SSL/TLS Certificates removed with version 20010 #3

Closed
nottux opened this issue Dec 31, 2017 · 17 comments

nottux commented Dec 31, 2017

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ ls -l /etc/ssl/certs
lrwxrwxrwx 1 root root 32 Oct 31 21:06 /etc/ssl/certs -> ../../var/cache/ca-certs/anchors
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ ls -l /var/cache/ca-certs/anchors
total 0
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ uname -a
Linux clr-449e9b2a44f8458bb4885604dc172a1c 4.14.7-497.native #2 SMP Mon Dec 18 12:51:57 UTC 2017 x86_64 GNU/Linux
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo flatpak install --from https://flathub.org/repo/appstream/io.thp.numptyphysics.flatpakref
Password: 
error: Can't load uri https://flathub.org/repo/appstream/io.thp.numptyphysics.flatpakref: Unacceptable TLS certificate
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo flatpak install --from http://flathub.org/repo/appstream/io.thp.numptyphysics.flatpakref
error: Can't load uri http://flathub.org/repo/appstream/io.thp.numptyphysics.flatpakref: Unacceptable TLS certificate

flatpak and git are unusable because of missing certificates; the web browser works. I have not tried to remove or reinstall the certificates.

Author

nottux commented Dec 31, 2017

Fixed by downloading http://curl.haxx.se/ca/cacert.pem and copying the cacert.pem as ca-bundle.crt to /var/cache/ca-certs/anchors and /etc/pki/tls/certs.
After that, the files /var/cache/ca-certs/anchors/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.crt should exist. That fixed my problem.

@nottux nottux closed this as completed Dec 31, 2017
Author

nottux commented Jan 1, 2018

I should reopen this issue since I closed it by accident.

@nottux nottux reopened this Jan 1, 2018

busykai commented Jan 1, 2018

@tuxutku, could you please try and re-run sudo clrtrust generate.

Author

nottux commented Jan 2, 2018

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo clrtrust generate
Password: 
WARNING: file /usr/share/ca-certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/LuxTrust_Global_Root_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/COMODO_RSA_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Cybertrust_Global_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Network_Solutions_Certificate_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Premium.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/EC-ACC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_2_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/D-TRUST_Root_Class_3_CA_2_EV_2009.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Primary_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/VeriSign_Universal_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_1_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Starfield_Root_Certificate_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certum_Trusted_Network_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Starfield_Class_2_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/USERTrust_ECC_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Microsec_e-Szigno_Root_CA_2009.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/USERTrust_RSA_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/D-TRUST_Root_Class_3_CA_2_2009.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certigna.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TWCA_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ACCVRAIZ1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Assured_ID_Root_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OpenTrust_Root_CA_G1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_ECC_Root_CA_-_R4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/CFCA_EV_ROOT.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TWCA_Global_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Staat_der_Nederlanden_Root_CA_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_Root_Certification_Authority_ECC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/certSIGN_ROOT_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust_Root_Certification_Authority_-_EC1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Visa_eCommerce_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Go_Daddy_Root_Certificate_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OISTE_WISeKey_Global_Root_GA_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ComSign_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SZAFIR_ROOT_CA2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_Root_CA_-_R3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TrustCor_RootCert_CA-1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Deutsche_Telekom_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/T-TeleSec_GlobalRoot_Class_3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Camerfirma_Global_Chambersign_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OpenTrust_Root_CA_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TrustCor_ECA-1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Premium_ECC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_EV_Root_Certification_Authority_ECC.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SwissSign_Gold_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certum_Trusted_Network_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_High_Assurance_EV_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AC_RAIZ_FNMT-RCM.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Taiwan_GRCA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/E-Tugra_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Assured_ID_Root_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Comodo_AAA_Services_root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/COMODO_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Actalis_Authentication_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certplus_Root_CA_G1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Global_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/thawte_Primary_Root_CA_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Chambers_of_Commerce_Root_-_2008.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Primary_Certification_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ePKI_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_3_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TC_TrustCenter_Class_3_CA_II.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Assured_ID_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Commercial.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/XRamp_Global_CA_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Secure_Global_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Sonera_Class_2_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OpenTrust_Root_CA_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AC_Raíz_Certicámara_S.A..crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TrustCor_RootCert_CA-2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DST_ACES_CA_X6.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Trustis_FPS_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Universal_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/EE_Certification_Centre_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/TeliaSonera_Root_CA_v1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certplus_Root_CA_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SSL.com_Root_Certification_Authority_RSA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Buypass_Class_2_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Hongkong_Post_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/IdenTrust_Public_Sector_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Global_Root_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SecureTrust_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Atos_TrustedRoot_2011.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Global_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/S-TRUST_Universal_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Starfield_Services_Root_Certificate_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/T-TeleSec_GlobalRoot_Class_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/D-TRUST_Root_CA_3_2013.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AddTrust_External_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GeoTrust_Universal_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DST_Root_CA_X3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Camerfirma_Chambers_of_Commerce_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/CA_Disig_Root_R2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Go_Daddy_Class_2_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Amazon_Root_CA_3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/thawte_Primary_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Izenpe.com.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/IdenTrust_Commercial_Root_CA_1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/ISRG_Root_X1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/OISTE_WISeKey_Global_Root_GB_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AddTrust_Low-Value_Services_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SwissSign_Silver_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Global_Chambersign_Root_-_2008.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Staat_der_Nederlanden_EV_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Security_Communication_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/CA_Disig_Root_R1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust.net_Premium_2048_Secure_Server_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Swisscom_Root_CA_2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Trusted_Root_G4.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/QuoVadis_Root_CA_3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_ECC_Root_CA_-_R5.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Buypass_Class_3_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust_Root_Certification_Authority_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/thawte_Primary_Root_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SwissSign_Platinum_CA_-_G2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Security_Communication_RootCA2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Entrust_Root_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Baltimore_CyberTrust_Root.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/SecureSign_RootCA11.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/UTN_USERFirst_Email_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certinomis_-_Root_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Security_Communication_EV_RootCA1.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GlobalSign_Root_CA_-_R2.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/Certplus_Class_2_Primary_CA.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/DigiCert_Global_Root_G3.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/GDCA_TrustAUTH_R5_ROOT.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/COMODO_ECC_Certification_Authority.crt is not a certificate
WARNING: file /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt is not a certificate
Trust store generated at /var/cache/ca-certs
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone --recursive https://github.com/gpac/gpac.git
Cloning into 'gpac'...
fatal: unable to access 'https://github.com/gpac/gpac.git/': SSL certificate problem: unable to get local issuer certificate

Still can't use git but can use flatpak. I should mention that I could run flatpak after manually downloading ca-bundle.crt.


busykai commented Jan 2, 2018

@tuxutku, could you post the content of any of the *.crt file here? the error means that running openssl x509 fails on the certificates installed in /usr/share/ca-certs/trusted. i cannot reproduce this on my system.

after you do, please try running sudo swupd verify --fix (it should fix any deviations in your /usr/ tree) and then try generating the trust store again with sudo clrtrust generate.

Author

nottux commented Jan 2, 2018

I can't run

sudo swupd verify --fix

since I have manually removed qt5 and other programs because of incompatible binaries. It will take me days to reinstall and then remove these, and I will lose lots of my free time. I will try to find another way to fix this.

@nottux nottux closed this as completed Jan 2, 2018
Member

bryteise commented Jan 2, 2018

@tuxutku So this is a little odd to do but you can try running:
swupd verify --install -p /path/to/tmp/root -m $your-clear-linux-version && swupd bundle-add -p /path/to/tmp/root network-basic
Which will give you the certs in /path/to/tmp/root/usr/share/ca-certs/trusted that you could then compare to your system (and copy over/replace as needed).


busykai commented Jan 2, 2018

@tuxutku, we cannot reproduce the issue, so without your help it's hard to get to the root cause of this. it sounds like you manually modified files in /usr, i'm wondering if you could run:

openssl x509 -in /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt -noout -fingerprint -sha1

to see if openssl on your system is still functional. if it's not, then that is the issue.

you can also use pre-built store, to do that: sudo rm -rf /var/cache/ca-certs; mv /usr/share/ca-certs/.prebuilt-store /var/cache/ca-certs. this will resolve your connectivity issues for now (unless the installed certificates are really broken).

Author

nottux commented Jan 3, 2018

When I was building another program it required openssl but it wasn't installed, so I installed openssl to /usr/local. Installation of openssl or update and reboot after that broke it.

When I get home I will look into this, but I am not at home now; I can be home in 6 to 10 hours.
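
The check discussed in the comments above, written out as an added example (it is not code from this thread or from clrtrust): it runs the suggested `openssl x509` command over every `*.crt` file in a directory, counts the files that fail, and reports which `openssl` binary the shell resolves, since a second copy installed elsewhere on `PATH` is the one that gets run if it comes first. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not clrtrust's own code. Function names are hypothetical.

# Print the path of the openssl binary the shell will actually run.
active_openssl() {
    command -v openssl
}

# Print every executable named openssl found on PATH, in search order.
# More than one line means an earlier copy is shadowing a later one.
all_openssl() {
    old_ifs=$IFS
    IFS=:
    for d in $PATH; do
        if [ -n "$d" ] && [ -f "$d/openssl" ] && [ -x "$d/openssl" ]; then
            printf '%s\n' "$d/openssl"
        fi
    done
    IFS=$old_ifs
}

# Run the command suggested in the thread against every *.crt file in a
# directory. Failing file names go to stderr, the failure count to stdout.
count_bad_certs() {
    dir=$1
    bad=0
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if ! openssl x509 -in "$f" -noout -fingerprint -sha1 >/dev/null 2>&1; then
            printf 'not parsed as a certificate: %s\n' "$f" >&2
            bad=$((bad + 1))
        fi
    done
    printf '%s\n' "$bad"
}

# Usage: sh audit.sh /usr/share/ca-certs/trusted
if [ "$#" -gt 0 ]; then
    echo "openssl in use: $(active_openssl)"
    all_openssl | sed 's/^/  on PATH: /'
    echo "files that failed: $(count_bad_certs "$1")"
fi
```

If every file fails at once, look at the `openssl` binary before suspecting the certificates themselves.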

@nottux nottux reopened this Jan 3, 2018
Author

nottux commented Jan 3, 2018

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ openssl x509 -in /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt -noout -fingerprint -sha1
SHA1 Fingerprint=29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ ls -l /usr/share/ca-certs/trusted
total 616
-rw-r--r-- 2 root root 2772 Jan 13  2017  ACCVRAIZ1.crt
-rw-r--r-- 2 root root 2281 Jan 13  2017  AC_Raíz_Certicámara_S.A..crt
-rw-r--r-- 1 root root 1972 Jan 13  2017  AC_RAIZ_FNMT-RCM.crt
-rw-r--r-- 2 root root 2049 Jan 13  2017  Actalis_Authentication_Root_CA.crt
-rw-r--r-- 2 root root 1521 Sep 14 19:49  AddTrust_External_Root.crt
-rw-r--r-- 2 root root 1480 Jan 13  2017  AddTrust_Low-Value_Services_Root.crt
-rw-r--r-- 2 root root 1204 Jan 13  2017  AffirmTrust_Commercial.crt
-rw-r--r-- 2 root root 1204 Jan 13  2017  AffirmTrust_Networking.crt
-rw-r--r-- 2 root root 1891 Jan 13  2017  AffirmTrust_Premium.crt
-rw-r--r-- 2 root root  753 Jan 13  2017  AffirmTrust_Premium_ECC.crt
-rw-r--r-- 1 root root 1188 Jan 13  2017  Amazon_Root_CA_1.crt
-rw-r--r-- 1 root root 1883 Jan 13  2017  Amazon_Root_CA_2.crt
-rw-r--r-- 1 root root  656 Jan 13  2017  Amazon_Root_CA_3.crt
-rw-r--r-- 1 root root  737 Jan 13  2017  Amazon_Root_CA_4.crt
-rw-r--r-- 2 root root 1261 Jan 13  2017  Atos_TrustedRoot_2011.crt
-rw-r--r-- 2 root root 2167 Jan 13  2017  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
-rw-r--r-- 2 root root 1261 Jan 13  2017  Baltimore_CyberTrust_Root.crt
-rw-r--r-- 2 root root 1915 Jan 13  2017  Buypass_Class_2_Root_CA.crt
-rw-r--r-- 2 root root 1915 Jan 13  2017  Buypass_Class_3_Root_CA.crt
-rw-r--r-- 2 root root 1935 Jan 13  2017  CA_Disig_Root_R1.crt
-rw-r--r-- 2 root root 1935 Jan 13  2017  CA_Disig_Root_R2.crt
-rw-r--r-- 2 root root 1704 Jan 13  2017  Camerfirma_Chambers_of_Commerce_Root.crt
-rw-r--r-- 2 root root 1716 Jan 13  2017  Camerfirma_Global_Chambersign_Root.crt
-rw-r--r-- 2 root root 1330 Jan 13  2017  Certigna.crt
-rw-r--r-- 2 root root 1992 Jan 13  2017  Certinomis_-_Root_CA.crt
-rw-r--r-- 2 root root 1298 Jan 13  2017  Certplus_Class_2_Primary_CA.crt
-rw-r--r-- 2 root root 1939 Jan 13  2017  Certplus_Root_CA_G1.crt
-rw-r--r-- 2 root root  794 Jan 13  2017  Certplus_Root_CA_G2.crt
-rw-r--r-- 2 root root 1176 Jan 13  2017  certSIGN_ROOT_CA.crt
-rw-r--r-- 2 root root 1119 Jan 13  2017  Certum_Root_CA.crt
-rw-r--r-- 2 root root 2078 Jan 13  2017  Certum_Trusted_Network_CA_2.crt
-rw-r--r-- 2 root root 1354 Jan 13  2017  Certum_Trusted_Network_CA.crt
-rw-r--r-- 2 root root 1984 Jan 13  2017  CFCA_EV_ROOT.crt
-rw-r--r-- 2 root root 2594 Jan 13  2017  Chambers_of_Commerce_Root_-_2008.crt
-rw-r--r-- 2 root root 1517 Jan 13  2017  Comodo_AAA_Services_root.crt
-rw-r--r-- 2 root root 1489 Jan 13  2017  COMODO_Certification_Authority.crt
-rw-r--r-- 2 root root  940 Jan 13  2017  COMODO_ECC_Certification_Authority.crt
-rw-r--r-- 2 root root 2086 Jan 13  2017  COMODO_RSA_Certification_Authority.crt
-rw-r--r-- 2 root root 1302 Jan 13  2017  ComSign_CA.crt
-rw-r--r-- 2 root root 1318 Jan 13  2017  Cybertrust_Global_Root.crt
-rw-r--r-- 2 root root 1318 Jan 13  2017  Deutsche_Telekom_Root_CA_2.crt
-rw-r--r-- 2 root root 1350 Jan 13  2017  DigiCert_Assured_ID_Root_CA.crt
-rw-r--r-- 2 root root 1306 Jan 13  2017  DigiCert_Assured_ID_Root_G2.crt
-rw-r--r-- 2 root root  851 Jan 13  2017  DigiCert_Assured_ID_Root_G3.crt
-rw-r--r-- 2 root root 1338 Jan 13  2017  DigiCert_Global_Root_CA.crt
-rw-r--r-- 2 root root 1294 Jan 13  2017  DigiCert_Global_Root_G2.crt
-rw-r--r-- 2 root root  839 Oct 25 01:59  DigiCert_Global_Root_G3.crt
-rw-r--r-- 2 root root 1367 Sep 14 19:49  DigiCert_High_Assurance_EV_Root_CA.crt
-rw-r--r-- 2 root root 1988 Jan 13  2017  DigiCert_Trusted_Root_G4.crt
-rw-r--r-- 2 root root 1460 Jan 13  2017  DST_ACES_CA_X6.crt
-rw-r--r-- 2 root root 1200 Jan 13  2017  DST_Root_CA_X3.crt
-rw-r--r-- 1 root root 1468 Jan 13  2017  D-TRUST_Root_CA_3_2013.crt
-rw-r--r-- 2 root root 1517 Jan 13  2017  D-TRUST_Root_Class_3_CA_2_2009.crt
-rw-r--r-- 2 root root 1537 Jan 13  2017  D-TRUST_Root_Class_3_CA_2_EV_2009.crt
-rw-r--r-- 2 root root 1911 Jan 13  2017  EC-ACC.crt
-rw-r--r-- 2 root root 1452 Jan 13  2017  EE_Certification_Centre_Root_CA.crt
-rw-r--r-- 2 root root 1505 Jan 13  2017  Entrust.net_Premium_2048_Secure_Server_CA.crt
-rw-r--r-- 2 root root 1643 Jan 13  2017  Entrust_Root_Certification_Authority.crt
-rw-r--r-- 2 root root 1090 Jan 13  2017  Entrust_Root_Certification_Authority_-_EC1.crt
-rw-r--r-- 2 root root 1533 Jan 13  2017  Entrust_Root_Certification_Authority_-_G2.crt
-rw-r--r-- 2 root root 2033 Jan 13  2017  ePKI_Root_Certification_Authority.crt
-rw-r--r-- 2 root root 2244 Jan 13  2017  E-Tugra_Certification_Authority.crt
-rw-r--r-- 1 root root 1980 Jan 13  2017  GDCA_TrustAUTH_R5_ROOT.crt
-rw-r--r-- 2 root root 1216 Jan 13  2017  GeoTrust_Global_CA.crt
-rw-r--r-- 2 root root 1269 Jan 13  2017  GeoTrust_Primary_Certification_Authority.crt
-rw-r--r-- 2 root root  989 Jan 13  2017  GeoTrust_Primary_Certification_Authority_-_G2.crt
-rw-r--r-- 2 root root 1444 Jan 13  2017  GeoTrust_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1939 Jan 13  2017  GeoTrust_Universal_CA_2.crt
-rw-r--r-- 2 root root 1935 Jan 13  2017  GeoTrust_Universal_CA.crt
-rw-r--r-- 2 root root 2585 Jan 13  2017  Global_Chambersign_Root_-_2008.crt
-rw-r--r-- 2 root root  713 Jan 13  2017  GlobalSign_ECC_Root_CA_-_R4.crt
-rw-r--r-- 2 root root  794 Jan 13  2017  GlobalSign_ECC_Root_CA_-_R5.crt
-rw-r--r-- 2 root root 1261 Sep 14 19:49  GlobalSign_Root_CA.crt
-rw-r--r-- 2 root root 1354 Jan 13  2017  GlobalSign_Root_CA_-_R2.crt
-rw-r--r-- 2 root root 1229 Jan 13  2017  GlobalSign_Root_CA_-_R3.crt
-rw-r--r-- 2 root root 1448 Jan 13  2017  Go_Daddy_Class_2_CA.crt
-rw-r--r-- 2 root root 1367 Jan 13  2017  Go_Daddy_Root_Certificate_Authority_-_G2.crt
-rw-r--r-- 2 root root 1017 Jan 13  2017  Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
-rw-r--r-- 2 root root 1513 Jan 13  2017  Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
-rw-r--r-- 2 root root 2155 Jan 13  2017  Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
-rw-r--r-- 2 root root 1168 Jan 13  2017  Hongkong_Post_Root_CA_1.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  IdenTrust_Commercial_Root_CA_1.crt
-rw-r--r-- 2 root root 1931 Jan 13  2017  IdenTrust_Public_Sector_Root_CA_1.crt
-rw-r--r-- 2 root root 1939 Jan 13  2017  ISRG_Root_X1.crt
-rw-r--r-- 2 root root 2122 Jan 13  2017  Izenpe.com.crt
-rw-r--r-- 1 root root 2057 Jan 13  2017  LuxTrust_Global_Root_2.crt
-rw-r--r-- 2 root root 1460 Jan 13  2017  Microsec_e-Szigno_Root_CA_2009.crt
-rw-r--r-- 2 root root 1476 Jan 13  2017 'NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt'
-rw-r--r-- 2 root root 1411 Jan 13  2017  Network_Solutions_Certificate_Authority.crt
-rw-r--r-- 2 root root 1428 Jan 13  2017  OISTE_WISeKey_Global_Root_GA_CA.crt
-rw-r--r-- 2 root root 1346 Jan 13  2017  OISTE_WISeKey_Global_Root_GB_CA.crt
-rw-r--r-- 2 root root 1944 Jan 13  2017  OpenTrust_Root_CA_G1.crt
-rw-r--r-- 2 root root 1944 Jan 13  2017  OpenTrust_Root_CA_G2.crt
-rw-r--r-- 2 root root  798 Jan 13  2017  OpenTrust_Root_CA_G3.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  QuoVadis_Root_CA_1_G3.crt
-rw-r--r-- 2 root root 2041 Jan 13  2017  QuoVadis_Root_CA_2.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  QuoVadis_Root_CA_2_G3.crt
-rw-r--r-- 2 root root 2354 Jan 13  2017  QuoVadis_Root_CA_3.crt
-rw-r--r-- 2 root root 1923 Jan 13  2017  QuoVadis_Root_CA_3_G3.crt
-rw-r--r-- 2 root root 2078 Jan 13  2017  QuoVadis_Root_CA.crt
-rw-r--r-- 2 root root 1354 Jan 13  2017  Secure_Global_CA.crt
-rw-r--r-- 2 root root 1249 Jan 13  2017  SecureSign_RootCA11.crt
-rw-r--r-- 2 root root 1350 Jan 13  2017  SecureTrust_CA.crt
-rw-r--r-- 2 root root 1269 Jan 13  2017  Security_Communication_EV_RootCA1.crt
-rw-r--r-- 2 root root 1261 Jan 13  2017  Security_Communication_RootCA2.crt
-rw-r--r-- 2 root root 1224 Jan 13  2017  Security_Communication_Root_CA.crt
-rw-r--r-- 2 root root 1143 Jan 13  2017  Sonera_Class_2_Root_CA.crt
-rw-r--r-- 1 root root  956 Jan 13  2017  SSL.com_EV_Root_Certification_Authority_ECC.crt
-rw-r--r-- 1 root root 2114 Jan 13  2017  SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
-rw-r--r-- 1 root root  944 Jan 13  2017  SSL.com_Root_Certification_Authority_ECC.crt
-rw-r--r-- 1 root root 2094 Jan 13  2017  SSL.com_Root_Certification_Authority_RSA.crt
-rw-r--r-- 2 root root 1948 Jan 13  2017  Staat_der_Nederlanden_EV_Root_CA.crt
-rw-r--r-- 2 root root 2069 Jan 13  2017  Staat_der_Nederlanden_Root_CA_-_G2.crt
-rw-r--r-- 2 root root 1952 Jan 13  2017  Staat_der_Nederlanden_Root_CA_-_G3.crt
-rw-r--r-- 2 root root 1468 Jan 13  2017  Starfield_Class_2_CA.crt
-rw-r--r-- 2 root root 1399 Jan 13  2017  Starfield_Root_Certificate_Authority_-_G2.crt
-rw-r--r-- 2 root root 1424 Jan 13  2017  Starfield_Services_Root_Certificate_Authority_-_G2.crt
-rw-r--r-- 2 root root 1395 Jan 13  2017  S-TRUST_Universal_Root_CA.crt
-rw-r--r-- 2 root root 2090 Jan 13  2017  Swisscom_Root_CA_2.crt
-rw-r--r-- 2 root root 2045 Jan 13  2017  SwissSign_Gold_CA_-_G2.crt
-rw-r--r-- 2 root root 2057 Jan 13  2017  SwissSign_Platinum_CA_-_G2.crt
-rw-r--r-- 2 root root 2049 Jan 13  2017  SwissSign_Silver_CA_-_G2.crt
-rw-r--r-- 1 root root  981 Jan 13  2017  Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt
-rw-r--r-- 1 root root 1436 Jan 13  2017  Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt
-rw-r--r-- 1 root root  981 Jan 13  2017  Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt
-rw-r--r-- 1 root root 1436 Jan 13  2017  Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt
-rw-r--r-- 2 root root 1257 Jan 13  2017  SZAFIR_ROOT_CA2.crt
-rw-r--r-- 2 root root 1948 Jan 13  2017  Taiwan_GRCA.crt
-rw-r--r-- 2 root root 1679 Jan 13  2017  TC_TrustCenter_Class_3_CA_II.crt
-rw-r--r-- 2 root root 1870 Jan 13  2017  TeliaSonera_Root_CA_v1.crt
-rw-r--r-- 2 root root 1493 Jan 13  2017  thawte_Primary_Root_CA.crt
-rw-r--r-- 2 root root  940 Jan 13  2017  thawte_Primary_Root_CA_-_G2.crt
-rw-r--r-- 2 root root 1505 Jan 13  2017  thawte_Primary_Root_CA_-_G3.crt
-rw-r--r-- 1 root root 1493 Jan 13  2017  TrustCor_ECA-1.crt
-rw-r--r-- 1 root root 1513 Jan 13  2017  TrustCor_RootCert_CA-1.crt
-rw-r--r-- 1 root root 2204 Jan 13  2017  TrustCor_RootCert_CA-2.crt
-rw-r--r-- 2 root root 1241 Jan 13  2017  Trustis_FPS_Root_CA.crt
-rw-r--r-- 2 root root 1367 Jan 13  2017  T-TeleSec_GlobalRoot_Class_2.crt
-rw-r--r-- 2 root root 1367 Jan 13  2017  T-TeleSec_GlobalRoot_Class_3.crt
-rw-r--r-- 1 root root 1582 Jan 13  2017  TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
-rw-r--r-- 2 root root 1501 Jan 13  2017  TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
-rw-r--r-- 2 root root 1883 Jan 13  2017  TWCA_Global_Root_CA.crt
-rw-r--r-- 2 root root 1269 Jan 13  2017  TWCA_Root_Certification_Authority.crt
-rw-r--r-- 2 root root  948 Jan 13  2017  USERTrust_ECC_Certification_Authority.crt
-rw-r--r-- 2 root root 2094 Jan 13  2017  USERTrust_RSA_Certification_Authority.crt
-rw-r--r-- 2 root root 1667 Jan 13  2017  UTN_USERFirst_Email_Root_CA.crt
-rw-r--r-- 2 root root 1484 Jan 13  2017  Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1480 Jan 13  2017  Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1484 Jan 13  2017  Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
-rw-r--r-- 2 root root 1281 Jan 13  2017  VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
-rw-r--r-- 2 root root 1732 Jan 13  2017  VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
-rw-r--r-- 2 root root 1700 Jan 13  2017  VeriSign_Universal_Root_Certification_Authority.crt
-rw-r--r-- 2 root root 1322 Jan 13  2017  Visa_eCommerce_Root.crt
-rw-r--r-- 2 root root 1513 Jan 13  2017  XRamp_Global_CA_Root.crt
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone https://www.github.com
Cloning into 'www.github.com'...
fatal: unable to access 'https://www.github.com/': SSL certificate problem: unable to get local issuer certificate

Then I ran the command you gave:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo rm -rf /var/cache/ca-certs; sudo cp -r /usr/share/ca-certs/.prebuilt-store /var/cache/ca-certs

Now github works:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone https://www.github.com
Cloning into 'www.github.com'...
remote: Not Found
fatal: repository 'https://www.github.com/' not found

Thanks for the help

@nottux nottux closed this as completed Jan 3, 2018

nottux commented Jan 13, 2018

Issue still there after swupd update, certificates broken again:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo swupd update
swupd-client software update 3.14.3
   Copyright (C) 2012-2017 Intel Corporation

Update started.
Attempting to download version string to memory
Preparing to update from 20310 to 20320
Downloading packs...

Extracting os-core pack for version 20320
	...100%

Statistics for going from version 20310 to version 20320:

    changed bundles   : 1
    new bundles       : 0
    deleted bundles   : 0

    changed files     : 3
    new files         : 0
    deleted files     : 0

Starting download of remaining update content. This may take a while...
	...100%
Finishing download of update content...
Staging file content
Applying update
	...100%
Update was applied.
Calling post-update helper scripts.
Update took 14.8 seconds
Update successful. System updated from version 20310 to version 20320
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo flatpak update
Looking for updates...
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
Warning: Can't find dependencies: Unacceptable TLS certificate
Warning: Problem looking for related refs: Unacceptable TLS certificate
^C
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ git clone https://www.github.com
Cloning into 'www.github.com'...
fatal: unable to access 'https://www.github.com/': SSL certificate problem: unable to get local issuer certificate

I don't know if flatpak or swupd broke, but I didn't install anything or modify files under the root directory since 4-5 days before the issue started.

@nottux nottux reopened this Jan 13, 2018

nottux commented Jan 13, 2018

I am not applying the fix right now, for possible debugging.


nottux commented Jan 14, 2018

I have applied the fix again; now it works again.


busykai commented Jan 15, 2018

@tuxutku, the trust store (the location where the certificates are stored) will be re-generated each time you update. since you installed/removed software from /usr (we highly discourage this practice because of exactly this type of consequence), clrtrust fails to generate the store properly. hence you will lose TLS connectivity after each update, unless you use the workaround i suggested.

i'd be happy to debug and fix the root cause of the issue for you. let me know if you have some time to debug and run some commands which would help to understand what the problem is:

  1. which openssl is used:

command -v openssl

  2. if openssl returns expected exit code:

openssl x509 -in /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt -noout -fingerprint -sha1; echo $?

  3. finally, please run clrtrust in the following fashion:

sudo /usr/bin/bash -x /usr/bin/clrtrust generate >/tmp/clrtrust_out 2>&1

the output will be quite verbose, so please attach resulting file /tmp/clrtrust_out to the post (as opposed to pasting it in).


nottux commented Jan 16, 2018

After updates I could find an openssl copy in /usr/bin, so I have removed the /usr/local/bin copy and linked this one to it:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ command -v openssl
/usr/local/bin/openssl
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo mv /usr/local/bin/openssl /usr/local/bin/openssl.old
Password: 
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo ln -s /usr/bin/openssl /usr/local/bin/openssl

Then I ran the code:

utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ openssl x509 -in /usr/share/ca-certs/trusted/AffirmTrust_Networking.crt -noout -fingerprint -sha1; echo $?
SHA1 Fingerprint=29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F
0
utku@clr-449e9b2a44f8458bb4885604dc172a1c ~ $ sudo /usr/bin/bash -x /usr/bin/clrtrust generate >/tmp/clrtrust_out 2>&1

clrtrust_out.txt


nottux commented Jan 16, 2018

I have updated and rebooted, but flatpak still works; I am not having this issue anymore.


busykai commented Jan 16, 2018

Glad it worked. It does seem that your store is being generated properly now. The issue seems to be that under sudo, clrtrust could not find a functional version of openssl. I have filed a couple of issues (clearlinux/clrtrust#10 and clearlinux/clrtrust#11) against clrtrust to handle such situations better. Thank you! Please close the issue if you no longer have it.
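
The diagnostic steps requested earlier in the thread and the root cause named above (an openssl copy in /usr/local/bin found ahead of /usr/bin/openssl) can be combined into a post-update check. This is an added example, not part of the thread and not clrtrust code; the function names are hypothetical and all paths are passed in as arguments.

```shell
#!/bin/sh
# Added example, not clrtrust code; all function names are hypothetical.

# Print every executable NAME found on PATHSTRING, in lookup order.
list_candidates() {   # NAME PATHSTRING
    name=$1; old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -x "${dir:-.}/$name" ] && [ ! -d "${dir:-.}/$name" ]; then
            printf '%s\n' "${dir:-.}/$name"
        fi
    done
    IFS=$old_ifs
}

# Succeed and print the winner when the first NAME on PATHSTRING is not
# EXPECTED (another copy shadows the distribution binary).
shadowed_by() {   # NAME EXPECTED PATHSTRING
    first=$(list_candidates "$1" "$3" | head -n 1)
    [ -n "$first" ] && [ "$first" != "$2" ] && printf '%s\n' "$first"
}

# Count entries in the generated store; 0 is the "total 0" state from the report.
count_store_entries() {   # STORE_DIR
    n=0
    for f in "$1"/*; do
        if [ -e "$f" ] || [ -L "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Run all three checks; returns non-zero if any of them fails.
check_trust_store() {   # PATHSTRING EXPECTED_OPENSSL STORE_DIR PROBE_CERT
    rc=0
    if winner=$(shadowed_by openssl "$2" "$1"); then
        echo "WARN: $winner is found before $2 on this PATH"; rc=1
    fi
    # Same probe as in the thread: parse one shipped certificate, check exit code.
    if ! "$2" x509 -in "$4" -noout -fingerprint -sha1 >/dev/null 2>&1; then
        echo "FAIL: $2 could not parse $4"; rc=1
    fi
    if [ "$(count_store_entries "$3")" -eq 0 ]; then
        echo "FAIL: trust store $3 is empty"; rc=1
    fi
    return "$rc"
}

# Run against a real system only when all four arguments are supplied.
if [ "$#" -eq 4 ]; then check_trust_store "$@"; fi
```

Pass the PATH that the generating process actually runs with (for example root's), since it can differ from the interactive user's PATH.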
