• Invalid Certificates even after manual ca-certificates-utils upgrade


    I’m aware of the recent manual intervention needed to upgrade ca-certificates-utils.
    https://forum.antergos.com/topic/6337/ca-certificates-utils-20170307-1-upgrade-requires-manual-intervention

    $ pacman -Q ca-certificates-utils
    ca-certificates-utils 20170307-1
    

    I did the manual work around at the time, and all of my normal HTTPS sites are working fine (google, banking, persona sites, etc.). However this morning, I was reading some reviews on VPN providers and I noticed when I try to go to their web sites, all of them are reporting invalid certificate authority. This happens in Chrome and Firefox.

    I reinstalled the package, it seems to go fine, but I still have the same problem with bad certificate authorities.

    $ sudo pacman -S ca-certificates-utils
    warning: ca-certificates-utils-20170307-1 is up to date -- reinstalling
    resolving dependencies...
    looking for conflicting packages...
    
    Packages (1) ca-certificates-utils-20170307-1
    
    Total Installed Size:  0.01 MiB
    Net Upgrade Size:      0.00 MiB
    
    :: Proceed with installation? [Y/n] 
    (1/1) checking keys in keyring                                                  [#############################################] 100%
    (1/1) checking package integrity                                                [#############################################] 100%
    (1/1) loading package files                                                     [#############################################] 100%
    (1/1) checking for file conflicts                                               [#############################################] 100%
    (1/1) checking available disk space                                             [#############################################] 100%
    :: Processing package changes...
    (1/1) reinstalling ca-certificates-utils                                        [#############################################] 100%
    :: Running post-transaction hooks...
    (1/2) Arming ConditionNeedsUpdate...
    (2/2) Rebuilding certificate stores...
    

    Here are some examples of what I’m getting:
    0_1491755275142_vpn01.png

    0_1491755290582_vpn02.png

    Any suggestions?

  • $ sudo pacman -Syyu --force
    

    My respects.-

  • @judd - why force something that installed and reinstalled cleanly?

  • @reefland said in Invalid Certificates even after manual ca-certificates-utils upgrade:

    @judd - why force something that installed and reinstalled cleanly?

    https://forum.antergos.com/topic/6337/ca-certificates-utils-20170307-1-upgrade-requires-manual-intervention/3

    Source: @just
    "The command will simply overwrite existing /etc/ssl/certs/ca-certificates.crt with the new one during upgrade"

    My respects.-

  • @judd - What you provided doesn’t do anything for a package that is already installed. I agree that would help with a package that is not installing, but as I showed above the package installed fine.

    $  sudo pacman -Syyu --force
    :: Synchronizing package databases...
     antergos                                              144.5 KiB  47.0M/s 00:00 [#############################################] 100%
     core                                                  124.3 KiB   702K/s 00:00 [#############################################] 100%
     extra                                                1680.3 KiB   715K/s 00:02 [#############################################] 100%
     community                                               3.8 MiB   632K/s 00:06 [#############################################] 100%
     multilib                                              176.2 KiB   827K/s 00:00 [#############################################] 100%
    :: Starting full system upgrade...
     there is nothing to do
    
  • BTW - for kicks I even tried:

    $  sudo pacman -S ca-certificates --force
    warning: ca-certificates-20170307-1 is up to date -- reinstalling
    resolving dependencies...
    looking for conflicting packages...
    
    Packages (1) ca-certificates-20170307-1
    
    Total Installed Size:  0.00 MiB
    Net Upgrade Size:      0.00 MiB
    
    :: Proceed with installation? [Y/n] 
    (1/1) checking keys in keyring                                                  [#############################################] 100%
    (1/1) checking package integrity                                                [#############################################] 100%
    (1/1) loading package files                                                     [#############################################] 100%
    (1/1) checking for file conflicts                                               [#############################################] 100%
    (1/1) checking available disk space                                             [#############################################] 100%
    :: Processing package changes...
    (1/1) reinstalling ca-certificates                                              [#############################################] 100%
    

    Same message when visiting the sites. Here are the PEM files.

    $ ls -l /etc/ssl/certs/ca-certificates.crt 
    lrwxrwxrwx 1 root root 49 Mar  7 16:05 /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
    $ ls -l /etc/ca-certificates/extracted/tls-ca-bundle.pem 
    -r--r--r-- 1 root root 262609 Apr  9 12:06 /etc/ca-certificates/extracted/tls-ca-bundle.pem
    
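    As an added example (not code from this thread), a small Python check of the extracted bundle shown above: it follows the symlink chain that `ls -l` displayed, counts the certificates in the PEM bundle, and flags any certificate that appears twice by its SHA-256 fingerprint. The bundle path is the one from the thread; everything else is assumed.

```python
import base64
import hashlib
import os
import re
from typing import Dict, List

# Path from the thread: a symlink that ends at tls-ca-bundle.pem
BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_from_der(der: bytes) -> str:
    """Wrap raw DER bytes in a PEM CERTIFICATE block (used to build test input)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprints(pem_text: str) -> List[str]:
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line breaks, decode
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def audit_bundle(pem_text: str) -> Dict[str, object]:
    """Summarise a bundle: how many certs it holds and which fingerprints repeat."""
    fps = fingerprints(pem_text)
    seen: Dict[str, int] = {}
    for fp in fps:
        seen[fp] = seen.get(fp, 0) + 1
    dupes = sorted(fp for fp, n in seen.items() if n > 1)
    return {"total": len(fps), "unique": len(seen), "duplicates": dupes}


def resolve_symlink(path: str) -> List[str]:
    """Follow a symlink chain (as ls -l showed for ca-certificates.crt), listing each hop."""
    hops = [path]
    while os.path.islink(hops[-1]):
        target = os.readlink(hops[-1])
        if not os.path.isabs(target):  # relative link like ../../ca-certificates/...
            target = os.path.normpath(os.path.join(os.path.dirname(hops[-1]), target))
        hops.append(target)
    return hops


if __name__ == "__main__":
    hops = resolve_symlink(BUNDLE)
    print(" -> ".join(hops))
    with open(hops[-1]) as f:
        print(audit_bundle(f.read()))
```

    A healthy bundle reports no duplicates; a non-empty duplicates list is the symptom the earlier manual intervention dealt with, and an empty total means the symlink points at a missing or empty file.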
  • Ehm… @reefland’s problem is of another type, it’s different from the old issue with duplicated certificates. @reefland already has the most recent certificates installed, there’s no need to --force anything, and doing it, as expected, changes nothing.

    The sudo pacman -Syyu --force is useless in this case.

  • @just what about pacman -Syyuu --force? Doesn’t it force the package to be upgraded? (newbie here)

    mine
    ls -l /etc/ca-certificates/extracted/tls-ca-bundle.pem is
    -r--r--r-- 1 root root 262609 mar 19 16:42 /etc/ca-certificates/extracted/tls-ca-bundle.pem
    Note: I’m updating once a week.

    Antergos (default OS) - WIN10 (abandoned)
    I3wm - Mate desktop
    AMD - A4 7300 Radeon graphics
    16 GB ram
    HD 1 TB
    Linux newbie since 06/2016

  • @fernandomaroto said in Invalid Certificates even after manual ca-certificates-utils upgrade:

    @just what about pacman -Syyuu --force? Doesn’t it force the package to be upgraded? (newbie here)

    No, it doesn’t. @reefland already has the recent certificates package installed, so pacman won’t upgrade it. Here is what the command you propose does:

    • -Syy unconditionally updates (forces) local databases with remote repos content. It never hurts, generally useful, but may be time or bandwidth consuming

    • -Suu upgrades local pkgs, if there’s anything to upgrade, and downgrades local pkgs, if there’s anything to downgrade; downgrade may be a risky operation, generally not needed, it’s better to avoid it

    • --force when pacman wants to install a file which already exists in file system - which is an error, it should never happen under normal circumstances - the --force switch allows pacman to overwrite existing file with the new one and proceed without returning the error message

    None of these has any relation to @reefland’s problem. We’re getting off topic.

    mine
    ls -l /etc/ca-certificates/extracted/tls-ca-bundle.pem is
    -r--r--r-- 1 root root 262609 mar 19 16:42 /etc/ca-certificates/extracted/tls-ca-bundle.pem
    Note: I’m updating once a week.

    Back on topic. I have exactly the same certs pkg as @reefland installed:

    ┌──[just]@[alexatm]:~$
    └─> pacman -Qii ca-certificates
    Name            : ca-certificates
    Version         : 20170307-1
    Description     : Common CA certificates (default providers)
    Architecture    : any
    URL             : http://pkgs.fedoraproject.org/cgit/rpms/ca-certificates.git
    Licenses        : GPL2
    Groups          : None
    Provides        : None
    Depends On      : ca-certificates-mozilla  ca-certificates-cacert
    Optional Deps   : None
    Required By     : curl  glib-networking  neon
    Optional For    : lib32-openssl  libpurple  openssl  wget
    Conflicts With  : None
    Replaces        : None
    Installed Size  : 1024.00 B
    Packager        : Jan Alexander Steffens (heftig) <[email protected]>
    Build Date      : Wed 08 Mar 2017 00:05:55 MSK
    Install Date    : Fri 17 Mar 2017 22:20:57 MSK
    Install Reason  : Installed as a dependency for another package
    Install Script  : No
    Validated By    : SHA-256 Sum
    Backup Files    :
    (none)
    
    ┌──[just]@[alexatm]:~$
    └─>
    

    And I can access both sites from @reefland screenshots without a problem, from both Chromium and Firefox:

    The problem lies somewhere else. I don’t know where.

  • @just – I dug a little deeper and learned something new… but it confuses me even more. I use OpenDNS. If I switch back to Google DNS (8.8.8.8) this issue goes away and all the certificates work fine. As soon as I enable OpenDNS again, all these issues come back.

    If OpenDNS was blocking a domain, I would expect the standard OpenDNS page redirection of a site being blocked by policy xxxxx. I would not expect to see an invalid certificate authority message by the browser.

    I’m puzzled what to do next, usually OpenDNS and VPNs are a good combination.

  • I found this OpenDNS article…
    https://support.opendns.com/hc/en-us/articles/227987007

    Imported the Cisco Root CA certificate as documented for Chrome on Linux, and now I get the OpenDNS page blocked screen instead of invalid certificate authority. I think this is just an OpenDNS policy issue. I just have to open something up for that.

  • @reefland said in Invalid Certificates even after manual ca-certificates-utils upgrade:

    …I use OpenDNS. If I switch back to Google DNS (8.8.8.8) this issue goes away all the certificates work fine. As soon as I enable OpenDNS again, all these issues come back…

    Aha! It might explain something.

    I use Google DNS 8.8.8.8 too, though for another reason - one of the web-based email clients is not reachable without it.

    Without changing absolutely anything in the default Antergos DNS config, I simply add 8.8.8.8 as an Additional DNS server to IPv4 Settings in Connection properties:

    0_1491834365580_google-dns-additional-server.png

    Try doing the same thing. It solves the problem here.

  • I didn’t want to override the OpenDNS and use Google DNS. Secondly, I think if the primary DNS was responding, it would not use the secondary DNS. So as long as OpenDNS is answering and blocking, the additional DNS would never be used.

    I used the OpenDNS dashboard to allow an exception for the VPN providers I’m interested in. They now can be viewed as expected without needing to use Google DNS.

    Thanks everyone, I’ll mark this thread as resolved.
