i have a Linux system where dnf packet manager is installed but no package sources are enabled.
So i created a directory "/etc/yum.repos.d" in this directory i have the files fedora.repo, fedora-updates.repo and fedora-updates-testing.repo.
However whenever i try to do dnf -update -v i get the following error message:
DNF version: 1.1.9 Cannot download 'https://packages.grafana.com/oss/rpm': Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://packages.grafana.com/oss/rpm/repodata/repomd.xml [error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none]. Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=i386': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=i386 [SSL certificate problem: unable to get local issuer certificate]. Fehler: Failed to synchronize cache for repo 'updates'
I think the error is due to the non existant gpgkey-files. In the .repo file there is the following line: gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-releasever-$basearch
But this directory doesn't exist in my system.
So my question is, where or how do I get those gpgkey-files?
Related
For reference, my MacBook Air is running version 10.14.1.
I've tried to download ghcup by running this command in the terminal:
curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | sh
However, when I run this command, I recveieve the following error:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Could this error be caused by my MacBook running an old version?
I'm new to Linux, just installed Lubuntu and faced the problem -
when i'm trying to clone my remote work repo from my company's git:
$ sudo git clone https://path/to/repo.git
I keep on receiving error:
Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none
I know it's mentioning certificates, but i do not have any. And before, i worked on windows and was able to simply git clone this repo without any certs.
This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then added to the client system.
Update list of public CA
The first thing I would recommend is to simply update the list of root CA known to the system as show below.
# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates
This may help if you are dealing with a system that has not been updated for a long time, but of course won’t resolve an issue with private certs.
Fetch certificates, direct connection
The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:
openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.
Fetch certificates, web proxy
If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using a version of OpenSSL 1.1.0 and higher. But if you are using an older version of OpenSSL, then you will need to workaround this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid and to the final destination.
# install socat
sudo apt-get install socat -y
# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128
Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.
openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
Add certificate to local certificate list
Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate.
The next step is to have this considered by the git client when connecting to the git server. This can be done by either adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users OR it can be added to this single users’ git configuration.
** Adding globally **
cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
** Adding for single user **
git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem
Which silently adds the following lines to ~/.gitconfig
[http "https://git.mycompany.com/"]
sslCAInfo = /home/user/git-mycompany-com.pem
Avoid workarounds
Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.
git config --global http.sslverify false
export GIT_SSL_NO_VERIFY=true
I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your rootcert needs to be updated. Here a solution on how this update can be achieve if using WSL on a Windows machine:
#!/usr/bin/bash
# I exported the Zscaler certifcate out of Microsoft Cert Manager. It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.
# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt
# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates
# Inform Ubuntu of new cert.
sudo update-ca-certificates
Given a simple Dockerfile that installs from something from the net, I'm trying to work out an elegant way to allow the build process to trust HTTPS endpoints when the build is both behind a corporate proxy and when it is not. Ideally without making changes to the Dockerfile.
Dockerfile:
FROM alpine
RUN apk update -v; apk add -v curl
Error:
$ docker build .
Sending build context to Docker daemon 83.97kB
Step 1/2 : FROM alpine
---> e50c909a8df2
Step 2/2 : RUN apk update -v; apk add -v curl
---> Running in 983ed3885376
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: 2 errors; 14 distinct packages available
https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
curl (no such package):
required by: world[curl]
The command '/bin/sh -c apk update -v; apk add -v curl' returned a non-zero code: 1
The issue here is that my developer machine is on the corporate network behind a traffic-intercepting proxy that man-in-the-middles the connection meaning from apk's point of view inside the Docker build, it is seeing a cert which has been signed by our proxy that it doesn't trust.
Trust from the host machine is not an issue - when I wget the file requested in the build it works:
$ wget https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
--2021-02-15 12:41:59-- https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
Connecting to 10.0.2.2:9000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 631235 (616K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’
When I run it on the build server it passes fine cause no forward proxy.
Is there a way to pass in the Ubuntu trust bundle which has the proxy CA's (e.g. /etc/ssl/certs/ca-certificates) to the build process without modifying the Dockerfile?
Thanks!
Create a file named repositories in your local docker build context directory with the following content:
http://dl-cdn.alpinelinux.org/alpine/v3.13/main
http://dl-cdn.alpinelinux.org/alpine/v3.13/community
In your docker build file, before RUN apk update, add the following line:
COPY repositories /etc/apk/repositories
FROM abdennour/alpine:3.14-ssl
RUN openssl x509 -inform der -in COMPANY.der -out /usr/local/share/ca-certificates/company-cert.crt && \
cat /usr/local/share/ca-certificates/company-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
update-ca-certificates
EXPLAINED!
Request the CA certificate from the team who purchased the SSL Certificates.
Tell them provide me the certificate file "*.der"
Got it ? convert it to .cert file
RUN openssl x509 -inform der -in COMPANY.der -out /usr/local/share/ca-certificates/company-cert.crt && \
cat /usr/local/share/ca-certificates/company-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
update-ca-certificates
But this requires to have openssl ca-certificates packages in the image.
And because you can't install anything, then you can rely on alpine image which includes at least these two packages, like my base image:
FROM abdennour/alpine:3.14-ssl
I get this error on a fresh install of gitlab. The message looks like:
fatal: unable to access 'https://gitlab-ci-
token:xxxxxxxxxxxxxxxxxxxx#gitlab.example.com/something.git/': Peer's
Certificate issuer is not recognized.ERROR: Job
failed: exit status 1
Any suggestions on how to fix it?
Had faced the same problem after enabling verbose mode by following command
export GIT_CURL_VERBOSE=1 and found the following issue:
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
Found this following site helpful,But its good when you have entire control for
the proxy server as well to enter the certificates.
http://dropbit.com/?p=168
I instead ran following command to bypass ssl verification by porxy server and it worked
git config --global http.sslVerify "false"
You need to configure /etc/gitlab/gitlab.rb.
Change this line
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/cert.pem"
to
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/fullchain.pem"
(Assuming, you already have nginx enabled and you have correctly issued certificates, e.g. from LetsEncrypt.)
then restart gitlab and you're done:
$ gitlab-ctl reconfigure
Why - cert.pem does not contain full certificate chain, thus ca chain cannot be verified. Replacing with fullchain.pem solves it.
I am trying to find out why my HTTPS link is not working for my website:
So I ran this command to try:
curl https://localhost/
I am using a valid signed SSL certificate and my HTTP link is working fine. I am using a Multi Domain certificate that was exported from an IIS 6 server. My instance on AWS has the 443 port enabled.
Here is a picture of my CA certificates:
I have tried to change the http.conf file's Virtual Host following the instructions in here: http://ananthakrishnanravi.wordpress.com/2012/04/15/configuring-ssl-and-https-for-your-website-amazon-ec2/
Is there any suggestions on how to get my website properly working on a HTTPS protocol?
Let me know if you need anymore information.
Thanks,
If you're not sure of the certificate that your web server is serving, you can use this command to view the certificate:
openssl s_client -showcerts -connect hostname.domain.tld:443
Also, the hostname in the certificate must match the site that you are requesting. For example, if you request a page from localhost, but your certificate is for www.yourdomain.com, the certificate check will fail.
This means that you are using a self-signed certificate.
In order for this warning not to appear, you need to purchase a certificate from a Certificate Authority.
If you are using Self Signed SSL certificate then you faced this issue.
For this you can use curl command with -k option.
curl -k https://yourdomain.com/
And if you are trying with Postman that time disable the SSL Certificate option in setting.
I got a same error but not similar to your, but summary here hope useful for others:
OS: CentOS 7
Run Python's pyspider error:
File "/usr/local/lib64/python3.6/site-packages/tornado/concurrent.py", line 238, in result
raise_exc_info(self._exc_info)
File "", line 4, in raise_exc_info
Exception: HTTP 599: Peer's certificate issuer has been marked as not trusted by the user.
root cause and steps to fix:
previously existed a soft link:
/usr/lib64/libcurl.so.4 -> /usr/lib64/libcurl.so.4.3.0_openssl
which is invalid one, so changed to valid:
/usr/lib64/libcurl.so.4 -> /usr/lib64/libcurl.so.4.3.0
while two file is:
-rwxr-xr-x 1 root root 435192 Nov 5 2018 /usr/lib64/libcurl.so.4.3.0
-rwxr-xr-x 1 root root 399304 May 10 09:20 /usr/lib64/libcurl.so.4.3.0_openssl
then for pyspider reinstall pycurl:
pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib;export CPPFLAGS=-I/usr/local/opt/openssl/include;pip install pycurl --compile --no-cache-dir
in which PYCURL_SSL_LIBRARY is nss, due to current curl backend is nss according to
# curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
...
can fix my problem.