PackageOptional
Server = http://10.1.2.1/repo/x86_64/

Last edited by graysky (2020-09-08 13:17:37)


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

Offline

#2 2020-09-07 20:07:54

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: Pacman setting to ignore SSL certificate problems [SOLVED]

Can you configure the router to use a certificate you produced signed by a custom certificate authority?  Then you would need to add the CA's public key to the system's certificate store.

Offline

#3 2020-09-07 23:23:32

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Pacman setting to ignore SSL certificate problems [SOLVED]

@loqs - Perhaps... I just learned that I can simply disable the redirect on the router (OpenWRT).  I will mark this solved although I am still curious if there is an option to have pacman ignore it rather than bomb out.

Offline

#4 2020-09-07 23:31:05

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,461

Re: Pacman setting to ignore SSL certificate problems [SOLVED]

You can set your own XferCommand in pacman.conf, so it's a matter of getting curl/wget to ignore it, not pacman.

Offline
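
Added example, not part of any post in this thread: a check over pacman.conf for the setup suggested above, where XferCommand passes curl or wget a switch that skips certificate verification. XferCommand is an [options] directive and so covers every repository, not just [router]; the script therefore reports the repositories whose SigLevel also lets unsigned packages through. The sample file, the XferCommand line in it and the function names are constructed for illustration.

```python
import shlex

# Switches that disable TLS certificate verification, per download tool.
INSECURE = {"curl": {"-k", "--insecure"}, "wget": {"--no-check-certificate"}}

# Constructed sample: the [router] stanza from the first post plus an assumed XferCommand.
SAMPLE = """\
[options]
SigLevel = Required DatabaseOptional
XferCommand = /usr/bin/curl -k -L -C - -f -o %o %u
[core]
Include = /etc/pacman.d/mirrorlist
[router]
SigLevel = PackageOptional
Server = http://10.1.2.1/repo/x86_64/
"""

def pkg_sig_required(tokens, required=True):
    """Apply SigLevel tokens in order; return whether package signatures are required."""
    for tok in tokens:
        if tok in ("Never", "Optional", "PackageNever", "PackageOptional"):
            required = False
        elif tok in ("Required", "PackageRequired"):
            required = True
    return required

def audit(conf_text):
    """Return (insecure_xfer, exposed_repos) for the text of a pacman.conf."""
    section, xfer, siglevels, repos = None, None, {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments are whole lines only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "options":
                repos.append(section)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "XferCommand" and section == "options":
            xfer = shlex.split(value)
        elif key == "SigLevel":
            siglevels[section] = value.split()
    tool = xfer[0].rsplit("/", 1)[-1] if xfer else ""
    insecure = bool(xfer) and any(a in INSECURE.get(tool, ()) for a in xfer[1:])
    base = pkg_sig_required(siglevels.get("options", []))
    # A repo is exposed when the transport is unverified AND unsigned packages are accepted.
    exposed = [r for r in repos
               if insecure and not pkg_sig_required(siglevels.get(r, []), base)]
    return insecure, exposed
```

For the sample, `audit(SAMPLE)` returns `(True, ['router'])`: [core] still requires signed packages, while [router] is left with neither a verified transport nor a required signature.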

#5 2020-09-08 11:00:58

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: Pacman setting to ignore SSL certificate problems [SOLVED]

Scimmia wrote:

You can set your own XferCommand in pacman.conf, so it's a matter of getting curl/wget to ignore it, not pacman.

I disagree.

The url for router repo is clearly marked as http so validity and/or presence of ssl certificates should not be checked at all.
(Latest mirrorlist also still has lots of http urls)

If the standard pacman transfer command can't handle this use case anymore, then in my opinion pacman has a problem.

Thank you for pointing that out, schard.
I misinterpreted the situation and the failure is not due to pacman / pacman standard transfer command.

Apologies for the noise.

Last edited by Lone_Wolf (2020-09-08 11:19:34)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#6 2020-09-08 11:09:10

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,932
Website

Re: Pacman setting to ignore SSL certificate problems [SOLVED]

@Lone_Wolf: In post #3 OP admitted to having a http→https redirection in place. So pacman is not at fault here.
E.g. Try accessing http://bbs.archlinux.org/
You'll be redirected to the https:// page server-side (301).

Offline

#7 2020-09-08 13:17:07

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Pacman setting to ignore SSL certificate problems [SOLVED]

Scimmia wrote:

You can set your own XferCommand in pacman.conf, so it's a matter of getting curl/wget to ignore it, not pacman.

Thanks for the tip, that makes sense.

Offline
