[SOLVED] Can I update ca-certificates on 14.2?

Skaendo · 12-28-2018, 12:52 PM

I am starting to see TLS errors with Liferea on 14.2 and just was wondering if I should try reinstalling ca-certificates or if I can upgrade them to the package from -current. I haven't seen any errors through Waterfox.

I don't want to break my install by upgrading to the -current version, but I wouldn't be very disappointed if it did break. I was considering moving to -current, but I don't think that it is really ready enough. A fresh install of 14.2 wouldn't kill me either, but I don't want to do it and it could be resolved by just upgrading or reinstalling ca-certificates.

Any input would be helpful, TIA.

hazel · 12-28-2018, 01:12 PM

I don't know if it's officially permissible, but when I installed Slack last week, I used the ca-certs from current. I don't see that it can do any harm because ca-certs are data, not executable code that some program could be linked to.

volkerdi · 12-28-2018, 01:33 PM

Yes, it is safe to use the ca-certificates package from -current on earlier versions of Slackware.

abga · 12-28-2018, 04:56 PM

@Skaendo
Before you move to the ca-certificates from -current, I'd suggest to try updating the already available ones:

Code:

/usr/sbin/update-ca-certificates --fresh

Skaendo · 12-28-2018, 08:12 PM

Thanks everyone.

I tried what @abga suggested and tried updating first, but it didn't completely solve the problem so I updated the build script for 14.2 with the version from -current and upgraded. It threw a bunch of errors after I ran update-ca-certificates (just couple to elaborate):

Code:

W: /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/WellsSecure_Public_Root_Certificate_Authority.crt not found, but listed in /etc/ca-certificates.conf.

But most feeds are working normal again. the only one that is not working is Torrent Freak so I am assuming that it could be on their end or it is a issue with Liferea itself.

Thanks again.

svim · 12-29-2018, 11:48 AM

I've been been using Liferea for several years now and just a couple of weeks ago, one day I noticed several errors with just some feeds too. After a few days of trying this and that I started looking for viable alternatives. Now using Feedbro, a Firefox extension:
https://addons.mozilla.org/en-US/fir...feedbroreader/
Took a day or two to adjust from using a discrete application to just another tab in a browser but it has a surprisingly extensive feature set, much more than Liferea's.

Skaendo · 12-29-2018, 07:12 PM

Quote:

Originally Posted by svim

I've been been using Liferea for several years now and just a couple of weeks ago, one day I noticed several errors with just some feeds too. After a few days of trying this and that I started looking for viable alternatives. Now using Feedbro, a Firefox extension:
https://addons.mozilla.org/en-US/fir...feedbroreader/
Took a day or two to adjust from using a discrete application to just another tab in a browser but it has a surprisingly extensive feature set, much more than Liferea's.

Thanks for the tip. I would much rather have a standalone application for most things. I just don't like weighing down my browser with a bunch of addons. Liferea does what I need it to, grab feeds and let me open the links in my browser.

Markus Wiesner · 12-29-2018, 07:25 PM

Quote:

Originally Posted by Skaendo

It threw a bunch of errors after I ran update-ca-certificates (just couple to elaborate):

Did you move /etc/ca-certificates.conf.new to /etc/ca-certificates.conf before running update-ca-certificates?

Skaendo · 12-29-2018, 07:35 PM

Quote:

Originally Posted by Markus Wiesner

Did you move /etc/ca-certificates.conf.new to /etc/ca-certificates.conf before running update-ca-certificates?

No I did not. Fixed. Thanks.

24 more added and no errors.

Poprocks · 02-13-2019, 01:50 PM

Beware of one thing that I noticed today:

I'd upgraded ca-certificates from 14.0 (latest patches version) with the one from -current.

The update-ca-certificates script attempts to run `openssl rehash` which is only a command available with openssl 1.1.x; 1.0.x shipped with 14.0 does not include that command; the correct command is c_rehash.

So updating to -current ca-certificates on 14.0 resulted in some errors such as wget not being able to download files via https.

chris.willing · 02-13-2019, 04:22 PM

Further to @abga's suggestion to run

Code:

/usr/sbin/update-ca-certificates --fresh

which solved an entirely different issue for me (connection problem using a VLC addon) ...

Since certificates from letsencrypt have a relatively short lifetime, maybe more servers are out there with certificates being renewed quite often. To accommodate this, should we be running update-ca-certificates as a matter of course - even regularly via a cron job?

chris

Skaendo · 02-13-2019, 05:14 PM

Just to give a update on my original issue where I was having problems with Liferea which is why I wanted to try and update the certs in the first place, it seems that it might have been a issue with either Liferea itself or something I did to my Slackware install.

I first removed Liferea and switched over to QuiteRSS and have not had any issues since. Also, very recently I did a reinstall of Slackware 14.2 on my daily rig here, and have not tested Liferea since I have been fairly happy with QuiteRSS. So it could possibly have been either one of those things.

abga · 02-13-2019, 05:58 PM

Quote:

Originally Posted by chris.willing

Further to @abga's suggestion to run

Code:

/usr/sbin/update-ca-certificates --fresh

which solved an entirely different issue for me (connection problem using a VLC addon) ...

Since certificates from letsencrypt have a relatively short lifetime, maybe more servers are out there with certificates being renewed quite often. To accommodate this, should we be running update-ca-certificates as a matter of course - even regularly via a cron job?

chris

There is already a script, executed by crond everyday, that should warn about the certificates expiration, but I'm not sure it's working right. Inspected it some time ago and played with it even now and still not sure if it actually works, as it looks for some unavailable patterns in /etc/ssl/certs/ca-certificates.crt
This script is /etc/cron.daily/certwatch and it might have been designed for older /etc/ssl/certs/ca-certificates.crt formats.

Nevertheless, you can use it (instead of writing a new one) and add the following line to the end of the script:

Code:

/usr/sbin/update-ca-certificates --fresh 2>&1 | /usr/bin/logger -t "Certificates Update:"