You are not logged in.
hello
when i use paru i have this problem
* i already remove paru and reinstall it with YAY but i have the same error
* i already trusted the certificate (when i curl -v https://aur.archlinux.org/rpc it works well)
Can you help please?
> paru -Ss posh
error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:
thank you
regards,
Ray
Offline
Mod note: moving to AUR Issues
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Online
Nobody can help please?
Offline
i already remove paru and reinstall it with YAY but i have the same error
Did you rebuild it? This used to be a bug in rust/cargo.
And using yay to install paru is like using a scredriver to hammer a screw into your knee.
=> https://wiki.archlinux.org/title/Arch_User_Repository
i already trusted the certificate
What *exactly* does that mean? *You* trusted what certificate?
openssl s_client -showcerts -connect aur.archlinux.org:443
*You* are not supposed to trust anything here yourself!
pacman -Qs ca-cert
Offline
Hello Seth
Thank you for your response
yes i already rebuild it
git clone https://aur.archlinux.org/paru.git
makepkg -si
I have installed paru-bin too, and same error
Here the result of "pacman -Qs ca-cert"
local/ca-certificates 20220905-1
Common CA certificates (default providers)
local/ca-certificates-mozilla 3.99-1
Mozilla's set of trusted CA certificates
local/ca-certificates-utils 20220905-1
Common CA certificates (utilities)
regards,
Last edited by raydenz (2024-03-24 11:41:10)
Offline
Were there any build errors, eg. https://bbs.archlinux.org/viewtopic.php?id=294150 ?
Rust is up-to-date?
pacman -Qs rust
You have not elaborated on
i already trusted the certificate
What exactly did you trust how where and why?
Offline
yes i already rebuild it
git clone https://aur.archlinux.org/paru.git makepkg -si
But those aren't the actual commands you used to do so. Certainly we can fill in the gaps to add what we assume you did - but if we're assuming things anyways, there's no point to actually list any commands. Do not give specific commands used unless they are the ones you actually used as this indicates you're misrepresenting something - and if you're misrepresenting a small thing how do we now there aren't big things that are not as they seem to be?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
hello
@Seth
Rust is up-to-date?
Rust is up-to-date
pacman -Qs rust
local/rust 1:1.77.0-1
Systems programming language focused on safety, speed and concurrency
What exactly did you trust how where and why?
i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.
/etc/ca-certificates/trust-source/anchors/
update-ca-trust
@Trilby
These are exactly the commands i did.
regards
Ray
Offline
so... you did not cd into the paru directory between git clone and makepkg?
Offline
These are exactly the commands i did.
Then you didn't rebuild / re-install paru (or if you did, perhaps you rebuilt a stale clone if by total coincidence you ran those commands from an existing AUR checkout).
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
Let's just see what the OP actually did when
pacman -Qi paru
Offline
Let's just see what the OP actually did when
pacman -Qi paru
pacman -Qi paru
Name : paru
Version : 2.0.3-1
Description : Feature packed AUR helper
Architecture : x86_64
URL : https://github.com/morganamilo/paru
Licenses : GPL-3.0-or-later
Groups : None
Provides : None
Depends On : git pacman libalpm.so>=14-64
Optional Deps : bat: colored pkgbuild printing [installed]
devtools: build in chroot and downloading pkgbuilds
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 8,57 MiB
Packager : Unknown Packager
Build Date : dim. 24 mars 2024 12:22:59
Install Date : dim. 24 mars 2024 12:28:56
Install Reason : Explicitly installed
Install Script : No
Validated By : None
regards,
Offline
So it's the current version of paru, built and installed soemwhen around when you posted #5
i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.
What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??
Offline
So it's the current version of paru, built and installed soemwhen around when you posted #5
i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??
- in the browser : https://aur.archlinux.org/
- i export the certificate from google chrome (clik on "certificate is valid" )
- move in /etc/ca-certificates/trust-source/anchors/
- sudo update-ca-trust
But it does not change, i removed it now.
I know i don't need to do that it was just a test. Let's forget this.
Same Error
paru -Ss paru
error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL
routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:
you can see "unable to get the issuer certificate" but the issuer is R3, and i already have it.
curl works well (yay works well too)
i am using a corporate proxy but even without proxy i have the same problem. by the way "yay" works well with or without proxy
curl -vvv https://aur.archlinux.org/rpc
* Uses proxy env variable no_proxy == 'xxxxxxxxxxxxxxxxxx'
* Uses proxy env variable https_proxy == 'http://u142158:xxxxxxxx@internetv2.encara.local.ads:8080'
* Host internetv2.encara.local.ads:8080 was resolved.
* IPv6: (none)
* IPv4: 10.38.252.65, 10.38.253.65
* Trying 10.38.252.65:8080...
* Connected to internetv2.encara.local.ads (10.38.252.65) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'u142158'
* Establish HTTP proxy tunnel to aur.archlinux.org:443
> CONNECT aur.archlinux.org:443 HTTP/1.1
> Host: aur.archlinux.org:443
> Proxy-Authorization: Basic dTE0MjE1ODpQYXBhc3NfMjdj
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection Established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=aur.archlinux.org
* start date: Mar 11 22:47:13 2024 GMT
* expire date: Jun 9 22:47:12 2024 GMT
* subjectAltName: host "aur.archlinux.org" matched cert's "aur.archlinux.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://aur.archlinux.org/rpc
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: aur.archlinux.org]
* [HTTP/2] [1] [:path: /rpc]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /rpc HTTP/2
> Host: aur.archlinux.org
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 302
< server: nginx
< date: Sun, 31 Mar 2024 10:15:08 GMT
< content-type: text/html; charset=utf-8
< content-length: 35
< location: /rpc/swagger
< strict-transport-security: max-age=31536000; includeSubdomains; preload
<
<a href="/rpc/swagger">Found</a>.
* Connection #0 to host internetv2.encara.local.ads left intact
the problem is somwhere else
Last edited by raydenz (2024-03-31 10:33:04)
Offline
I know i don't need to do that it was just a test. Let's forget this.
Yes, I just wanted to make sure you didn't end up adding some bogus certificate to your database.
Wild guess: wht if you disable https://wiki.archlinux.org/title/IPv6#Disable_IPv6 "ipv6.disable=1"?
Offline
Hell @seth
i have the same issue
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
paru -Qu
error: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:
this it completely crazy, i cant figure out why i have this error
Last edited by raydenz (2024-06-28 12:23:38)
Offline
does anyone know which SSL lib paru uses? could be an upstream bug in the used lib
Offline
Upstream bug: https://github.com/Morganamilo/paru/issues/1172
strace -f -o /tmp/paru.strace paru -Qu
Maybe we can see what certificates are read and which are not.
Offline
according to ssllabs.com aur.archlinux.org uses Let's Encrypt as CA - should work on all recent clients
so as it's not an issue with TLS itself it hints to an issue in the crypto lib - but according to aur paru depends on rust which depends on openssl
but as openssl works fine it coukd be that paru is linked against a different lib than what comes default
maybe a network trace with wireshark could reveal where the TLS alert is raised as all up to the final CHANGE_CIPHER_SPEC is just unencrypted meta data
Offline
same error accurred after updates.
solution:
sudo pacman -Syu
sudo pacman-key --updatedb
Last edited by JohnDVD (2024-07-16 13:01:57)
Offline
I updated my package recently and now it works
I don't know why. They have probably fixed somthing in a library or other dependance.. i dont know
my version is
paru --version
paru v2.0.4 - libalpm v15.0.0
Thanks a lot for all poeple who try to help me
I think we can close the issue
Last edited by raydenz (2024-10-11 07:14:52)
Offline
Please mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline