update failed more than 50 times: SSL Certificate is invalid

[cbrace]

Hello,
A number of the feeds I have subscribed to are now banded in orange and the mouseover displays the error message above. As a result, they are no longer updated. Among the feeds affected are various hosted by Google and owncloud.org itself (see attached screencap). Please let me know what additional information I can supply to help solve this issue.

System Information

• News app version: 8.2.0
• ownCloud version: 9.0.1
• PHP version: 5.6.20
• Database and version: mysql 14.14

[BernhardPosselt]

Well, it's like you said, the ssl cert is invalid which could also mean that your certs are out of date. Nothing I can do here

[BernhardPosselt]

Could also be some sort of MITM.

[BernhardPosselt]

Your distro?

[BernhardPosselt]

Btw, here's the cases when this can happen:

• https://github.com/fguillot/picoFeed/blob/master/lib/PicoFeed/Client/Curl.php#L375
• Curl error 35: CURLE_SSL_CONNECT_ERROR
• Curl error 51: CURLE_PEER_FAILED_VERIFICATION
• Curl error 58: CURLE_SSL_CERTPROBLEM
• Curl error 60: CURLE_SSL_CACERT
• Curl error 59: CURLE_SSL_CIPHER
• Curl error 64: CURLE_USE_SSL_FAILED
• Curl error 66: CURLE_SSL_ENGINE_INITFAILED
• Curl error 77: CURLE_SSL_CACERT_BADFILE
• Curl error 83: CURLE_SSL_ISSUER_ERROR

[cbrace]

My site is hosted on FreeBSD 10.3. No issue with my certs, as far as I know. Check yourself: https://cbrace.nl

[BernhardPosselt]

Here's the explanations: https://curl.haxx.se/libcurl/c/libcurl-errors.html

[BernhardPosselt]

Ok, created a PR to get the curl error code: https://github.com/fguillot/picoFeed/pull/263/files which will let us debug this issue in a better fashion.

[BernhardPosselt]

BTW, my first guess would be that your FreeBSD PHP/openssl package does not support the required SSL ciphers.

[cbrace]

I'm now seeing this:
I add this feed: https://gianalytics.org/xfeed
Immediate error msg:

Just as a test:
$ curl https://gianalytics.org/xfeed/ curl: (77) error setting certificate verify locations: CAfile: /usr/local/share/certs/ca-root-nss.crt CApath: none
$ pkg info ca_root_nss ca_root_nss-3.22.2 Name : ca_root_nss Version : 3.22.2 Installed on : Fri Mar 4 18:32:19 2016 CET ...
Does this tell you anything?

[cbrace]

It doesn't seem to a permissions thing:

drwxr-xr-x 2 root wheel 512 Mar 4 18:32 certs

[BernhardPosselt]

Quick google gives me this: http://stackoverflow.com/questions/3160909/how-do-i-deal-with-certificates-using-curl-while-trying-to-access-an-https-url

[BernhardPosselt]

No idea how to solve this on freebsd

[cbrace]

Hold on, I think this IS a permissions thing.

`colin@galatea ~ $ ls -l /usr/local/share/certs/ca-root-nss.crt
-rw------- 1 root wheel 900648 Mar 4 18:32 /usr/local/share/certs/ca-root-nss.crt

colin@galatea ~ $ sudo chmod 644 /usr/local/share/certs/ca-root-nss.crt

colin@galatea ~ $ ls -l /usr/local/share/certs/ca-root-nss.crt

-rw-r--r-- 1 root wheel 900648 Mar 4 18:32 /usr/local/share/certs/ca-root-nss.crt`
And now curl:

`$ curl -l https://gianalytics.org/xfeed/

...
...`

OK, now I can add that feed in News.

Refreshed News. Good, now all the orange bands are gone.

I think this is a packaging error recently introduced in** ports/ca_root_nss** and I will take it up with the FreeBSD ports packager.

Many thanks for your help.

[BernhardPosselt]

Ok, great that this could be fixed :)

[cbrace]

I'm asking about this here: https://forums.freebsd.org/threads/55804/

[cbrace]

Will post a follow up, if possible.