[gobolinux-devel] CA-Certificates and OpenSSL
Hisham Muhammad
2014-09-29 19:41:51 UTC
Hi,

I've been getting lots of "invalid certificate" errors from curl and
wget lately. The reason is because I didn't have the CA-Certificates
package in my system.

I installed it (had to build Golang in the process!) but then I had
some trouble getting curl and wget to find the certificates.

I rebuilt Curl using --with-ca-path to make it point to /usr/lib/ssl,
and now Curl is happy.

For Wget, it gets the default path from OpenSSL. I noticed then that
OpenSSL is configured so that "openssldir" points to
/Programs/OpenSSL/Settings/ssl (it's a configure flag:
"--openssldir=$settings_target/ssl" ).

I'm thinking of moving that to "/usr/lib/ssl", so that certificates
installed by the CA-Certificates package are found. (This is closer to
the default from upstream, /usr/local/ssl — it doesn't seem to be an
etc-style path.)

I'm sending this message before I upload the recipe because this may
have consequences with existing installations that installed custom
certificates at Settings/ssl/certs... you may need to use openssl.cnf
to make it find them there.

Does anyone have any objection to this change?

-- Hisham
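
Added example, not part of the original message: a shell check of whether a given openssldir actually holds a usable trust store, run over the two locations named above and the running system's compiled-in directory. It relies on OpenSSL's default lookup of `cert.pem` and a hashed `certs/` directory under openssldir; the function names `parse_openssldir` and `ca_store_status` are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose where OpenSSL looks for CA certificates.

# Extract the directory from `openssl version -d` output, which has the form
#   OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Classify an openssldir as a trust store. Prints one of:
#   missing - the directory does not exist
#   empty   - neither cert.pem nor hashed entries in certs/
#   bundle  - cert.pem present (OpenSSL's default CAfile)
#   hashed  - certs/ holds <8 hex digits>.<n> entries (default CApath)
#   both    - bundle and hashed directory are both present
# Returns non-zero for "missing" and "empty".
ca_store_status() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 1; }
    bundle=no hashed=no
    [ -s "$dir/cert.pem" ] && bundle=yes
    for f in "$dir"/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -e "$f" ] && { hashed=yes; break; }
    done
    case "$bundle$hashed" in
        yesyes) echo both ;;
        yesno)  echo bundle ;;
        noyes)  echo hashed ;;
        *)      echo empty; return 1 ;;
    esac
}

# Report on the two locations discussed in the thread.
for d in /Programs/OpenSSL/Settings/ssl /usr/lib/ssl; do
    echo "$d: $(ca_store_status "$d")"
done

# Report on the directory compiled into the local openssl binary, if any.
if command -v openssl >/dev/null 2>&1; then
    d=$(parse_openssldir "$(openssl version -d 2>/dev/null)")
    echo "compiled-in openssldir ${d:-unknown}: $(ca_store_status "$d")"
fi

# These environment variables override the compiled-in defaults when set.
echo "SSL_CERT_FILE=${SSL_CERT_FILE:-unset} SSL_CERT_DIR=${SSL_CERT_DIR:-unset}"
```

A result of `missing` or `empty` for the compiled-in directory is the condition that produces certificate verification failures in clients that take their default path from OpenSSL.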
Lucas C. Villa Real
2014-09-29 20:26:09 UTC
Post by Hisham Muhammad
Does anyone have any objection to this change?
None from my side.
--
Lucas
"If you're looking for a reason I've a reason to give: pleasure, little
treasure"
Hisham Muhammad
2014-09-29 21:05:16 UTC
Post by Lucas C. Villa Real
None from my side.
All right then, uploading recipes. With the latest CA-Certificates,
OpenSSL, Curl and Wget one should get rid of any certificate
complaints. (Perhaps this will make even Git happy too. I've been
using `export GIT_SSL_NO_VERIFY=true` to get stuff from github...)

-- Hisham
Lucas C. Villa Real
2014-09-29 21:17:14 UTC
Post by Hisham Muhammad
All right then, uploading recipes. With the latest CA-Certificates,
OpenSSL, Curl and Wget one should get rid of any certificate
complaints. (Perhaps this will make even Git happy too. I've been
using `export GIT_SSL_NO_VERIFY=true` to get stuff from github...)
Hopefully. That workaround for git has even been introduced on Compile a
while ago..

Lucas
Hisham Muhammad
2014-09-29 21:37:11 UTC
Post by Lucas C. Villa Real
Hopefully. That workaround for git has even been introduced on Compile a
while ago..
Looks like it! :)

***@pointer ~/bloblo]unset GIT_SSL_NO_VERIFY
***@pointer ~/bloblo]git clone https://github.com/hishamhm/datafile
Cloning into 'datafile'...
remote: Counting objects: 102, done.
remote: Total 102 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (102/102), 14.28 KiB | 0 bytes/s, done.
Resolving deltas: 100% (44/44), done.
Checking connectivity... done
***@pointer ~/bloblo]

-- Hisham
Lucas C. Villa Real
2014-09-29 22:57:43 UTC
Post by Hisham Muhammad
Looks like it! :)
Cloning into 'datafile'...
remote: Counting objects: 102, done.
remote: Total 102 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (102/102), 14.28 KiB | 0 bytes/s, done.
Resolving deltas: 100% (44/44), done.
Checking connectivity... done
Cool! Thanks heaps!

Lucas
