Hello, I've checked my /etc/ssl dir, I have Thawte certificates. Seems that curl is getting crazy:

curl -I https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
curl: (60) Peer certificate cannot be authenticated with given CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

host git.kernel.org
git.kernel.org is an alias for git.us.kernel.org.
git.us.kernel.org has address 149.20.4.72

eix -I curl
[I] net-misc/curl
     Available versions:  7.21.4 (~)7.21.6 (~)7.21.7 (~)7.21.7-r2 (~)7.22.0 {ares gnutls idn ipv6 kerberos ldap libssh2 nss ssl static-libs test threads}
     Installed versions:  7.22.0(08:00:10 AM 09/20/2011)(ipv6 ldap libssh2 nss ssl threads -ares -gnutls -idn -kerberos -static-libs -test)
     Homepage:            http://curl.haxx.se/
     Description:         A Client that groks URLs

Reproducible: Always

Actual Results:
curl is unable to handle SSL certificate properly.

Expected Results:
well... should work ;).
Portage 2.1.10.28 (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.13-r4, 3.0.4by-tengu x86_64)
Found out what was the problem:

I installed thunderbird-bin, which wants curl to use "nss".
"nss" use blocks "gnutls" use...

Solution:
as I don't use thunderbird, I removed it, removed "nss" use from curl, and added "gnutls" instead.

Now my curl is working fine with tls/ssl hosts.
I wonder if you're seeing https://bugzilla.mozilla.org/show_bug.cgi?id=531160 here
*** Bug 389441 has been marked as a duplicate of this bug. ***
perhaps a dupe of bug 380119 ...
(In reply to comment #1)
> Found out what was the problem:
>
> I installed thunderbird-bin, which wants curl to use "nss".
> "nss" use blocks "gnutls" use...
>
> Solution:
> as I don't use thunderbird, I removed it, removed "nss" use from curl, and
> added "gnutls" instead.
>
> Now my curl is working fine with tls/ssl hosts.

I just tested this with curl-7.24.0 with the following flags:

USE="ipv6 ldap (multilib) nss ssl static-libs threads -ares -gnutls -idn -kerberos -ssh -test"

Then I removed nss and added gnutls

In both cases, curl -I https://git.kernel.org/ gave

HTTP/1.1 200 OK
Date: Sat, 24 Mar 2012 18:26:36 GMT
Server: Apache/2.2.22 (Fedora)
Content-Type: text/html; charset=utf-8

I wonder if this is related to bug #403619.
(In reply to comment #5)
> (In reply to comment #1)
> > Found out what was the problem:
> >
> > I installed thunderbird-bin, which wants curl to use "nss".
> > "nss" use blocks "gnutls" use...
> >
> > Solution:
> > as I don't use thunderbird, I removed it, removed "nss" use from curl, and
> > added "gnutls" instead.
> >
> > Now my curl is working fine with tls/ssl hosts.
>
> I just tested this with curl-7.24.0 with the following flags:
>
> USE="ipv6 ldap (multilib) nss ssl static-libs threads -ares -gnutls -idn
> -kerberos -ssh -test"
>
> Then I removed nss and added gnutls
>
> In both cases, curl -I https://git.kernel.org/ gave
>
> HTTP/1.1 200 OK
> Date: Sat, 24 Mar 2012 18:26:36 GMT
> Server: Apache/2.2.22 (Fedora)
> Content-Type: text/html; charset=utf-8
>
> I wonder if this is related to bug #403619.

Your testing is flawed, if you have ssl enabled it will default over nss and gnutls.
(In reply to comment #6)
> Your testing is flawed, if you have ssl enabled it will default over nss and
> gnutls.

Okay USE="-ssl -gnutls nss" hits it:

# curl -I https://git.kernel.org/ --trace -v
curl: (77) Problem with the SSL CA cert (path? access rights?)

Jory, is this a problem in nss?
(In reply to comment #7)
> (In reply to comment #6)
> > Your testing is flawed, if you have ssl enabled it will default over nss and
> > gnutls.
>
> Okay USE="-ssl -gnutls nss" hits it:
>
> # curl -I https://git.kernel.org/ --trace -v
> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
> Jory, is this a problem in nss?

@Anarchy, dev-libs/nss-3.13.3 from the mozilla overlay fixes it. Thanks. nss-3.13.3_pem.support patch did it.
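The thread traces the failure to curl's TLS backend and its CA bundle handling, not to the site's certificate. As an added diagnostic (not code from the bug thread, from Gentoo, or from the curl project), the script below reports which backend curl was built against, checks that the CA bundle curl will use is readable PEM, and, for an NSS build, checks for the PEM module; the module file name libnsspem.so and the /usr/lib64 location are assumptions, while curl -V and curl-config --ca are real curl interfaces.

```shell
#!/bin/sh
# Added diagnostic, not code from the bug thread or from Gentoo. It reports
# which TLS backend curl was built against and whether the CA bundle curl
# will use is a readable PEM file, so a (60) or (77) failure like the ones
# above can be traced to the build/CA setup rather than silenced with -k.

# Print the TLS library name found on the first line of `curl -V` output
# passed as $1, e.g. "... libcurl/7.22.0 NSS/3.12.11 zlib/1.2.5" -> NSS.
curl_tls_backend() {
    for tok in $(printf '%s\n' "$1" | sed -n '1p'); do
        case $tok in
            OpenSSL/*|NSS/*|GnuTLS/*|LibreSSL/*|BoringSSL/*|wolfSSL/*|mbedTLS/*)
                printf '%s\n' "${tok%%/*}"; return 0 ;;
        esac
    done
    printf 'none\n'; return 1
}

# Succeed when $1 is a readable file holding at least one PEM certificate.
# Exit code 77 above means the backend could not load the bundle at all
# (wrong path, permissions, or a backend that cannot read PEM).
ca_bundle_ok() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# An NSS-built curl reads PEM bundles only through NSS's PEM module. The
# file name libnsspem.so (looked up in $2) is an assumption taken from the
# Fedora nss-pem patches the thread refers to; $1 is the backend name.
nss_pem_module_ok() {
    [ "$1" != "NSS" ] && return 0
    [ -e "$2/libnsspem.so" ]
}

# Run the checks against the installed curl, then verify one host with the
# bundle passed explicitly (curl-config --ca prints the built-in path).
diagnose() {
    url=${1:-https://git.kernel.org/}
    backend=$(curl_tls_backend "$(curl -V)")
    bundle=$(curl-config --ca 2>/dev/null)
    echo "TLS backend: $backend"
    echo "CA bundle:   ${bundle:-none reported by curl-config}"
    ca_bundle_ok "$bundle" || echo "WARNING: CA bundle missing or not PEM"
    nss_pem_module_ok "$backend" /usr/lib64 \
        || echo "WARNING: NSS backend without libnsspem.so, PEM CA certs unusable"
    curl -sS -o /dev/null --cacert "$bundle" "$url"
    echo "curl exit status for $url: $?"
}

if [ "${1:-}" = "--run" ]; then diagnose "${2:-}"; fi
```

Run it as `sh check-curl-tls.sh --run [URL]`; a non-zero curl exit status together with a WARNING line points at the local build or bundle, which is where this bug was resolved.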
3.13.4 has support for pem, I will continue to support pem via fedora patches that are appropriate for gentoo.