[solved] Problem with the SSL CA cert (path? access rights?)

Message

ghutzl · Post by **ghutzl** » Tue Mar 09, 2021 12:02 pm

Hello!

I am having a problem with git clone. Whenever I do a git clone of any repo I get this error:

$ git clone https://gitlab.com/bingch/gentoo-overlay.git
Cloning into 'gentoo-overlay'...
fatal: unable to access 'https://gitlab.com/bingch/gentoo-overlay.git/': Problem with the SSL CA cert (path? access rights?)

This is a relatively new install (about 1 week old). I have a older gentoo installation (>10 Years old

) where the above command works flawlessly. I am wondering what could be wrong with the certificates. I have the ca-certificates installed:

Code: Select all

[I] app-misc/ca-certificates
     Available versions:  20200601.3.53 ~20200601.3.60 ~20210119.3.62 {cacert}
     Installed versions:  20200601.3.53(12:58:34 AM 03/09/2021)(cacert)
     Homepage:            https://packages.debian.org/sid/ca-certificates
     Description:         Common CA Certificates PEM files

Here is my info:

Code: Select all

# emerge --info                                                                                                                                                                                                                                               Portage 3.0.13 (python 3.8.7-final-0, default/linux/amd64/17.1/desktop/gnome/systemd, gcc-10.2.0, glibc-2.32-r7, 5.4.97-gentoo-x86_64 x86_64)                                                                                                                                =================================================================                                                                                                                                                                                                            System uname: Linux-5.4.97-gentoo-x86_64-x86_64-AMD_Ryzen_9_3900X_12-Core_Processor-with-glibc2.2.5
KiB Mem:    16352248 total,  13558136 free                                                                                                                                                                                                                                   
KiB Swap:    2097148 total,   2097148 free
Timestamp of repository gentoo: Mon, 08 Mar 2021 21:00:01 +0000
Head commit of repository gentoo: e151146ff1a8dfceed760cecd14f58e0be411f54
sh bash 5.0_p18
ld GNU ld (Gentoo 2.35.1 p2) 2.35.1
app-shells/bash:          5.0_p18::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          2.7.18-r6::gentoo, 3.8.7-r1::gentoo, 3.9.1-r1::gentoo
dev-util/cmake:           3.18.5::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/sandbox:         2.20::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.16.2-r1::gentoo
sys-devel/binutils:       2.35.1-r1::gentoo
sys-devel/gcc:            10.2.0-r5::gentoo
sys-devel/gcc-config:     2.3.3::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.32-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=znver2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=znver2"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe -march=znver2"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe -march=znver2"
GENTOO_MIRRORS="https://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j24"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi act alsa amd64 apparmor audit berkdb bluetooth branding build bzip2 cairo cdda cdr cgroup-hybrid cli colord crypt cryptsetup cups curl dbus dns-over-tls dri dts dvd dvdr eds emboss encode evo exif flac fortran gdbm gif gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk gui iconv icu introspection ipv6 jpeg lcms libglvnd libnotify libsecret libtirpc mad mng mp3 mp4 mpeg multilib nautilus ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio qt5 readline sdl seccomp spell split-usr ssl startup-notification svg sysprof systemd tcpd tiff tracker truetype udev udisks unicode upower usb vorbis wayland webkit wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_8" PYTHON_TARGETS="python3_8" RUBY_TARGETS="ruby26" USERLAND="GNU" VIDEO_CARDS="qxl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

I am executing git from my normal user and I checked that this user has read access to the certificates in e.g. "/usr/share/ca-certificates" .

Can anyone help me debug this?

Thank you.

Post by **fedeliallalinea** » Tue Mar 09, 2021 12:07 pm

Can help this topic?

ghutzl · Post by **ghutzl** » Tue Mar 09, 2021 12:38 pm

Ah, the given thread led me to the solution. Here are the details:

1. GIT_CURL_VERBOSE=1 gave me more info:

Code: Select all

$ GIT_CURL_VERBOSE=1 git clone https://gitlab.com/bingch/gentoo-overlay.git                                
Cloning into 'gentoo-overlay'...                   
* Couldn't find host gitlab.com in the .netrc file; using defaults
*   Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs            
* Closing connection 0                              
fatal: unable to access 'https://gitlab.com/bingch/gentoo-overlay.git/': Problem with the SSL CA cert (path? access rights?)

2. I set USE=nss just for net-misc/curl as posted in the thread but that was not solving the issue.

3. What finally solved the issue for me was emerging nss-pem.

Thanks for the help. Isn't that kind of an issue in one of the ebuilds? Probably net-misc/curl should require nss-pem as dependency (when used with CURL_SSL="nss") ?

Post by Hu » Tue Mar 09, 2021 9:22 pm

ghutzl wrote:Isn't that kind of an issue in one of the ebuilds? Probably net-misc/curl should require nss-pem as dependency (when used with CURL_SSL="nss") ?

I am not aware of a reason that the ebuild should permit the bad configuration, so this might be worth a bug report. I think at a minimum the ebuild could do with a comment justifying the current behavior, if the current behavior is intentional rather than just an oversight.

ghutzl · Post by **ghutzl** » Thu Mar 11, 2021 4:22 pm

I just found a bug that covers this already: https://bugs.gentoo.org/768912 . So all is good (or eventually will be).