Unable to fetch areas due to SSL problem #19
This has sadly nothing to do with OpenSSL, this part uses libsoup, which uses the system crypto libraries. However, it works for me, which could be that I manually installed the proper certificate in the correct system location.
Thanks for responding. I did a quick test with the system crypto (cmcli), and (surprised!), it verified the certs correctly:
However, running
I am not sure what other debug/troubleshooting steps I could do. If you can suggest something, I am willing to test.
Ah, sorry. So you can do the area selection correctly, but not the actual data download. The former is indeed using the system crypto, the latter is curl/OpenSSL. I think that is what is missing:
Nokia-N900:/home/user# ls -l /etc/ssl/certs/
lrwxrwxrwx 1 root root 7 May 17 2017 2e5ac55d.0 -> dst.pem
-rw-r--r-- 1 root root 1200 May 17 2017 dst.pem
This is the Let's Encrypt X3 certificate.
Thanks! Steps (for those of us with the problem):
Now However, osm2go still shows the same error
Tested with curl, and got the same SSL problem:
So probably curl/libcurl needs to be recompiled against the newer openssl? Which version do you have @DerDakon?
Tried to specify
So it seems recompiling isn't really necessary, but I cannot understand why More importantly, what is a way to fix this?
The curl on N900 is still the old version. OSM2go is linked statically against a version of curl that uses OpenSSL 1.*. I'll look into this later.
Ok, it looks like /etc/ssl is a dead end, sorry for that. I just downloaded an area on my N900 and that is what it looks at:
6085 open("/etc/certs/common-ca/2e5ac55d.0", O_RDONLY|O_LARGEFILE) = 16
Just a bit of background: the new OpenSSL library has a different soversion than the system one, so it can be installed in parallel. The current curl still has the same soversion as the system one, so I can upgrade it, but only use the system OpenSSL. If the curl library would suddenly use a different OpenSSL then it could break other binaries that link to curl and openssl, as they would suddenly get duplicate symbols. That's why I have a static curl for OSM2go, which then uses the additional (new) OpenSSL.
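The strace line quoted in the comment above is what revealed the CA directory the statically linked curl really consults. As an added example (not from this thread or the osm2go project), the following Python script pulls OpenSSL-style hashed certificate lookups out of a strace log and reports, per directory, which ones succeeded; the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# OpenSSL CA-directory lookups open files named <8 hex digits>.<n>,
# e.g. 2e5ac55d.0 as seen in the thread.
HASHED = re.compile(r"^[0-9a-f]{8}\.\d+$")

# One strace line: optional pid prefix, open()/openat(), quoted path, result.
CALL = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:open|openat)\((?:AT_FDCWD,\s*)?'
    r'"(?P<path>[^"]+)"[^)]*\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

def ca_lookups(strace_text):
    """Return {directory: [(filename, opened_ok, errno_or_None), ...]}."""
    found = defaultdict(list)
    for line in strace_text.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        directory, _, name = m.group("path").rpartition("/")
        if not HASHED.match(name):
            continue  # not a hashed CA lookup, ignore
        ok = int(m.group("ret")) >= 0
        found[directory].append((name, ok, m.group("errno")))
    return dict(found)

def summarize(lookups):
    """One human-readable line per lookup, sorted by directory."""
    out = []
    for directory, entries in sorted(lookups.items()):
        for name, ok, err in entries:
            status = "found" if ok else f"missing ({err})"
            out.append(f"{directory}/{name}: {status}")
    return out

# Sample log: the first line is the one quoted in the thread; the other
# three (paths, hash 0a1b2c3d, pid 6090) are constructed for illustration.
SAMPLE = '''\
6085 open("/etc/certs/common-ca/2e5ac55d.0", O_RDONLY|O_LARGEFILE) = 16
6085 open("/etc/certs/common-ca/2e5ac55d.1", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
6085 open("/home/user/example.cfg", O_RDONLY) = 5
6090 open("/etc/ssl/certs/0a1b2c3d.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
'''

if __name__ == "__main__":
    print("\n".join(summarize(ca_lookups(SAMPLE))))
```

A directory that only ever shows `missing (ENOENT)` entries is the one the TLS library searches but where the issuer certificate, or its hash symlink, has not been installed.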
And the secret is: curl. My curl is built with:
LDFLAGS=-L/opt/openssl-1.0.2k/lib ./configure --disable-shared --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-sspi --with-ssl=/opt/openssl-1.0.2k/ --without-libssh2 --prefix=/opt/curl-7.54.1 --with-ca-path=/etc/certs/ca-common/ && make -j 10
So, it uses the system default certificate location. The one of OpenSSL itself is different, that is why OpenSSL alone does not work, but OSM2go should.
I moved the certificate created in the earlier post to On a side note, I wonder if osm2go shouldn't either:
I suggest this since it would help other new osm2go users.
I think I had this somewhere built as deb, I just have to find it again. Or do it again.
Thanks.
I'm having the same issue, on a fresh install, and what I miss is instructions. Can they be distilled from this conversation, and put in the front page?
Try to get the certificates in the extra-ca-certificates package from here: https://github.com/osm2go/openssl/releases/tag/OpenSSL-1.0.2u-1%2Bmaemo1%2B0osm2go0
Hi,
I am unable to fetch maps/areas using osm2go. The program fails with "Download failed with message 'SSL certificate problem: unable to get local issuer certificate'".
However, I have the latest openssl/libssl as published at https://github.com/osm2go/openssl/releases