Bug 597094

Summary:	dev-libs/libressl: unable to verify alternate chains
Product:	Gentoo Linux	Reporter:	Michelangelo Scopelliti <kernelpanic>
Component:	Current packages	Assignee:	Gentoo LibreSSL <libressl>
Status:	RESOLVED TEST-REQUEST
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/libressl-portable/portable/issues/80
See Also:	https://github.com/libressl-portable/portable/issues/80
Whiteboard:
Package list:		Runtime testing required:	---

Description Michelangelo Scopelliti 2016-10-14 07:49:21 UTC

fetching files for www-plugins/adobe-flash-23.0.0.185 fails with errors:

>>> Downloading 'https://fpdownload.adobe.com/pub/flashplayer/pdc/23.0.0.185/flash_player_ppapi_linux.i386.tar.gz'
--2016-10-14 09:23:10--  https://fpdownload.adobe.com/pub/flashplayer/pdc/23.0.0.185/flash_player_ppapi_linux.i386.tar.gz
Resolving fpdownload.adobe.com... 104.83.83.24
Connecting to fpdownload.adobe.com|104.83.83.24|:443... connected.
ERROR: cannot verify fpdownload.adobe.com's certificate, issued by ‘CN=Symantec
Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C
=US’:
  Unable to locally verify the issuer's authority.
To connect to fpdownload.adobe.com insecurely, use `--no-check-certificate'.
!!! Couldn't download 'adobe-flash-23.0.0.185.i386.tar.gz'. Aborting.

Downloading manually the files (via firefox) works; with wget and curl doesn't.

emerge --info

Portage 2.3.2 (python 2.7.12-final-0, default/linux/amd64/13.0, gcc-5.4.0, glibc-2.23-r2, 4.8.1 x86_64)
=================================================================
System uname: Linux-4.8.1-x86_64-AMD_A8-3870_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.3
KiB Mem:    15888068 total,  10589140 free
KiB Swap:   18874352 total,  18874352 free
Timestamp of repository gentoo: Fri, 14 Oct 2016 06:45:01 +0000
sh bash 4.4-r1
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
app-shells/bash:          4.4-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.0-r1::gentoo
dev-lang/python:          2.7.12::gentoo, 3.5.2::gentoo
dev-util/cmake:           3.6.2::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.22.2::gentoo
sys-apps/sandbox:         2.10-r2::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            5.4.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.7::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.europe.gentoo.org/gentoo-portage
    priority: -1000

kernelpanic
    location: /usr/local/portage
    masters: gentoo

libressl
    location: /var/lib/layman/libressl
    sync-type: laymansync
    sync-uri: https://github.com/gentoo/libressl.git
    masters: gentoo
    priority: 50

science
    location: /var/lib/layman/science
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/sci.git
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA @EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -mtune=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -mtune=native -O2 -pipe"
DISTDIR="/var/portage/distfiles"
FCFLAGS="-march=native -mtune=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -mtune=native -O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
INSTALL_MASK="/etc/systemd /usr/lib/systemd /usr/lib64/systemd"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl alsa amd64 ao berkdb blas bluetooth branding bzip2 cairo caps cli cracklib crypt cups curl cxx dbus djvu dri dts dv dvb dvd encode exif ffmpeg fftw flac fontconfig fortran gcj gdbm gif gimp gmp gpm gsm gstreamer iconv icu inotify ipv6 jbig jpeg jpeg2k lame lapack latex lcms libass libnotify libressl lzma lzo mad matroska mmap mms mmx mmxext mng modplug modules mp3 mpeg mpi multilib ncurses nls nptl nsplugin offensive ogg openexr opengl openmp pam pcre pdf png postscript raw readline scanner seccomp session smp sndfile sound sox speex sse sse2 ssl startup-notification svg theora threads tiff truetype udev unicode usb v4l vaapi vdpau vim-syntax vorbis wavpack wmf wxwidgets x264 xattr xcb xml xmp xpm xscreensaver xv xvid zlib" ABI_X86="32 64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" L10N="it en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="it en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_5" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby23" SANE_BACKENDS="xerox_mfp" USERLAND="GNU" VIDEO_CARDS="radeon r600" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2016-10-14 10:31:24 UTC

If your system can't verify that certificate, then downloading adobe-flash is the least of your worries.

Comment 2 Michelangelo Scopelliti 2016-10-14 12:58:51 UTC

(In reply to Jeroen Roovers from comment #1)
> If your system can't verify that certificate, then downloading adobe-flash
> is the least of your worries.

Your comment is somehow... unexpected.
Yes, 3 of my 5 systems which showed the issue have a problem, but it turns out is not limited to my systems. The other two weren't updated, and the problem showed up when upgrading from ca-certificates-20160104.3.27.1 to ca-certificates-20160104.3.23: 

ca-certificates-20160104.3.27.1 is not able to verify the issuer's authority, ca-certificates-20160104.3.23 is; downgrading fixes the issue, apparently.

Maybe the bug has to be renamed, or re-filed, but I think that closing it could be hasty.

What do you think?

Comment 3 NHO 2016-10-26 08:20:43 UTC

Had same problem, downgrading solved it. Trying with ca-certificates-20160104.3.27.1-r1 soon

Comment 4 NHO 2016-10-26 08:23:44 UTC

(In reply to jy6x2b32pie9 from comment #3)
> Had same problem, downgrading solved it. Trying with
> ca-certificates-20160104.3.27.1-r1 soon

New package broke it, again.
Also, I have similar errors when using `youtube-dl` and `go get` from https://go.googlesource.com/tools/
It's very weird. Could it be caused by the fact that I am located in Russia?

Comment 5 NHO 2016-10-26 16:26:33 UTC

(In reply to jy6x2b32pie9 from comment #4)
> (In reply to jy6x2b32pie9 from comment #3)
> > Had same problem, downgrading solved it. Trying with
> > ca-certificates-20160104.3.27.1-r1 soon
> 
> New package broke it, again.
> Also, I have similar errors when using `youtube-dl` and `go get` from
> https://go.googlesource.com/tools/
> It's very weird. Could it be caused by the fact that I am located in Russia?

Should be noted, that I use libressl.
Also, most likely related:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213210

Comment 6 NHO 2016-10-26 16:34:16 UTC

I will search more before commenting.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213226 and https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213210

But most importantly, problem is known and described upstream in totality:
https://github.com/libressl-portable/portable/issues/80

Comment 7 Michelangelo Scopelliti 2016-12-06 19:59:36 UTC

With my current setup:

ca-certificates-20161102.3.27.2-r2
libressl-2.5.0

(and adobe-flash-24.0.0.170)

the issue didn't show up anymore, at least for me

Comment 8 SpanKY gentoo-dev

2016-12-07 08:44:18 UTC

doesn't look like a bug in ca-certificates

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2018-04-20 16:02:10 UTC

Please re-test as this should no longer be an issue.

Comment 10 Michelangelo Scopelliti 2018-11-13 09:25:34 UTC

(In reply to Aaron Bauman from comment #9)
> Please re-test as this should no longer be an issue.

Tested. It works.