ca bundle not installed?

Posted: Fri Apr 10, 2015 10:28 am
by ersiko
Hi

I see no app can use the ca bundle, and that's a problem... For instance, wget and curl:

root@lacie:/root # wget https://bootstrap.pypa.io/get-pip.py
--2015-04-10 11:56:40-- https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io... 185.31.17.175
Connecting to bootstrap.pypa.io|185.31.17.175|:443... connected.
ERROR: cannot verify bootstrap.pypa.io's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA’:
Unable to locally verify the issuer's authority.
To connect to bootstrap.pypa.io insecurely, use `--no-check-certificate'.

root@lacie:/root # curl https://bootstrap.pypa.io/get-pip.py -v
* About to connect() to bootstrap.pypa.io port 443 (#0)
* Trying 185.31.17.175...
* Connected to bootstrap.pypa.io (185.31.17.175) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.


I know I could try to skip the certificate validation, but I shouldn't. The point of the certs is to give security. Plus, there are other programs relying on libcurl that I can't use if there's that limitation:

root@lacie:/opt/SickRage # git pull
fatal: unable to access 'https://github.com/SiCKRAGETV/SickRage.git/': error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
root@lacie:/root # python2.7 get-pip.py
/tmp/tmp1pjOXO/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/late ... ormwarning.
Collecting pip
/tmp/tmp1pjOXO/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/late ... ormwarning.
/tmp/tmp1pjOXO/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/late ... ormwarning.
Could not find a version that satisfies the requirement pip (from versions: )
No matching distribution found for pip


The package "libcurl" comes with a ca bundle:
root@lacie:/opt/SickRage # ipkg search *bundle*
git - 1.8.4.2-1 - /opt/libexec/git-core/git-bundle
libcurl - 7.24.0-1 - /opt/share/curl/curl-ca-bundle.crt
Successfully terminated.


And when I use it with curl or wget, it works properly:

root@lacie:/etc/ssl # wget --ca-certificate /opt/share/curl/curl-ca-bundle.crt https://bootstrap.pypa.io/get-pip.py
--2015-04-10 12:26:38-- https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io... 23.235.43.175
Connecting to bootstrap.pypa.io|23.235.43.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1420671 (1.4M) [text/x-python]
Saving to: ‘get-pip.py’

100%[==============================================================================================================================================>] 1,420,671 230KB/s in 4.9s

2015-04-10 12:26:43 (285 KB/s) - ‘get-pip.py’ saved [1420671/1420671]

root@lacie:/root/ # curl --cacert /opt/share/curl/curl-ca-bundle.crt https://bootstrap.pypa.io/get-pip.py -o get-pyp.py -v
* About to connect() to bootstrap.pypa.io port 443 (#0)
* Trying 185.31.17.175...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to bootstrap.pypa.io (185.31.17.175) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/share/curl/curl-ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=*.c.ssl.fastly.net
* start date: 2015-03-03 00:00:00 GMT
* expire date: 2016-04-06 12:00:00 GMT
* subjectAltName: bootstrap.pypa.io matched
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
> GET /get-pip.py HTTP/1.1
> User-Agent: curl/7.29.0
> Host: bootstrap.pypa.io
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 10 Apr 2015 10:02:34 GMT
< Server: nginx
< Content-Type: text/x-python
< Last-Modified: Tue, 07 Apr 2015 11:15:42 GMT
< ETag: "5523bc5e-15ad7f"
< X-Clacks-Overhead: GNU Terry Pratchett
< Strict-Transport-Security: max-age=315360000; includeSubDomains; preload
< Public-Key-Pins: max-age=2592000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="; pin-sha256="TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI="; pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=";
< Via: 1.1 varnish
< Content-Length: 1420671
< Accept-Ranges: bytes
< Via: 1.1 varnish
< Age: 5835
< X-Served-By: cache-iad2132-IAD, cache-fra1237-FRA
< X-Cache: HIT, HIT
< X-Cache-Hits: 1, 1
<
{ [data not shown]
100 1387k 100 1387k 0 0 112k 0 0:00:12 0:00:12 --:--:-- 138k
* Connection #0 to host bootstrap.pypa.io left intact


The package "libcurl" also comes with the utility "curl-config" to get some info about libcurl at compile time:
root@lacie:/root/ # ipkg search *curl-config*
libcurl - 7.24.0-1 - /opt/bin/curl-config
libcurl - 7.24.0-1 - /opt/share/man/man1/curl-config.1
Successfully terminated.
root@lacie:/root # curl-config --cc
gcc
root@lacie:/root # curl-config --ca

root@lacie:/root # curl-config --help
Usage: curl-config [OPTION]

Available values for OPTION include:

--built-shared says 'yes' if libcurl was built shared
--ca ca bundle install path
--cc compiler
--cflags pre-processor and compiler flags
--checkfor [version] check for (lib)curl of the specified version
--configure the arguments given to configure when building curl
--features newline separated list of enabled features
--help display this help and exit
--libs library linking information
--prefix curl install prefix
--protocols newline separated list of enabled protocols
--static-libs static libcurl library linking information
--version output version information
--vernum output the version information as a number (hexadecimal)


It shows no ca-bundle path, while it does on my computer:

ersiko@computer:~/$ curl-config --ca
/etc/ssl/certs/ca-certificates.crt


I tried to strace curl to find out where it was looking for the ca bundle, and it seems like it's not even trying:
root@lacie:/etc/ssl # strace -f -o output curl https://bootstrap.pypa.io/get-pip.py
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
root@lacie:/etc/ssl # grep cert output
root@lacie:/etc/ssl # grep bundle output
root@lacie:/etc/ssl # grep ca output
6979 uname({sys="Linux", node="lacie.local", ...}) = 0
6979 open("/etc/ld.so.cache", O_RDONLY|0x80000) = 3
6979 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE|0x80000) = 3
6979 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
6979 read(3, "domain local\nnameserver 192.168."..., 4096) = 61
6979 open("/etc/ld.so.cache", O_RDONLY|0x80000) = 3
6979 read(3, "127.0.0.1 lacie.local local"..., 4096) = 162
6979 open("/etc/ld.so.cache", O_RDONLY|0x80000) = 3


And the last lines before the error show:

6979 gettimeofday({1428660613, 811428}, NULL) = 0
6979 gettimeofday({1428660613, 811669}, NULL) = 0
6979 read(3, "\0^\3\3\221o\202\364\235-\216\345\351t\304\325\324_\327\223i\325\2\344\277\224\30\326t4\327\n"..., 96) = 96
6979 read(3, "\26\3\3\20!", 5) = 5
6979 read(3, "\v\0\20\35\0\20\32\0\v_0\202\v[0\202\nC\240\3\2\1\2\2\20\3\23\245\341l\302\376"..., 4129) = 1340
6979 read(3, 0x568e4, 2789) = -1 EAGAIN (Resource temporarily unavailable)
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 89059505}) = 0
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 89289272}) = 0
6979 poll([{fd=3, events=POLLIN}], 1, 1000) = 1 ([{fd=3, revents=POLLIN}])
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 91183138}) = 0
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 91402542}) = 0
6979 poll([{fd=3, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 1 ([{fd=3, revents=POLLIN|POLLRDNORM}])
6979 gettimeofday({1428660613, 816052}, NULL) = 0
6979 read(3, "able.com\202\21*.kickstarter.com\202\22spa"..., 2789) = 2648
6979 read(3, 0x5733c, 141) = -1 EAGAIN (Resource temporarily unavailable)
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 92681748}) = 0
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 92908913}) = 0
6979 poll([{fd=3, events=POLLIN}], 1, 1000) = 1 ([{fd=3, revents=POLLIN}])
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 101383236}) = 0
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 101609956}) = 0
6979 poll([{fd=3, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 1 ([{fd=3, revents=POLLIN|POLLRDNORM}])
6979 gettimeofday({1428660613, 826270}, NULL) = 0
6979 read(3, "6\241\277\34nGI\177^\331H|\3\331\375\213I\240\230&B@\353\326\222\21\244d\nWT\304"..., 141) = 141
6979 write(3, "\25\3\3\0\2\0020", 7) = 7
6979 clock_gettime(CLOCK_MONOTONIC, {143768, 106837345}) = 0
6979 gettimeofday({1428660613, 831246}, NULL) = 0
6979 close(3) = 0
6979 write(2, "c", 1) = 1
6979 write(2, "u", 1) = 1
6979 write(2, "r", 1) = 1


while using the ca-bundle option shows:

7055 open("/dev/urandom", O_RDONLY) = 4
7055 read(4, "\254+\272\22\233f+/\327\303)\373\234M[M\333\242\315jag\37\367\213\207\203\266\331\344~\337"..., 1024) = 1024
7055 close(4) = 0
7055 open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 4
7055 fstat64(4, {st_mode=S_IFCHR|0444, st_rdev=makedev(1, 9), ...}) = 0
7055 poll([{fd=4, events=POLLIN}], 1, 10) = 1 ([{fd=4, revents=POLLIN}])
7055 read(4, "\335\215\316<\376hR%r\271\327\372\312\305\266_\323\24\324Y\251\222\205\244C\366\320C<24\212", 32) = 32
7055 close(4) = 0
7055 getuid32() = 0
7055 gettimeofday({1428661208, 756923}, NULL) = 0
7055 open("/opt/share/curl/curl-ca-bundle.crt", O_RDONLY|O_LARGEFILE) = 4
7055 fstat64(4, {st_mode=S_IFREG|0755, st_size=215997, ...}) = 0
7055 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6fc3000
7055 read(4, "##\n## lib/ca-bundle.crt -- Bundl"..., 4096) = 4096
7055 read(4, "BQADgY0AMIGJAoGBANOkUG7I/1Zr5s9d"..., 4096) = 4096
7055 read(4, " Global CA 3\n==================="..., 4096) = 4096
7055 read(4, "s3dLlwR5EiUWMWea6xrkEmCMgZK9FGqk"..., 4096) = 4096


My questions are:

- Am I the only one with this problem?
- Does anyone know how libcurl was compiled? Can we compile it again with the proper ca-bundle path?
- Should the ca-bundle be in another, widely available place where all the apps can go fetch it?

I think it only happens after the upgrade to 16, but it was so long ago that I can't tell for sure.

Thanks!
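As an added example (it is not part of ersiko's post and not code from the fvdw-sl project), here is a small POSIX sh helper that does what the post does by hand: it asks curl-config for the compiled-in bundle path, falls back to a list of candidate locations, checks that the file actually holds PEM certificates, and then prints the environment settings that make curl, libcurl-based clients such as git, OpenSSL tools and wget use that bundle without resorting to -k or --no-check-certificate. The only path taken from the thread is /opt/share/curl/curl-ca-bundle.crt; the other candidate paths and the wgetrc output are assumptions about typical installs.

```shell
#!/bin/sh
# Added example, not from the forum thread or the fvdw-sl firmware.
# Locate a usable CA bundle on a system whose libcurl was built without a
# default path (curl-config --ca prints nothing) and point the usual tools
# at it through their environment instead of disabling verification.

# Candidate bundle locations: the compiled-in path first (if curl-config
# reports one), then /opt/share/curl/curl-ca-bundle.crt from the post, then
# assumed common distro locations.
default_candidates() {
    if command -v curl-config >/dev/null 2>&1; then
        curl-config --ca 2>/dev/null
    fi
    printf '%s\n' \
        /opt/share/curl/curl-ca-bundle.crt \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/cert.pem
}

# looks_like_pem FILE: succeed only if FILE is readable and contains at least
# one PEM certificate block, so an empty or stray file is never accepted.
looks_like_pem() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# find_ca_bundle [PATH...]: print the first argument that looks like a PEM
# bundle; with no arguments, search default_candidates. Returns 1 if none fits.
find_ca_bundle() {
    if [ $# -gt 0 ]; then
        for p in "$@"; do
            [ -n "$p" ] && looks_like_pem "$p" && { printf '%s\n' "$p"; return 0; }
        done
    else
        for p in $(default_candidates); do
            looks_like_pem "$p" && { printf '%s\n' "$p"; return 0; }
        done
    fi
    return 1
}

# ca_env_exports BUNDLE: print shell export lines for the tools in the post.
# CURL_CA_BUNDLE is read by curl and most libcurl clients, SSL_CERT_FILE by
# OpenSSL (and Python's ssl module), GIT_SSL_CAINFO by git's https transport.
ca_env_exports() {
    b=$1
    printf 'export CURL_CA_BUNDLE=%s\n' "$b"
    printf 'export SSL_CERT_FILE=%s\n' "$b"
    printf 'export GIT_SSL_CAINFO=%s\n' "$b"
}

# wgetrc_line BUNDLE: wget has no environment variable for this; print the
# line to append to ~/.wgetrc so that --ca-certificate is no longer needed.
wgetrc_line() {
    printf 'ca_certificate = %s\n' "$1"
}

# check_https BUNDLE URL: verify a site against BUNDLE with curl's own
# verification left on; a non-zero exit means the chain did not validate.
check_https() {
    curl --cacert "$1" -sS -o /dev/null "$2"
}
```

Typical use is to source the file and then run `b=$(find_ca_bundle) && eval "$(ca_env_exports "$b")"` in the shell (or in /etc/profile) and `wgetrc_line "$b" >> ~/.wgetrc`; afterwards `check_https "$b" https://bootstrap.pypa.io/get-pip.py` should exit 0, and git pull over https should no longer need the libcurl default path that the ipkg build lacks. Rebuilding libcurl with a correct `--with-ca-bundle` path, as the post asks about, makes the environment settings unnecessary.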

Re: ca bundle not installed?

Posted: Fri Apr 10, 2015 10:35 am
by Jocko
ersiko wrote:
I think it only happens after the upgrade to 16, but it was so long ago that I can't tell for sure.
No.
There were no CA chains in the previous releases.

I plan to look at this point, and there are other ways to get updated CA chains instead of the bundle ipkg package, but I need to find time for it.

Re: ca bundle not installed?

Posted: Fri Apr 10, 2015 10:53 am
by ersiko
Ok, I'll be waiting for it, then. Thanks!

Re: ca bundle not installed?

Posted: Fri Apr 10, 2015 11:19 am
by ersiko
Well... I'll be waiting, unless there's anything I can do to help, of course! I'm at your disposal.

PS: I remember it was working on the firmware I was using before fvdw-sl; that's why I thought it was working on the previous release. Sorry for the confusion...

Re: ca bundle not installed?

Posted: Mon Apr 13, 2015 7:42 am
by Jocko
Hi ersiko,

I looked deeper into this point, and in the next version a CA chain will be available for openssl, wget, curl and php_curl to check the certificate of a secure site.