System cannot verify certificates from any HTTPS connections

dptzippy · 01-27-2021, 02:30 PM

As the title says, my system fails to verify security certificates for secured connections. This can be worked around, using a configuration file (for cURL), and "--no-check-connection" (for wget), but I can't always work around this issue, and until I get this fixed, I cannot install a web browser, I cannot use chat programs, installers/packages fail if they need to connect to the Internet, and I am really frustrated.

I have recompiled and reinstalled GnuTLS, cURL, OpenSSL, NSS, make-ca, but it still won't work. I use the default directories, as per BLFS, but I can't seem to get my connection to work. Does anybody know how to fix this? This problem affects the console, as well as GUI applications.

Thanks for the help!
- dptzippy

sevendogsbsd · 01-27-2021, 03:00 PM

Typically this means the root certificates from the sites you are trying to connect to, are not installed. Normally these are installed in modern distros but I know nothing about how this works in LFS.

dptzippy · 01-27-2021, 06:11 PM

Quote:

Originally Posted by sevendogsbsd

Typically this means the root certificates from the sites you are trying to connect to, are not installed. Normally these are installed in modern distros but I know nothing about how this works in LFS.

Thank you for your reply. Would you happen to know of a place where I could download some kind of package, to install certificates?

sevendogsbsd · 01-27-2021, 07:57 PM

Normally these are installed with the OS, but you built the OS, that being blfs so I am not sure in that case. Do the docs say anything about root certificates? It is essentially a package with dozens of root certificates from various vendors and countries.

Sorry I am not being any more helpful than that but I have not ever built an LFS system.

spiky0011 · 01-28-2021, 11:21 AM

Try here
http://www.linuxfromscratch.org/blfs...s/make-ca.html

bryan_S · 01-28-2021, 01:04 PM

And, as is shown on that page: "make-ca -g" should do it. I manually download certdata.txt and run "make-ca" in the same directory - that also works.

dptzippy · 01-28-2021, 08:27 PM

Quote:

Originally Posted by bryan_S

And, as is shown on that page: "make-ca -g" should do it. I manually download certdata.txt and run "make-ca" in the same directory - that also works.

Okay, I tried reinstalling those packages, and rerunning the commands. Every single certificate issues a "Could not open certificate"/"Unable to read certificate" message, and nothing is fixed. What am I doing incorrectly?

dptzippy · 01-28-2021, 08:43 PM

I just noticed that the output mentions an error in the script.

/usr/sbin/make-ca: line 650: 21776 Broken pipe printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' "${tempfile}")
21777 Segmentation fault | "${OPENSSL}" x509 -text -inform DER -fingerprint > tempfile.crt
Could not read certificate from tempfile.crt
Unable to load certificate
Could not read certificate from tempfile.crt
Unable to load certificate
Could not read certificate from tempfile.crt
Unable to load certificate
Could not read certificate from tempfile.crt
Unable to load certificate
Certificate: Trustis FPS Root CA
Keyhash:
Added to p11-kit anchor directory with trust 'C,C,'.

themightydill · 05-01-2021, 05:30 PM

delete post