Upgraded yesterday and now pacman with an https mirror and git operations do not work. Web browsing with firefox/chromium still works, hence why I can post this.
% asp update
==> updating remote 'packages'
fatal: unable to access 'https://github.com/archlinux/svntogit-packages.git/': error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
==> updating remote 'community'
fatal: unable to access 'https://github.com/archlinux/svntogit-community.git/': error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
% sudo pacman -Syu
:: Synchronizing package databases...
core.db failed to download
extra.db failed to download
community.db failed to download
multilib.db failed to download
custom is up to date
error: failed retrieving file 'extra.db' from mirror.pkgbuild.com : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file 'community.db' from mirror.pkgbuild.com : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file 'multilib.db' from mirror.pkgbuild.com : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
warning: too many errors from mirror.pkgbuild.com, skipping for the remainder of this transaction
error: failed retrieving file 'core.db' from mirror.pkgbuild.com : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed to synchronize all databases (download library error)
When I cat /etc/ca-certificates/extracted/ca-bundle.trust.crt the file is empty. Reinstalling ca-certificates package does not do anything. Running update-ca-trust also does not do anything. In both cases /etc/ca-certificates/extracted/ca-bundle.trust.crt is still empty. Help is appreciated.
Last edited by itskiasoc5 (2022-01-10 20:20:25)
Have you tried to reinstall ca-certificates-mozilla and ca-certificates-utils? Afterwards run update-ca-trust again.
/etc/ssl/certs/ca-certificates.crt should be a symlink to ../../ca-certificates/extracted/tls-ca-bundle.pem
Last edited by progandy (2022-01-08 21:10:54)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Confirmed that /etc/ssl/certs/ca-certificates.crt is a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
Still empty after reinstall of ca-certificates-mozilla and ca-certificates-utils plus running update-ca-trust.
/etc/ca-certificates/extracted/*.pem are all empty as well.
As a temporary fix I installed junest and copied /etc/ca-certificates/extracted/tls-ca-bundle.pem from junest to my host system.
I read the Arch wiki page on TLS to understand more. So /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit is where the CA certs are pulled from; that is installed correctly via the ca-certificates package. However, the p11-kit modules are not loaded on my system, even though libp11-kit is installed correctly. Whereas in junest the p11-kit modules are loaded correctly. Not sure what is going on here.
Host:
% p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
Junest:
$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
            token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
            write-protected
            token-initialized
p11-kit Version 23?
pacman -Qs p11-kit
and maybe run and check
pacman -Qkk p11-kit libp11-kit
pacman -Qkk
Last edited by progandy (2022-01-10 04:50:06)
custom is up to date
Also what's the custom repo and what packages does it provide?
paclist custom # paclist is a shell script in pacman-contrib
Results of commands are here: https://termbin.com/de4h
Custom repo is for aurutils.
I forgot to mention that I set umask 77 in my zshrc.
The pacman tests look good. Something is strange, though: "p11-kit list-modules" shows v0.23, but according to pacman v0.24 is installed. Do you have an outdated copy in e.g. /usr/local?
which p11-kit
Aha that was it, thanks.
% which p11-kit
/home/kiasoc5/.guix-profile/bin/p11-kit
I had guix installed to my local profile, which pulls in p11-kit@0.23.22.
Solution: guix uninstall guix
% which p11-kit
/usr/bin/p11-kit
Now update-ca-trust works.
Last edited by itskiasoc5 (2022-01-10 20:19:43)
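The cause found in this thread, an older p11-kit earlier on the search path while the extracted bundles stay empty, can be checked mechanically. The sh script below is an added example, not code from the thread or from Arch; its function names are hypothetical, and the paths it checks are the ones quoted in the posts.

```shell
#!/bin/sh
# Added diagnostic sketch. Function names are hypothetical; they are not
# part of p11-kit, pacman or ca-certificates-utils.

# Print every executable named $1 found along the colon-separated search
# path $2, in lookup order. The first line is the copy that actually runs.
list_candidates() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -n "$dir" ] && [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
        fi
    done
    IFS=$old_ifs
}

# Compare the first hit for $1 on search path $2 with the packaged file $3.
# Returns 0 if they match, 1 if another copy shadows it, 2 if none is found.
check_shadowing() {
    first=$(list_candidates "$1" "$2" | head -n 1)
    if [ -z "$first" ]; then
        echo "$1: not found on search path"
        return 2
    fi
    if [ "$first" != "$3" ]; then
        echo "$1: $first shadows $3"
        return 1
    fi
    echo "$1: $first"
}

# Count PEM certificates in a bundle; a missing or empty file counts as 0.
count_certs() {
    if [ ! -s "$1" ]; then
        echo 0
        return 0
    fi
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Run against the live system only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_shadowing p11-kit "$PATH" /usr/bin/p11-kit || true
    bundle=/etc/ca-certificates/extracted/tls-ca-bundle.pem
    echo "certificates in $bundle: $(count_certs "$bundle")"
fi
```

A count of 0 together with a "shadows" line matches the situation described in the posts above.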