After upgrading to app-misc/ca-certificates-20140223 I cannot access launchpad.net anymore, e.g. trying to emerge x11-terms/terra I get

 * bzr branch start -->
 * repository: lp:terra => /usr/portage/distfiles/bzr-src/terra
See `bzr help ssl.ca_certs` for how to specify trusted CA certificates.
Pass -Ossl.cert_reqs=none to disable certificate verification entirely.
bzr: ERROR: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Stepping back to app-misc/ca-certificates-20130906 returns state to 'normal', i.e., I can access launchpad again.
Similar problems here. Some sites are failing. Example:

$ wget 'https://twitch.tv'
--2014-03-15 18:07:06--  https://twitch.tv/
Resolving twitch.tv... 192.16.71.171
Connecting to twitch.tv|192.16.71.171|:443... connected.
ERROR: cannot verify twitch.tv's certificate, issued by '/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':
  Self-signed certificate encountered.
(In reply to Helmut Jarausch from comment #0)

launchpad.net looks like:

$ openssl s_client -host launchpad.net -port 443 -CApath /etc/ssl/certs </dev/null
CONNECTED(00000003)
depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com
verify error:num=19:self signed certificate in certificate chain
verify return:0

the ValiCert was in the last ca-certificates release, but it isn't in the current one. so where'd it go ?

ca-certificates is really just mozilla's (nss) database:
https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt

and if you look at the history:
https://hg.mozilla.org/projects/nss/rev/1cef53398ecf
https://bugzilla.mozilla.org/show_bug.cgi?id=936304

ValiCert was removed on purpose for being weak keys (only 1024 bits). however, it was later reverted:
https://hg.mozilla.org/projects/nss/rev/d793d89df060

although the plan is still to remove the certs long term.

(In reply to Nikos Chantziaras from comment #1)

twitch.tv also needs ValiCert to work.
i guess the question now is: have we outgrown Debian's ca-certificates package and should we start rolling our own (while still using their build tools). really, all they do is take the mozilla database and add the SPI (Software in the Public Interest) certificates. they used to add CAcert too, but have dropped it in this release. in the past, Gentoo also relied on CAcert.org to work. but i think we've migrated off that to certs that are in the mozilla database ? can infra team confirm that we no longer care about CAcert.org ?
actually, nm infra. i've convinced myself to add a ca-certificates that uses the same database as the nss package. which means i'll also add a USE flag to control the CAcert/SPI certs like we already have in the nss package.
(In reply to SpanKY from comment #4)
> actually, nm infra. i've convinced myself to add a ca-certificates that
> uses the same database as the nss package. which means i'll also add a USE
> flag to control the CAcert/SPI certs like we already have in the nss package.

Not following you here. Are we moving to https://fedoraproject.org/wiki/Features/SharedSystemCertificates ? Because the existing nssdb handling of certs blows.

-A
(In reply to SpanKY from comment #3)
> can infra
> team confirm that we no longer care about CAcert.org ?

None of our public services use CACert anymore, but we do have internal services using the CACert root.
(In reply to Alec Warner from comment #5)

the way Debian produces ca-certificates is to take the nss source code, run it through python, and produce a bunch of split out cert files. then they get installed into /etc.

my new ebuild, rather than taking Debian's precompiled version, will use Debian's scripts to do the nss->split files ourselves. this allows us to keep the nss & /etc/ssl cert stores better in sync. Debian picks versions from the mozilla mercurial tree, and does so too infrequently.

(In reply to Robin Johnson from comment #6)

i'm putting it behind IUSE=+cacert like we do with nss
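The nss certdata.txt to split-PEM conversion that comments #2 and #7 talk about, as an added Python 3 example; this is not Debian's certdata2pem.py and not the code from the Gentoo ebuild. It parses the certdata.txt object syntax (CKA_* attributes, MULTILINE_OCTAL blobs terminated by END), pairs each CKO_CERTIFICATE with its CKO_NSS_TRUST record by label, and only emits a PEM file for roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR. The input is a constructed excerpt with made-up certificate bytes and hypothetical labels; the "distrusted" entry shows why a root that Mozilla pulls or marks CKT_NSS_NOT_TRUSTED (as with ValiCert above) disappears from /etc/ssl/certs without any error on the rebuilding side.

```python
import base64
import os
import re
import shlex
import tempfile
from typing import Dict, List, Tuple

# Constructed excerpt in certdata.txt syntax. The CKA_VALUE octets are
# made up (not a real DER certificate); both labels are hypothetical.
CONSTRUCTED_CERTDATA = r"""
# comment and blank lines are ignored, as in the real certdata.txt
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\003\000
\001\002\003\004
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\004\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""

# Trust constants; the CKT_NETSCAPE_* spellings appear in older nss releases.
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
DISTRUSTED = {"CKT_NSS_NOT_TRUSTED", "CKT_NETSCAPE_UNTRUSTED"}


def parse_certdata(text: str) -> List[Dict[str, object]]:
    """Turn certdata.txt into a list of objects; each CKA_CLASS starts a new one."""
    objects: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = shlex.split(line)  # handles the quoted UTF8 labels
        name, typ = parts[0], parts[1]
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if typ == "MULTILINE_OCTAL":
            # Octal escapes (\060...) on following lines up to END form the DER blob.
            blob = bytearray()
            while i < len(lines) and lines[i].strip() != "END":
                blob.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", lines[i]))
                i += 1
            i += 1  # consume END
            current[name] = bytes(blob)
        else:
            current[name] = parts[2]
    return objects


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_bundle(text: str, purpose: str = "CKA_TRUST_SERVER_AUTH"
                 ) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return {label: pem} for roots trusted for `purpose`, plus (label, reason) skips."""
    objects = parse_certdata(text)
    trust = {o["CKA_LABEL"]: o for o in objects
             if o.get("CKA_CLASS") in ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")}
    trusted: Dict[str, str] = {}
    skipped: List[Tuple[str, str]] = []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label = str(o["CKA_LABEL"])
        record = trust.get(label)
        if record is None:
            skipped.append((label, "no trust record"))
        elif record.get(purpose) in TRUSTED:
            trusted[label] = der_to_pem(o["CKA_VALUE"])  # type: ignore[arg-type]
        elif record.get(purpose) in DISTRUSTED:
            skipped.append((label, "explicitly distrusted"))
        else:
            skipped.append((label, f"not a trust anchor for {purpose}"))
    return trusted, skipped


def write_split_files(trusted: Dict[str, str], out_dir: str) -> List[str]:
    """Write one .crt per trusted root, like the split files that land in /etc/ssl/certs."""
    paths = []
    for label, pem in trusted.items():
        path = os.path.join(out_dir, re.sub(r"[^A-Za-z0-9_.-]", "_", label) + ".crt")
        with open(path, "w") as fh:
            fh.write(pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    ok, dropped = split_bundle(CONSTRUCTED_CERTDATA)
    for p in write_split_files(ok, tempfile.mkdtemp()):
        print("wrote", p)
    for label, why in dropped:
        print("skipped", repr(label), "->", why)
```

The point of reporting the skipped list is that a rebuild from a new nss release never fails loudly when a root is withdrawn; diffing that list (or the set of .crt files) between two builds is how a reviewer notices a removal like ValiCert before users hit "certificate verify failed".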
should be all set now in the tree; thanks for the report!

Commit message: Support pulling the cert database out of a nss release
http://sources.gentoo.org/app-misc/ca-certificates/ca-certificates-20140223.3.15.5.ebuild?rev=1.1
http://sources.gentoo.org/app-misc/ca-certificates/ca-certificates-20140223.ebuild?r1=1.1&r2=1.2
http://sources.gentoo.org/app-misc/ca-certificates/metadata.xml?r1=1.1&r2=1.2
requires python 2.7 .. does not work with python 3.3 .. can the ebuild select python 2.7 as per:

eselect python list
Available Python interpreters:
  [1]   python2.7
  [2]   python3.3 *

derk@zlink1 ~ $ sudo eselect python set 1
Password:
derk@zlink1 ~ $ emerge -1 ca-certificates
Calculating dependencies... done!

>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-misc/ca-certificates-20140223.3.15.5
>>> Installing (1 of 1) app-misc/ca-certificates-20140223.3.15.5
>>> Jobs: 1 of 1 complete                           Load avg: 0.76, 0.56, 0.70
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.

 * GNU info directory index is up-to-date.

derk@zlink1 ~ $ sudo eselect python set 2
derk@zlink1 ~ $ emerge -1 ca-certificates
Calculating dependencies... done!

>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-misc/ca-certificates-20140223.3.15.5
>>> Failed to emerge app-misc/ca-certificates-20140223.3.15.5, Log file:
>>>  '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/temp/build.log'
>>> Jobs: 0 of 1 complete, 1 failed                 Load avg: 0.33, 0.42, 0.63

 * Package:    app-misc/ca-certificates-20140223.3.15.5
 * Repository: gentoo
 * Maintainer: base-system@gentoo.org
 * USE:        abi_x86_64 amd64 cacert elibc_glibc kernel_linux multilib userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking ca-certificates_20140223.tar.xz to /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work
>>> Unpacking nss-3.15.5.tar.gz to /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work
>>> Unpacking nss-3.14.1-add_spi+cacerts_ca_certs.patch to /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work
unpack nss-3.14.1-add_spi+cacerts_ca_certs.patch: file format not recognized. Ignoring.
>>> Source unpacked in /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work
>>> Preparing source in /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work ...
 * Applying nss-3.14.1-add_spi+cacerts_ca_certs.patch ...                                                   [ ok ]
 * Applying ca-certificates-20110502-root.patch ...                                                          [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work ...
make -j4 -C /var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work/ca-certificates/mozilla
make: Entering directory '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work/ca-certificates/mozilla'
python certdata2pem.py
  File "certdata2pem.py", line 73
    raise NotImplementedError, 'line_parts < 2 not supported.'
                             ^
SyntaxError: invalid syntax
Makefile:6: recipe for target 'all' failed
make: *** [all] Error 1
make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work/ca-certificates/mozilla'
 * ERROR: app-misc/ca-certificates-20140223.3.15.5::gentoo failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=app-misc/ca-certificates-20140223.3.15.5::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=app-misc/ca-certificates-20140223.3.15.5::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/temp/environment'.
 * Working directory: '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work/image'
 * S: '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work'

 * Messages for package app-misc/ca-certificates-20140223.3.15.5:

 * ERROR: app-misc/ca-certificates-20140223.3.15.5::gentoo failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=app-misc/ca-certificates-20140223.3.15.5::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=app-misc/ca-certificates-20140223.3.15.5::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/temp/environment'.
 * Working directory: '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work/image'
 * S: '/var/tmp/portage/app-misc/ca-certificates-20140223.3.15.5/work'
(In reply to Derk W te Bokkel from comment #9)

+  20 Mar 2014; Mike Gilbert <floppym@gentoo.org>
+  ca-certificates-20140223.3.15.5.ebuild:
+  Force usage of python 2.x during build.