Paru SSL error

raydenz · 2024-03-09 14:40:27

hello

when i use paru i have this problem
* i already remove paru and reinstall it with YAY but i have the same error
* i already trusted the certificate (when i curl -v https://aur.archlinux.org/rpc it works well)

Can you help please?

> paru -Ss posh

error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

thank you

regards,
Ray

WorMzy · 2024-03-09 17:19:02

Mod note: moving to AUR Issues

raydenz · 2024-03-23 13:32:24

Nobody can help please?

seth · 2024-03-23 14:21:26

i already remove paru and reinstall it with YAY but i have the same error

Did you rebuild it? This used to be a bug in rust/cargo.
And using yay to install paru is like using a scredriver to hammer a screw into your knee.
=> https://wiki.archlinux.org/title/Arch_User_Repository

i already trusted the certificate

What *exactly* does that mean? *You* trusted what certificate?

 openssl s_client -showcerts -connect aur.archlinux.org:443

*You* are not supposed to trust anything here yourself!

pacman -Qs ca-cert

raydenz · 2024-03-24 11:36:27

Hello Seth
Thank you for your response

yes i already rebuild it

git clone https://aur.archlinux.org/paru.git
makepkg -si

I have installed paru-bin too, and same error

Here the result of "pacman -Qs ca-cert"

local/ca-certificates 20220905-1
    Common CA certificates (default providers)
local/ca-certificates-mozilla 3.99-1
    Mozilla's set of trusted CA certificates
local/ca-certificates-utils 20220905-1
    Common CA certificates (utilities)

regards,

Last edited by raydenz (2024-03-24 11:41:10)

seth · 2024-03-24 13:46:18

Were there any build errors, eg. https://bbs.archlinux.org/viewtopic.php?id=294150 ?
Rust is up-to-date?

pacman -Qs rust

You have not elaborated on

i already trusted the certificate

What exactly did you trust how where and why?

Trilby · 2024-03-24 14:04:12

raydenz wrote:

yes i already rebuild it

git clone https://aur.archlinux.org/paru.git
makepkg -si

But those aren't the actual commands you used to do so. Certainly we can fill in the gaps to add what we assume you did - but if we're assuming things anyways, there's no point to actually list any commands. Do not give specific commands used unless they are the ones you actually used as this indicates you're misrepresenting something - and if you're misrepresenting a small thing how do we now there aren't big things that are not as they seem to be?

raydenz · 2024-03-25 10:00:53

hello
@Seth

Rust is up-to-date?

Rust is up-to-date

pacman -Qs rust
local/rust 1:1.77.0-1
    Systems programming language focused on safety, speed and concurrency

What exactly did you trust how where and why?

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

 /etc/ca-certificates/trust-source/anchors/
 update-ca-trust

@Trilby
These are exactly the commands i did.

regards
Ray

Funny0facer · 2024-03-25 11:44:47

so... you did not cd into the paru directory between git clone and makepkg?

Trilby · 2024-03-25 13:04:26

raydenz wrote:

These are exactly the commands i did.

Then you didn't rebuild / re-install paru (or if you did, perhaps you rebuilt a stale clone if by total coincidence you ran those commands from an existing AUR checkout).

seth · 2024-03-25 14:58:34

Let's just see what the OP actually did when

pacman -Qi paru

raydenz · 2024-03-30 20:08:44

seth wrote:

Let's just see what the OP actually did when
pacman -Qi paru

pacman -Qi paru
Name            : paru
Version         : 2.0.3-1
Description     : Feature packed AUR helper
Architecture    : x86_64
URL             : https://github.com/morganamilo/paru
Licenses        : GPL-3.0-or-later
Groups          : None
Provides        : None
Depends On      : git  pacman  libalpm.so>=14-64
Optional Deps   : bat: colored pkgbuild printing [installed]
                  devtools: build in chroot and downloading pkgbuilds
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 8,57 MiB
Packager        : Unknown Packager
Build Date      : dim. 24 mars 2024 12:22:59
Install Date    : dim. 24 mars 2024 12:28:56
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : None

regards,

seth · 2024-03-30 23:36:27

So it's the current version of paru, built and installed soemwhen around when you posted #5

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??

raydenz · 2024-03-31 10:19:19

seth wrote:

So it's the current version of paru, built and installed soemwhen around when you posted #5
i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.
What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??

- in the browser : https://aur.archlinux.org/
- i export the certificate from google chrome (clik on "certificate is valid" )
- move in /etc/ca-certificates/trust-source/anchors/
- sudo update-ca-trust

But it does not change, i removed it now.
I know i don't need to do that it was just a test. Let's forget this.

Same Error

paru -Ss paru
error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL 
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

you can see "unable to get the issuer certificate" but the issuer is R3, and i already have it.

curl works well (yay works well too)
i am using a corporate proxy but even without proxy i have the same problem. by the way "yay" works well with or without proxy

curl -vvv https://aur.archlinux.org/rpc
* Uses proxy env variable no_proxy == 'xxxxxxxxxxxxxxxxxx'
* Uses proxy env variable https_proxy == 'http://u142158:xxxxxxxx@internetv2.encara.local.ads:8080'
* Host internetv2.encara.local.ads:8080 was resolved.
* IPv6: (none)
* IPv4: 10.38.252.65, 10.38.253.65
*   Trying 10.38.252.65:8080...
* Connected to internetv2.encara.local.ads (10.38.252.65) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'u142158'
* Establish HTTP proxy tunnel to aur.archlinux.org:443
> CONNECT aur.archlinux.org:443 HTTP/1.1
> Host: aur.archlinux.org:443
> Proxy-Authorization: Basic dTE0MjE1ODpQYXBhc3NfMjdj
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection Established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=aur.archlinux.org
*  start date: Mar 11 22:47:13 2024 GMT
*  expire date: Jun  9 22:47:12 2024 GMT
*  subjectAltName: host "aur.archlinux.org" matched cert's "aur.archlinux.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://aur.archlinux.org/rpc
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: aur.archlinux.org]
* [HTTP/2] [1] [:path: /rpc]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /rpc HTTP/2
> Host: aur.archlinux.org
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 302 
< server: nginx
< date: Sun, 31 Mar 2024 10:15:08 GMT
< content-type: text/html; charset=utf-8
< content-length: 35
< location: /rpc/swagger
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< 
<a href="/rpc/swagger">Found</a>.

* Connection #0 to host internetv2.encara.local.ads left intact

the problem is somwhere else

Last edited by raydenz (2024-03-31 10:33:04)

seth · 2024-03-31 14:15:31

I know i don't need to do that it was just a test. Let's forget this.

Yes, I just wanted to make sure you didn't end up adding some bogus certificate to your database.

Wild guess: wht if you disable https://wiki.archlinux.org/title/IPv6#Disable_IPv6 "ipv6.disable=1"?

raydenz · 2024-06-28 12:22:49

Hell @seth

i have the same issue

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1

paru -Qu

error: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

this it completely crazy, i cant figure out why i have this error

Last edited by raydenz (2024-06-28 12:23:38)

cryptearth · 2024-06-28 13:36:20

does anyone know which SSL lib paru uses? could be an upstream bug in the used lib

seth · 2024-06-28 16:01:04

Upstream bug: https://github.com/Morganamilo/paru/issues/1172

strace -f -o /tmp/paru.strace paru -Qu

Maybe we can see what certificates are read and which are not.

cryptearth · 2024-06-28 17:52:13

according to ssllabs.com aur.archlinux.org uses Let's Encrypt as CA - should work on all recent clients
so as it's not an issue with TLS itself it hints to an issue in the crypto lib - but according to aur paru depends on rust which depends on openssl
but as openssl works fine it coukd be that paru is linked against a different lib than what comes default

maybe a network trace with wireshark could reveal where the TLS alert is raised as all up to the final CHANGE_CIPHER_SPEC is just unencrypted meta data

JohnDVD · 2024-07-16 13:01:32

same error accurred after updates.
solution:

sudo pacman -Syu
sudo pacman-key --updatedb

Last edited by JohnDVD (2024-07-16 13:01:57)

raydenz · 2024-10-11 07:14:17

I updated my package recently and now it works
I don't know why. They have probably fixed somthing in a library or other dependance.. i dont know

my version is

paru --version
paru v2.0.4 - libalpm v15.0.0

Thanks a lot for all poeple who try to help me
I think we can close the issue

Last edited by raydenz (2024-10-11 07:14:52)

seth · 2024-10-11 07:55:09

Please mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Arch Linux

#1 2024-03-09 14:40:27

Paru SSL error

#2 2024-03-09 17:19:02

Re: Paru SSL error

#3 2024-03-23 13:32:24

Re: Paru SSL error

#4 2024-03-23 14:21:26

Re: Paru SSL error

#5 2024-03-24 11:36:27

Re: Paru SSL error

#6 2024-03-24 13:46:18

Re: Paru SSL error

#7 2024-03-24 14:04:12

Re: Paru SSL error

#8 2024-03-25 10:00:53

Re: Paru SSL error

#9 2024-03-25 11:44:47

Re: Paru SSL error

#10 2024-03-25 13:04:26

Re: Paru SSL error

#11 2024-03-25 14:58:34

Re: Paru SSL error

#12 2024-03-30 20:08:44

Re: Paru SSL error

#13 2024-03-30 23:36:27

Re: Paru SSL error

#14 2024-03-31 10:19:19

Re: Paru SSL error

#15 2024-03-31 14:15:31

Re: Paru SSL error

#16 2024-06-28 12:22:49

Re: Paru SSL error

#17 2024-06-28 13:36:20

Re: Paru SSL error

#18 2024-06-28 16:01:04

Re: Paru SSL error

#19 2024-06-28 17:52:13

Re: Paru SSL error

#20 2024-07-16 13:01:32

Re: Paru SSL error

#21 2024-10-11 07:14:17

Re: Paru SSL error

#22 2024-10-11 07:55:09

Re: Paru SSL error

Board footer