Gentoo Forums
https problem after updating system
Forum: Networking & Security
Author: Ramis (n00b)
Joined: 20 Jan 2017
Posts: 5
Posted: Fri Jan 20, 2017 9:49 am    Post subject: https problem after updating system

Hi!

After updating world, I cannot open local tomcat sites by https. Http works.
I think the problem is due to certificates.
I tried several browsers: firefox, vivaldi, chrome.
Then I tried to repair the system by this topic: https://forums.gentoo.org/viewtopic-t-812705-start-0.html,
but there is no cacert.org.pem in my system.

Also I tried to re-emerge with new USE flag cacert, and result is the same.

How can I repair certificates in my system?

Thanks.
Author: tryn (Guru)
Joined: 21 Dec 2002
Posts: 320
Location: 39.885° N. -88.913° W.
Posted: Sat Jan 21, 2017 2:00 am

Hi Ramis.

You might try to rebuild these two items.
app-misc/ca-certificates
dev-libs/openssl

I ran this
Code:
equery b certs

Which gave the two items above so you might try that.
Author: Markus09 (Tux's lil' helper)
Joined: 22 Mar 2013
Posts: 78
Posted: Sat Jan 21, 2017 8:44 pm

Do you get no return from the server or some error message?

You could try in console with:
Code:
openssl s_client -connect yourTomcatHostname:443
GET / HTTP/1.1
Host: yourTomcatHostname

to get more info about what's going wrong.
(Note: you have to press "Return" twice at the end)
Author: Ramis (n00b)
Joined: 20 Jan 2017
Posts: 5
Posted: Mon Jan 23, 2017 6:29 am

tryn wrote:
Hi Ramis.

You might try to rebuild these two items.
app-misc/ca-certificates
dev-libs/openssl

I ran this
Code:
equery b certs

Which gave the two items above so you might try that.


Hi, tryn!

Thank you for the reply.
I tried
Code:
equery b certs
and it gives me
Code:
app-misc/ca-certificates-20161102.3.27.2-r2 (/etc/ssl/certs)
dev-libs/openssl-1.0.2j (/etc/ssl/certs)
sys-kernel/gentoo-sources-4.4.39 (/usr/src/linux-4.4.39-gentoo/certs)

Then I updated
Code:
 emerge -av ca-certificates openssl gentoo-sources

Code:
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] app-misc/ca-certificates-20161102.3.27.2-r2::gentoo  USE="cacert -insecure_certs" 7 539 KiB
[ebuild  NS    ] dev-libs/openssl-0.9.8z_p8:0.9.8::gentoo [1.0.2j:0::gentoo] USE="bindist zlib -gmp -kerberos {-test}" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 3 730 KiB
[ebuild   R    ] sys-kernel/gentoo-sources-4.4.39:4.4.39::gentoo  USE="symlink -build -experimental" 86 157 KiB

Total: 3 packages (1 in new slot, 2 reinstalls), Size of downloads: 97 424 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-libs/openssl:0

  (dev-libs/openssl-1.0.2j:0/0::gentoo, ebuild scheduled for merge) conflicts with
    >=dev-libs/openssl-1.0.1h-r2:0[abi_x86_32(-),abi_x86_64(-)] required by (dev-qt/qtcore-4.8.6-r2:4/4::gentoo, installed)

But the result is the same.
Author: Ramis (n00b)
Joined: 20 Jan 2017
Posts: 5
Posted: Mon Jan 23, 2017 6:33 am

Markus09 wrote:
Do you get no return from the server or some error message?

You could try in console with:
Code:
openssl s_client -connect yourTomcatHostname:443
GET / HTTP/1.1
Host: yourTomcatHostname

to get more info about what's going wrong.
(Note: you have to press "Return" twice at the end)


Hi, Markus09!

Thanks for the advice.
My connection in console gives me:
Code:
openssl s_client -connect https://localhost:9002/newstore/ru/?site=new
gethostbyname failure
gethostbyname failure
connect:errno=11

while Firefox output is:
Code:
An error occurred during a connection to localhost:9002. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
Author: Hu (Moderator)
Joined: 06 Mar 2007
Posts: 14379
Posted: Tue Jan 24, 2017 3:26 am

Ramis wrote:
My connection in console gives me:
Code:
openssl s_client -connect https://localhost:9002/newstore/ru/?site=new
gethostbyname failure
gethostbyname failure
connect:errno=11
You misunderstood his instructions. openssl s_client is not a browser. It is a TLS-aware byte stream. He specified to give a bare hostname:port because that is all you can give to openssl s_client. You cannot give it a protocol scheme or a path, because it is designed to work with any TLS-aware service, not just https.
Ramis wrote:
while Firefox output is:
Code:
An error occurred during a connection to localhost:9002. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
This is helpful. It says the peer is broken, not the client. Check the peer's error logs for details about what type of error it experienced.
Author: Ramis (n00b)
Joined: 20 Jan 2017
Posts: 5
Posted: Tue Jan 24, 2017 8:10 am

Hi Hu!

Thank you for the reply.
I tried emerge dev-java/icedtea, but it failed:
Code:
 * Generating cacerts file from certificates in /usr/share/ca-certificates/
unable to load certificate
140661671573136:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
 * ERROR: dev-java/icedtea-7.2.6.8::gentoo failed (install phase):
 *   (no error message)
 *
 * Call stack:
 *     ebuild.sh, line 115:  Called src_install
 *   environment, line 5009:  Called die
 * The specific snippet of code:
 *           openssl x509 -text -in "${c}" >> all.crt || die;
 *

So I think the problem is in certificates.
Author: Markus09 (Tux's lil' helper)
Joined: 22 Mar 2013
Posts: 78
Posted: Sun Jan 29, 2017 1:50 pm

Did you have a look into that folder?
E.g. with
Code:
tree /usr/share/ca-certificates/

Is it empty? Does it contain something?

If you find .crt files you could check them with the tool
Code:
file
to see whether they could at least be PEM certificates.
And if there is a file that is not, I'd move it out temporarily and try to rebuild.

You could also try icedtea-bin, if it is an option for you.
Author: Ramis (n00b)
Joined: 20 Jan 2017
Posts: 5
Posted: Mon Jan 30, 2017 12:23 pm

Hi Markus09!

Code:
c0426 ramis # tree /usr/share/ca-certificates/
/usr/share/ca-certificates/
└── cacert.org
    └── cacert.org_root.crt

1 directory, 1 file

Code:
c0426 ca-certificates # update-ca-certificates
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/AC_Raíz_Certicámara_S.A..crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
...
grep: ACCVRAIZ1.pem: No such file or directory
WARNING: ACCVRAIZ1.pem does not contain a certificate or CRL: skipping
grep: ACEDICOM_Root.pem: No such file or directory
WARNING: ACEDICOM_Root.pem does not contain a certificate or CRL: skipping
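As an added example that is not from the thread, a small POSIX sh script that does what the last two posts do by hand: it lists entries in ca-certificates.conf with no file behind them (the W: lines above) and flags .crt files that lack a PEM header (the "no start line" error from the icedtea install). The fixture directory and its files are constructed test data, not real certificates; on the affected box you would call ca_tree_report with /usr/share/ca-certificates and /etc/ca-certificates.conf.

```shell
#!/bin/sh
# Cross-check a ca-certificates tree against ca-certificates.conf. Reports
# conf entries missing from the tree (the "not found, but listed in" warnings)
# and .crt files without a PEM header (the "no start line ... Expecting:
# TRUSTED CERTIFICATE" failure that broke the icedtea install).

# Print one line per problem; print nothing when the tree is consistent.
ca_tree_report() {
    dir="$1"; conf="$2"
    # Conf entries are paths relative to the tree; '#' lines are comments
    # and a leading '!' marks a certificate deselected on purpose.
    grep -v '^[#!]' "$conf" | grep -v '^$' | while IFS= read -r entry; do
        [ -f "$dir/$entry" ] || echo "MISSING $entry"
    done
    # Every .crt present must start with a PEM header or openssl x509
    # (and therefore the ebuild's all.crt loop) refuses to read it.
    find "$dir" -type f -name '*.crt' | sort | while IFS= read -r f; do
        grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$f" \
            || echo "NOT-PEM ${f#"$dir"/}"
    done
}

# Exit status 0 when nothing is wrong, 1 otherwise (usable from scripts).
ca_tree_ok() {
    [ -z "$(ca_tree_report "$1" "$2")" ]
}

# Constructed fixture, not real certificates: one PEM-looking file, one conf
# entry with no file behind it, one deselected entry and one garbage .crt.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/share/mozilla" "$d/share/cacert.org"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructed' \
        '-----END CERTIFICATE-----' > "$d/share/mozilla/Good_Root.crt"
    printf '%s\n' 'this is not a certificate' > "$d/share/cacert.org/broken.crt"
    printf '%s\n' '# comment' 'mozilla/Good_Root.crt' 'mozilla/Gone_Root.crt' \
        '!mozilla/Deselected.crt' > "$d/ca-certificates.conf"
    echo "$d"
}

# Run with --demo to see the report on the fixture, or pass the real paths:
#   ca_tree_report /usr/share/ca-certificates /etc/ca-certificates.conf
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    ca_tree_report "$fx/share" "$fx/ca-certificates.conf"
    rm -rf "$fx"
fi
```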