Binary Ninja fails to update on Gentoo #672

Closed
gosma opened this Issue Apr 29, 2017 · 3 comments

gosma commented Apr 29, 2017

As soon as Binary Ninja starts it will fail with Error fetching version list: Peer certificate cannot be authenticated with given CA certificates when trying to fetch updates.

I was able to fix this by enabling the insecure_certs use flag on the ca-certificates package.

# USE="insecure_certs" emerge ca-certificates

Alternatively, copying the ca-bundle.crt file from another Linux distribution over /etc/ssl/certs/ca-certificates.crt also works.

Cheers!

Member

psifertex commented Apr 29, 2017

Hmm, I wonder why the "insecure_certs" option is required for that package? Supposedly Gentoo contains the root cert for Let's Encrypt, which is what we're currently using.

gosma commented Apr 29, 2017

Here's a trace without insecure_certs:

$ strace -f ./binaryninja 2>&1 | grep cert
[pid 30465] open("/etc/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 30469] open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 15
[pid 30469] open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 16
[pid 30469] stat("/etc/ssl/certs/ae8153b9.0", 0x7fea137fb6e0) = -1 ENOENT (No such file or directory)
[pid 30469] stat("/etc/ssl/certs/a3e50893.0", 0x7fea137fb6e0) = -1 ENOENT (No such file or directory)
[pid 30475] open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 15
[pid 30475] open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 16
[pid 30475] stat("/etc/ssl/certs/ae8153b9.0", 0x7fea137fb600) = -1 ENOENT (No such file or directory)
[pid 30475] stat("/etc/ssl/certs/a3e50893.0", 0x7fea137fb600) = -1 ENOENT (No such file or directory)

And here's what appears to be the missing certificate:

$ openssl x509 -in /etc/ssl/certs/ae8153b9.0 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 45 (0x2d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
        Validity
            Not Before: Sep 17 19:46:37 2006 GMT
            Not After : Sep 17 19:46:36 2036 GMT
        Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2
            X509v3 Authority Key Identifier: 
                keyid:4E:0B:EF:1A:A4:40:5B:A5:17:69:87:30:CA:34:68:43:D0:41:AE:F2

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.23223.1.1.1
                  CPS: http://www.startssl.com/policy.pdf
                  CPS: http://www.startssl.com/intermediate.pdf
                  User Notice:
                    Organization: Start Commercial (StartCom) Ltd.
                    Number: 1
                    Explicit Text: Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf

            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            Netscape Comment: 
                StartCom Free SSL Certification Authority
    Signature Algorithm: sha256WithRSAEncryption

Member

psifertex commented Aug 22, 2017

Sorry for not replying earlier, but given that Gentoo is unsupported, I'm going to close this one out, and you've already documented a pretty good work-around which is to copy over /etc/ssl/certs/ca-certificates.crt from another distro. I'll add that to the Linux troubleshooting documentation.

Thanks.

@psifertex psifertex closed this Aug 22, 2017
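
The `ae8153b9.0` and `a3e50893.0` names in the trace above are OpenSSL hashed-directory lookups (`<subject-name-hash>.<n>`). The following sketch, added here and not part of the thread or of Binary Ninja, extracts the failed lookups from an strace log and maps a hash back to a CA file; the function names and the directory passed to `certs_with_subject_hash` are assumptions.

```shell
#!/bin/sh
# Added example: find which hashed CA lookups failed in an strace log.

# Sample lines copied from the trace posted in the thread.
sample_trace() {
cat <<'EOF'
[pid 30465] open("/etc/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 30469] open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 15
[pid 30469] stat("/etc/ssl/certs/ae8153b9.0", 0x7fea137fb6e0) = -1 ENOENT (No such file or directory)
[pid 30469] stat("/etc/ssl/certs/a3e50893.0", 0x7fea137fb6e0) = -1 ENOENT (No such file or directory)
[pid 30475] stat("/etc/ssl/certs/ae8153b9.0", 0x7fea137fb600) = -1 ENOENT (No such file or directory)
EOF
}

# Read strace output on stdin and print each distinct <8 hex digits>.<n>
# path whose stat/open returned ENOENT, in first-seen order.
# Non-hashed names such as cert.pem are ignored.
missing_ca_lookups() {
  sed -n -E 's#.*(stat|open|openat)\((AT_FDCWD, )?"([^"]*/[0-9a-f]{8}\.[0-9]+)".*= -1 ENOENT.*#\3#p' |
    awk '!seen[$0]++'
}

# Print the certificate files in directory $2 whose subject hash equals $1.
# Needs the openssl CLI. The directory must hold one PEM certificate per
# file (assumption: e.g. /usr/share/ca-certificates/mozilla), because
# "openssl x509" reads only the first certificate of a bundle.
certs_with_subject_hash() {
  want=$1
  dir=$2
  for f in "$dir"/*.crt "$dir"/*.pem; do
    [ -f "$f" ] || continue
    h=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
    if [ "$h" = "$want" ]; then printf '%s\n' "$f"; fi
  done
  return 0
}

# Demo on the embedded sample; on a live system pipe the strace output in.
sample_trace | missing_ca_lookups
```

Knowing which CA a hash belongs to lets you check whether that root is absent from the trust store by distribution policy before deciding to re-enable it or replace the bundle.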
