Ramis (n00b)
Joined: 20 Jan 2017 Posts: 5
Posted: Fri Jan 20, 2017 9:49 am Post subject: https problem after updating system

Hi!
After updating world, I cannot open local Tomcat sites over https. Http works.
I think the problem is due to certificates.
I tried several browsers: Firefox, Vivaldi, Chrome.
Then I tried to repair the system following this topic: https://forums.gentoo.org/viewtopic-t-812705-start-0.html,
but there is no cacert.org.pem on my system.
I also tried to re-emerge with the new USE flag cacert, and the result is the same.
How can I repair the certificates on my system?
Thanks.
tryn (Guru)
Joined: 21 Dec 2002 Posts: 325 Location: 39.885° N. -88.913° W.
Posted: Sat Jan 21, 2017 2:00 am

Hi Ramis.
You might try to rebuild these two items.
app-misc/ca-certificates
dev-libs/openssl
I ran this
Which gave the two items above, so you might try that.
Markus09 (Tux's lil' helper)
Joined: 22 Mar 2013 Posts: 78
Posted: Sat Jan 21, 2017 8:44 pm

Do you get no return from the server or some error message?
You could try in the console with:
Code:
openssl s_client -connect yourTomcatHostname:443
GET / HTTP/1.1
Host: yourTomcatHostname

to get more info about what's going wrong.
(Note: you have to press "Return" twice at the end)
Ramis (n00b)
Joined: 20 Jan 2017 Posts: 5
Posted: Mon Jan 23, 2017 6:29 am

tryn wrote:
Hi Ramis.
You might try to rebuild these two items.
app-misc/ca-certificates
dev-libs/openssl
I ran this
Which gave the two items above, so you might try that.

Hi, tryn!
Thank you for the reply.
I tried it and it gives me
Code:
app-misc/ca-certificates-20161102.3.27.2-r2 (/etc/ssl/certs)
dev-libs/openssl-1.0.2j (/etc/ssl/certs)
sys-kernel/gentoo-sources-4.4.39 (/usr/src/linux-4.4.39-gentoo/certs)

Then I updated:
Code:
emerge -av ca-certificates openssl gentoo-sources

Code:
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] app-misc/ca-certificates-20161102.3.27.2-r2::gentoo USE="cacert -insecure_certs" 7 539 KiB
[ebuild NS ] dev-libs/openssl-0.9.8z_p8:0.9.8::gentoo [1.0.2j:0::gentoo] USE="bindist zlib -gmp -kerberos {-test}" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 3 730 KiB
[ebuild R ] sys-kernel/gentoo-sources-4.4.39:4.4.39::gentoo USE="symlink -build -experimental" 86 157 KiB
Total: 3 packages (1 in new slot, 2 reinstalls), Size of downloads: 97 424 KiB
WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:
dev-libs/openssl:0
(dev-libs/openssl-1.0.2j:0/0::gentoo, ebuild scheduled for merge) conflicts with
>=dev-libs/openssl-1.0.1h-r2:0[abi_x86_32(-),abi_x86_64(-)] required by (dev-qt/qtcore-4.8.6-r2:4/4::gentoo, installed)

But the result is the same.
Ramis (n00b)
Joined: 20 Jan 2017 Posts: 5
Posted: Mon Jan 23, 2017 6:33 am

Markus09 wrote:
Do you get no return from the server or some error message?
You could try in the console with:
Code:
openssl s_client -connect yourTomcatHostname:443
GET / HTTP/1.1
Host: yourTomcatHostname

to get more info about what's going wrong.
(Note: you have to press "Return" twice at the end)

Hi, Markus09!
Thanks for the advice.
My connection in the console gives me:
Code:
openssl s_client -connect https://localhost:9002/newstore/ru/?site=new
gethostbyname failure
gethostbyname failure
connect:errno=11

while Firefox output is:
Code:
An error occurred during a connection to localhost:9002. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
Hu (Moderator)
Joined: 06 Mar 2007 Posts: 21633
Posted: Tue Jan 24, 2017 3:26 am

Ramis wrote:
My connection in the console gives me:
Code:
openssl s_client -connect https://localhost:9002/newstore/ru/?site=new
gethostbyname failure
gethostbyname failure
connect:errno=11

You misunderstood his instructions. openssl s_client is not a browser. It is a TLS-aware byte stream. He specified to give a bare hostname:port because that is all you can give to openssl s_client. You cannot give it a protocol scheme or a path, because it is designed to work with any TLS-aware service, not just https.

Ramis wrote:
while Firefox output is:
Code:
An error occurred during a connection to localhost:9002. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

This is helpful. It says the peer is broken, not the client. Check the peer's error logs for details about what type of error it experienced.
Ramis (n00b)
Joined: 20 Jan 2017 Posts: 5
Posted: Tue Jan 24, 2017 8:10 am

Hi Hu!
Thank you for the reply.
I tried emerge dev-java/icedtea, but it failed:
Code:
 * Generating cacerts file from certificates in /usr/share/ca-certificates/
unable to load certificate
140661671573136:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
 * ERROR: dev-java/icedtea-7.2.6.8::gentoo failed (install phase):
 *   (no error message)
 *
 * Call stack:
 *   ebuild.sh, line 115:  Called src_install
 *   environment, line 5009:  Called die
 * The specific snippet of code:
 *   openssl x509 -text -in "${c}" >> all.crt || die;
 *

So I think the problem is in the certificates.
Markus09 (Tux's lil' helper)
Joined: 22 Mar 2013 Posts: 78
Posted: Sun Jan 29, 2017 1:50 pm

Did you have a look into that folder?
E.g. with
Code:
tree /usr/share/ca-certificates/

Is it empty? Does it contain something?
If you find .crt files, you could check them with the tool to see if at least they could be PEM certificates.
And if there is a file that is not, I'd move it out temporarily and try to rebuild.
You could also try icedtea-bin, if it is an option for you.
Ramis (n00b)
Joined: 20 Jan 2017 Posts: 5
Posted: Mon Jan 30, 2017 12:23 pm

Hi Markus09!
Code:
c0426 ramis # tree /usr/share/ca-certificates/
/usr/share/ca-certificates/
└── cacert.org
    └── cacert.org_root.crt
1 directory, 1 file

Code:
c0426 ca-certificates # update-ca-certificates
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/AC_Raíz_Certicámara_S.A..crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
...
grep: ACCVRAIZ1.pem: No such file or directory
WARNING: ACCVRAIZ1.pem does not contain a certificate or CRL: skipping
grep: ACEDICOM_Root.pem: No such file or directory
WARNING: ACEDICOM_Root.pem does not contain a certificate or CRL: skipping
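As an added example (not code from this thread or from the ca-certificates package), the following Python script does what Markus09 suggested and what the update-ca-certificates warnings above report: it cross-checks the entries of /etc/ca-certificates.conf against /usr/share/ca-certificates and tests each listed .crt for a structurally plausible PEM certificate block, the condition under which "openssl x509 -in" stops failing with "no start line". The conf format handling, the sample conf, the file names and the placeholder certificate body in demo() are constructed for this illustration; on a live system call audit("/etc/ca-certificates.conf", "/usr/share/ca-certificates") instead.

```python
import base64
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)-----END (?:TRUSTED )?CERTIFICATE-----", re.S)

def pem_cert_blocks(path):
    """Count PEM CERTIFICATE/TRUSTED CERTIFICATE blocks whose base64 body decodes to a DER SEQUENCE (0x30)."""
    count = 0
    for body in PEM_RE.findall(Path(path).read_text(encoding="utf-8", errors="replace")):
        try:
            count += base64.b64decode(body)[:1] == b"\x30"
        except ValueError:  # body is not valid base64
            pass
    return count

def parse_conf(conf_path):
    """ca-certificates.conf: '#' lines are comments, '!' prefix deselects, else a path relative to the store."""
    selected, deselected = [], []
    for line in Path(conf_path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            (deselected if line.startswith("!") else selected).append(line.lstrip("!"))
    return selected, deselected

def audit(conf_path, store_dir):
    """Cross-check the conf against the store as update-ca-certificates does, plus a PEM sanity check."""
    report = {"missing": [], "bad_pem": [], "ok": []}
    for rel in parse_conf(conf_path)[0]:
        full = Path(store_dir, rel)
        if not full.is_file():
            report["missing"].append(rel)  # the "W: ... not found, but listed in" warning
        elif pem_cert_blocks(full) == 0:
            report["bad_pem"].append(rel)  # would give openssl's "no start line" error
        else:
            report["ok"].append(rel)
    return report

def demo():
    """Constructed store mirroring the thread: only cacert.org present, mozilla/ listed but absent."""
    store = Path(tempfile.mkdtemp())
    (store / "cacert.org").mkdir()
    def put(rel, text): (store / rel).write_text(text)
    # Placeholder DER body (a SEQUENCE holding one INTEGER), NOT a real certificate.
    put("cacert.org/cacert.org_root.crt", "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")
    put("cacert.org/stray.crt", "this file is not PEM at all\n")
    put("ca-certificates.conf", "# sample\nmozilla/ACCVRAIZ1.crt\n!mozilla/ACEDICOM_Root.crt\n"
                                "cacert.org/cacert.org_root.crt\ncacert.org/stray.crt\n")
    return audit(store / "ca-certificates.conf", store)
```

A non-empty "missing" list with mozilla/ entries means the Mozilla bundle never landed in the store (the situation in the tree output above), while a "bad_pem" entry points at the file that makes the icedtea install step die.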