
#1 2024-03-09 14:40:27

raydenz
Member
Registered: 2016-02-28
Posts: 11

Paru SSL error

hello

when i use paru i have this problem
* i already remove paru and reinstall it with YAY but i have the same error
* i already trusted the certificate (when i curl -v https://aur.archlinux.org/rpc it works well)

Can you help please?

> paru -Ss posh

error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

thank you

regards,
Ray

Offline

#2 2024-03-09 17:19:02

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,426
Website

Re: Paru SSL error

Mod note: moving to AUR Issues


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

#3 2024-03-23 13:32:24

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

Nobody can help please?

Offline

#4 2024-03-23 14:21:26

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

i already remove paru and reinstall it with YAY but i have the same error

Did you rebuild it? This used to be a bug in rust/cargo.
And using yay to install paru is like using a screwdriver to hammer a screw into your knee.
=> https://wiki.archlinux.org/title/Arch_User_Repository

i already trusted the certificate

What *exactly* does that mean? *You* trusted what certificate?

openssl s_client -showcerts -connect aur.archlinux.org:443

*You* are not supposed to trust anything here yourself!

pacman -Qs ca-cert

Offline

#5 2024-03-24 11:36:27

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

Hello Seth
Thank you for your response

yes i already rebuild it

git clone https://aur.archlinux.org/paru.git
makepkg -si

I have installed paru-bin too, and same error

Here the result of "pacman -Qs ca-cert"

local/ca-certificates 20220905-1
    Common CA certificates (default providers)
local/ca-certificates-mozilla 3.99-1
    Mozilla's set of trusted CA certificates
local/ca-certificates-utils 20220905-1
    Common CA certificates (utilities)

regards,

Last edited by raydenz (2024-03-24 11:41:10)

Offline

#6 2024-03-24 13:46:18

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

Were there any build errors, eg. https://bbs.archlinux.org/viewtopic.php?id=294150 ?
Rust is up-to-date?

pacman -Qs rust

You have not elaborated on

i already trusted the certificate

What exactly did you trust how where and why?

Offline

#7 2024-03-24 14:04:12

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: Paru SSL error

raydenz wrote:

yes i already rebuild it

git clone https://aur.archlinux.org/paru.git
makepkg -si

But those aren't the actual commands you used to do so.  Certainly we can fill in the gaps to add what we assume you did - but if we're assuming things anyways, there's no point to actually list any commands.  Do not give specific commands used unless they are the ones you actually used as this indicates you're misrepresenting something - and if you're misrepresenting a small thing how do we know there aren't big things that are not as they seem to be?


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#8 2024-03-25 10:00:53

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

hello
@Seth

Rust is up-to-date?

Rust is up-to-date

pacman -Qs rust
local/rust 1:1.77.0-1
    Systems programming language focused on safety, speed and concurrency

What exactly did you trust how where and why?

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

 /etc/ca-certificates/trust-source/anchors/
 update-ca-trust


@Trilby
These are exactly the commands i did.

regards
Ray

Offline

#9 2024-03-25 11:44:47

Funny0facer
Member
From: Germany
Registered: 2022-12-03
Posts: 157

Re: Paru SSL error

so... you did not cd into the paru directory between git clone and makepkg?

Offline

#10 2024-03-25 13:04:26

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: Paru SSL error

raydenz wrote:

These are exactly the commands i did.

Then you didn't rebuild / re-install paru (or if you did, perhaps you rebuilt a stale clone if by total coincidence you ran those commands from an existing AUR checkout).


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#11 2024-03-25 14:58:34

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

Let's just see what the OP actually did when ;)

pacman -Qi paru

Offline

#12 2024-03-30 20:08:44

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

seth wrote:

Let's just see what the OP actually did when ;)

pacman -Qi paru
pacman -Qi paru
Name            : paru
Version         : 2.0.3-1
Description     : Feature packed AUR helper
Architecture    : x86_64
URL             : https://github.com/morganamilo/paru
Licenses        : GPL-3.0-or-later
Groups          : None
Provides        : None
Depends On      : git  pacman  libalpm.so>=14-64
Optional Deps   : bat: colored pkgbuild printing [installed]
                  devtools: build in chroot and downloading pkgbuilds
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 8,57 MiB
Packager        : Unknown Packager
Build Date      : dim. 24 mars 2024 12:22:59
Install Date    : dim. 24 mars 2024 12:28:56
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : None

regards,

Offline

#13 2024-03-30 23:36:27

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

So it's the current version of paru, built and installed somewhen around when you posted #5

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??

Offline

#14 2024-03-31 10:19:19

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

seth wrote:

So it's the current version of paru, built and installed somewhen around when you posted #5

i get the certificate on my web browser and i put it in the directory below.
But please i don't think it was good to do so.

What certificate specifically? Did you meanwhile remove it?
Why was that "necessary"? Did curl also fail before??


- in the browser : https://aur.archlinux.org/
- i export the certificate from google chrome (click on "certificate is valid")
- move in /etc/ca-certificates/trust-source/anchors/
- sudo update-ca-trust

But it does not change, i removed it now.
I know i don't need to do that it was just a test. Let's forget this.

Same Error

paru -Ss paru
error: aur search failed: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

you can see "unable to get the issuer certificate" but the issuer is R3, and i already have it.

curl works well (yay works well too)
i am using a corporate proxy but even without proxy i have the same problem. by the way "yay" works well with or without proxy

curl -vvv https://aur.archlinux.org/rpc
* Uses proxy env variable no_proxy == 'xxxxxxxxxxxxxxxxxx'
* Uses proxy env variable https_proxy == 'http://u142158:xxxxxxxx@internetv2.encara.local.ads:8080'
* Host internetv2.encara.local.ads:8080 was resolved.
* IPv6: (none)
* IPv4: 10.38.252.65, 10.38.253.65
*   Trying 10.38.252.65:8080...
* Connected to internetv2.encara.local.ads (10.38.252.65) port 8080
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'u142158'
* Establish HTTP proxy tunnel to aur.archlinux.org:443
> CONNECT aur.archlinux.org:443 HTTP/1.1
> Host: aur.archlinux.org:443
> Proxy-Authorization: Basic dTE0MjE1ODpQYXBhc3NfMjdj
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection Established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=aur.archlinux.org
*  start date: Mar 11 22:47:13 2024 GMT
*  expire date: Jun  9 22:47:12 2024 GMT
*  subjectAltName: host "aur.archlinux.org" matched cert's "aur.archlinux.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://aur.archlinux.org/rpc
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: aur.archlinux.org]
* [HTTP/2] [1] [:path: /rpc]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /rpc HTTP/2
> Host: aur.archlinux.org
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 302 
< server: nginx
< date: Sun, 31 Mar 2024 10:15:08 GMT
< content-type: text/html; charset=utf-8
< content-length: 35
< location: /rpc/swagger
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< 
<a href="/rpc/swagger">Found</a>.

* Connection #0 to host internetv2.encara.local.ads left intact

the problem is somewhere else

Last edited by raydenz (2024-03-31 10:33:04)

Offline

#15 2024-03-31 14:15:31

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

I know i don't need to do that it was just a test. Let's forget this.

Yes, I just wanted to make sure you didn't end up adding some bogus certificate to your database.

Wild guess: what if you disable https://wiki.archlinux.org/title/IPv6#Disable_IPv6 "ipv6.disable=1"?

Offline

#16 2024-06-28 12:22:49

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

Hello @seth

i have the same issue

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1

paru -Qu

error: error sending request for url (https://aur.archlinux.org/rpc): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (unable to get issuer certificate): error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:

this is completely crazy, i can't figure out why i have this error

Last edited by raydenz (2024-06-28 12:23:38)

Offline

#17 2024-06-28 13:36:20

cryptearth
Member
Registered: 2024-02-03
Posts: 1,015

Re: Paru SSL error

does anyone know which SSL lib paru uses? could be an upstream bug in the used lib

Offline

#18 2024-06-28 16:01:04

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

Upstream bug: https://github.com/Morganamilo/paru/issues/1172

strace -f -o /tmp/paru.strace paru -Qu

Maybe we can see what certificates are read and which are not.

Offline
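
Added example (not part of seth's post and not paru's own code): one way to read the trace requested above, listing which certificate-related files the traced process opened and which opens failed. The function names, the sample log lines and the hash-named file are constructed for illustration; for a real trace, call `cert_opens /tmp/paru.strace`.

```shell
#!/bin/sh
# Summarise certificate-related file opens in a log written by:
#   strace -f -o /tmp/paru.strace paru -Qu
# Function names and the sample log are constructed for this example.

cert_opens() {
    # $1 = strace log. Prints "<OK|errno> <path>" once per unique pair.
    awk '
    /<unfinished/ { next }            # split calls carry no return value here
    /^[0-9]+ +(open|openat)\(/ {
        if (!match($0, /"[^"]*"/)) next          # first quoted arg = path
        path = substr($0, RSTART + 1, RLENGTH - 2)
        # trust stores, bundles, and the TLS library that gets loaded
        if (path !~ /(ssl|ca-certificates|pki|\.pem$|\.crt$)/) next
        n = split($0, parts, / = /)              # return value is last
        if (parts[n] ~ /^-1 /) { split(parts[n], e, " "); status = e[2] }
        else status = "OK"
        key = status " " path
        if (!(key in seen)) { seen[key] = 1; print key }
    }' "$1"
}

cert_failures() {
    # Only the opens that returned an error (ENOENT, EACCES, ...).
    cert_opens "$1" | awk '$1 != "OK"'
}

write_sample_log() {
    # Constructed strace lines; paths and the hash name are illustrative.
    cat > "$1" <<'EOF'
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/usr/lib/libssl.so.3", O_RDONLY|O_CLOEXEC) = 3
4243 openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 5
4243 openat(AT_FDCWD, "/etc/ssl/cert.pem", O_RDONLY) = 5
4243 openat(AT_FDCWD, "/etc/ssl/certs/0a1b2c3d.0", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY <unfinished ...>
EOF
}

log=$(mktemp)
write_sample_log "$log"
cert_opens "$log"
rm -f "$log"
```

An ENOENT on a hash-named file under a certs directory is a normal part of OpenSSL's hashed-directory lookup; what matters is whether any bundle or anchor that should contain the issuer is opened successfully at all.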

#19 2024-06-28 17:52:13

cryptearth
Member
Registered: 2024-02-03
Posts: 1,015

Re: Paru SSL error

according to ssllabs.com aur.archlinux.org uses Let's Encrypt as CA - should work on all recent clients
so as it's not an issue with TLS itself it hints to an issue in the crypto lib - but according to aur paru depends on rust which depends on openssl
but as openssl works fine it could be that paru is linked against a different lib than what comes default

maybe a network trace with wireshark could reveal where the TLS alert is raised as all up to the final CHANGE_CIPHER_SPEC is just unencrypted meta data

Offline

#20 2024-07-16 13:01:32

JohnDVD
Member
Registered: 2011-11-29
Posts: 40

Re: Paru SSL error

same error occurred after updates.
solution:

sudo pacman -Syu
sudo pacman-key --updatedb

Last edited by JohnDVD (2024-07-16 13:01:57)

Offline

#21 2024-10-11 07:14:17

raydenz
Member
Registered: 2016-02-28
Posts: 11

Re: Paru SSL error

I updated my package recently and now it works
I don't know why. They have probably fixed something in a library or other dependency.. i don't know

my version is

paru --version
paru v2.0.4 - libalpm v15.0.0

Thanks a lot to all the people who tried to help me
I think we can close the issue

Last edited by raydenz (2024-10-11 07:14:52)

Offline

#22 2024-10-11 07:55:09

seth
Member
Registered: 2012-09-03
Posts: 59,042

Re: Paru SSL error

Please mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Offline
