================================================================= Package Settings =================================================================
www-client/lynx-2.8.9_pre11::gentoo was built with the following:
USE="bzip2 gnutls idn ipv6 nls ssl unicode -cjk -libressl" ABI_X86="64"

$ lynx https://www.gentoo.org/
=> SSL error:The certificate is NOT trusted. The certificate issuer is unknown. -Continue? (n)

It works when you set "SSL_CERT_FILE", i.e.

$ SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt lynx https://www.gentoo.org/

So please uncomment the SSL_CERT_FILE line in lynx.cfg so that the default system certificate store is also used when using the GNUtls SSL backend.
Changing to security audit
(In reply to Kristian Fiskerstrand from comment #1)
> Changing to security audit

Actually, that might have been premature: is it using a non-synchronized CA store, or just not using any store at all? (The latter isn't a security issue anyhow.)
Created attachment 599472 [details, diff]
uncomment certificate store

Virtually every distro out there (including Gentoo) puts the system certificate store in /etc/ssl/certs/ca-certificates.crt. The only exception I've ever seen is RHEL6, where I'd just put in a symbolic link for my programs to work on that platform anyway. This patch just uncomments the default setting, fixing the issue where Lynx can't validate certs by default on Gentoo. I've tested this on my machine and it works.
`lynx https://www.gentoo.org/` seems to just work for me on lynx-.2.9.0_pre6.

Closing as OBSOLETE. Please reopen or file a new bug if it's still broken for you.
Nothing has changed for me with lynx-.2.9.0_pre6.

Trying to access https://www.gentoo.org/ fails with

> SSL error:The certificate is NOT trusted. The certificate issuer is unknown. -Continue? (n)
(In reply to Thomas Deutschmann from comment #5)
> Nothing has changed for me with lynx-.2.9.0_pre6.
>
> Trying to access https://www.gentoo.org/ fails with
>
> > SSL error:The certificate is NOT trusted. The certificate issuer is unknown. -Continue? (n)

This does not happen for me with

[ebuild R ~] www-client/lynx-2.9.0_pre6::gentoo USE="bzip2 gnutls* idn* ipv6 nls ssl (unicode) -cjk -libressl" 0 KiB

which might be a hint that the problem is not in lynx itself. Please provide emerge --info and build.log. I'll try to check if my environment differs somehow.

My net-libs/gnutls flags are:

net-libs/gnutls-3.6.15::gentoo was built with the following:
USE="cxx guile idn nls openssl seccomp tls-heartbeat -dane -doc -examples -pkcs11 -sslv2 -sslv3 -static-libs -test (-test-full) -tools -valgrind" ABI_X86="32 (64) (-x32)"
(In reply to Sergei Trofimovich from comment #6)
> (In reply to Thomas Deutschmann from comment #5)
> > Nothing has changed for me with lynx-.2.9.0_pre6.
> >
> > Trying to access https://www.gentoo.org/ fails with
> >
> > > SSL error:The certificate is NOT trusted. The certificate issuer is unknown. -Continue? (n)

Oh, things work for me only because `SSL_CERT_FILE` is set in my .bashrc.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f311f22b27bf4a70aaa5e28491e3867acceca366

commit f311f22b27bf4a70aaa5e28491e3867acceca366
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-01-27 08:28:29 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-01-27 08:28:42 +0000

    www-client/lynx: use cert trust store for USE=gnutls

    lynx[gnutls] uses gnutls openssl compatibility API. The compatibility
    API is not intended to be a close implementation. Specifically it does
    not configure any default SSL stores and just uses NULL by default (no
    store).

    The change embeds default trust store path matching Gentoo's gnutls
    (and openssl) default: /etc/ssl/certs/ca-certificates.crt

    Reported-by: Thomas Deutschmann
    Closes: https://bugs.gentoo.org/604526
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 www-client/lynx/lynx-2.9.0_pre6-r1.ebuild | 105 ++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
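As an added example (not part of this bug report or of the Gentoo commit), a small POSIX shell audit for the configuration problem the thread describes: it reports whether a lynx.cfg still leaves the SSL_CERT_FILE directive commented out (so the GnuTLS backend ends up with no trust store) and, when the directive is active, whether the store it points at is actually readable. It assumes lynx.cfg's `KEY:value` line syntax; the sample configs and stand-in store file are constructed in a temporary directory, not taken from a real system.

```shell
# Return 0 if the lynx.cfg in $1 has an uncommented SSL_CERT_FILE line.
# Assumes lynx.cfg's "KEY:value" syntax; a leading '#' leaves the default
# (no store) in place, which is the situation reported in the bug.
lynx_cfg_sets_cert_file() {
    grep -Eq '^[[:space:]]*SSL_CERT_FILE:' "$1"
}

# Print the path from the last active SSL_CERT_FILE line (empty if none).
lynx_cfg_cert_path() {
    sed -n 's/^[[:space:]]*SSL_CERT_FILE:[[:space:]]*//p' "$1" | tail -n 1
}

# Audit verdict for one lynx.cfg:
#   commented    - directive still commented out, backend gets no store
#   missing-file - directive active but the store file is not readable
#   ok           - directive active and the store is present
audit_lynx_cfg() {
    if ! lynx_cfg_sets_cert_file "$1"; then
        echo commented
        return
    fi
    p=$(lynx_cfg_cert_path "$1")
    if [ -r "$p" ]; then echo ok; else echo missing-file; fi
}

# Constructed sample configs (not real Gentoo files) exercising each verdict.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shipped.cfg" <<'EOF'
# Upstream default: commented out, so the GnuTLS backend gets no store.
#SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
EOF
: > "$demo_dir/ca-certificates.crt"   # stand-in for the system store
cat > "$demo_dir/fixed.cfg" <<EOF
SSL_CERT_FILE:$demo_dir/ca-certificates.crt
EOF
cat > "$demo_dir/dangling.cfg" <<'EOF'
SSL_CERT_FILE:/nonexistent/ca-certificates.crt
EOF

# Convenience wrapper: verdict for one of the constructed configs by name.
demo_verdict() {
    audit_lynx_cfg "$demo_dir/$1.cfg"
}

for name in shipped fixed dangling; do
    printf '%s: %s\n' "$name" "$(demo_verdict "$name")"
done
```

Point it at a real system with `audit_lynx_cfg /etc/lynx/lynx.cfg` (the path varies by distribution); a `commented` verdict is the state the bug describes, while `missing-file` means the directive was enabled but the referenced store is absent.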