Certbot - Could not find a suitable TLS CA certificate bundle [Archlinux] - ssl

I'm trying to generate a certificate from Let's Encrypt over certbot (package ver. 0.21.1.-1), but I'm getting an error. I'm using the webroot module.
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/certs/ca-certificates.crt
I don't have a file with this filename there. Should I generate it, or download it?

Maybe /etc/ssl/certs/ca-certificates.crt does not exist.
Try running sudo update-ca-certificates to create it.

I ended up doing cd /etc/ssl/certs followed by cat *.pem >> ca-certificates.crt
Not the most elegant solution, and you'll have to delete the file and redo it every time the ca-certificates package (or its dependents) updates...

Try running sudo pacman -S ca-certificates to install the core certificates.

For me, update-ca-trust did the trick.

It happens because the original ca-certificates.crt file is missing.
In my case, I removed it when adding a new certificate file containing my website.com as a CN (Common Name). Fortunately, I had a backup copy of that file.
If you have that file, just put it again in the directory:
/etc/ssl/certs/ca-certificates.crt
Or try to add a new one with the same name.

Related

server certificate verification failed while installing Kubernetes on Ubuntu 16.04

I'm setting up a Kubernetes cluster and as part of that, I ran the following command (mentioned in the official docs: https://kubernetes.io/docs/tasks/tools/install-kubectl/):
sudo apt-get update && sudo apt-get install -y apt-transport-https
However, it fails with the following error:
Err:3 https://packages.cloud.google.com/apt kubernetes-xenial/main amd64 Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Now, I fetch the certificate with this command:
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect packages.cloud.google.com:443) -scq > kubecertificate.crt
I get the following response:
verify error:num=20:unable to get local issuer certificate
DONE
But since I see content inside my kubecertificate.crt file, I go ahead and copy the certificate into the /usr/local/share/ca-certificates/ directory.
Then I run:
update-ca-certificates
After updating my ca certificates bundle, I re run the first command mentioned.
It again fails with the server certificate verification failed error.
Please help me understand where I am going wrong. Is it because I'm unable to get the local issuer certificate? Please help.
Are you using an i386 image, or is there some firewall involved? If it is the 64-bit version of Xenial then it must be some kind of system issue.
Take a look at this case. In particular I would check the current system time with date -R and apt-get install NTP as advised by #davidthings, as I remember having a similar problem. There are also a lot of different solutions which could help, listed in the linked case; check which one is applicable for you and update if you succeeded.
After that you can try this, to download kubectl, kubelet and kubeadm (or edit it accordingly if you want just one):
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg |
apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl

Github unable to access SSL connect error

I have been using git a lot for the last few months. git push worked 12 hours ago; now all attempts generate errors. With verbose output it produces this:
GIT_CURL_VERBOSE=1 git push
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.253.112... * Connected to github.com (192.30.253.112) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190
* Expire cleared
* Closing connection #0
fatal: unable to access 'https://github.com/waveney/wmff/': SSL connect error
Any bright ideas? No changes to the server from when it worked to now; a restart made no difference.
I was having the same problem on various CentOS 6 VMs and it turned out to be an issue with stale curl and nss libraries (thanks to this thread for pointing me in the right direction: cURL SSL connect error 35 with NSS error -5961).
The fix that worked for me is just:
yum update -y nss curl libcurl
yum update -y worked for me to fix a fatal error when running git clone.
Had the same experience as OP, occurring for the same reasons (Github's crypto removal notice of TlsV1, along with using a machine with a very old linux + git).
FWIW, if you find yourself on a very old version of linux, but you're stubbornly adamant you don't want to upgrade to a newer version of linux (and hence instantly get a newer Git and all its deps), you could try to build a newer Git, along with its dependencies, from source.
It's a time-consuming and painful path, and probably upgrading your linux is easier than this, but oh well, I just wanted to stick with my old linux.
I jotted a few notes of my attempt, hopefully it will help anyone that braves this path:
Git depended on openssl and curl, so I had to build those too
I had to upgrade my version of cmake in order to build the newer curl (building cmake took about 2-3 hours)
The newer cmake required me to build a newer gcc (which took about 21 hours to build on my old machine!)
Once I had cmake, I could build curl, but it referenced an older version of openssl (which did not have the newer TlsV1.2)
So I had to build a newer openssl, then followed by building curl (doing my utmost to assure the build referenced this newer openssl)
Then I could build Git, again, doing my best to assure it referenced the newer openssl and curl
I found myself repeatedly using "ldd" to confirm the referenced libraries, as on many occasions, the build would reference the wrong one, and I'd have to figure out how to enforce my desired path.
Some examples of this were:
# ldd /opt/git-2.27.0/libexec/git-core/git-http-fetch | grep -E "libssl|libcrypto|libcurl"
libcurl.so => /usr/local/lib/libcurl.so (0x00aed000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00e86000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00893000)
This helped me confirm 'git-http-fetch' was making use of my newer curl (at /usr/local/lib, and not /usr/lib), and my newer openssl (at /usr/local/ssl/lib, and not /usr/lib).
$ ldd /usr/local/bin/curl | grep -E "libssl|libcrypto"
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00110000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x0016f000)
This helped me confirm that my new 'curl' was referencing newer openssl (at /usr/local/ssl/lib, and not /usr/lib)
To enforce these paths, Git lets you set these env-vars prior to building:
OPENSSLDIR=/usr/local/ssl/
CURLDIR=/usr/local/
For curl, I had to pass the openssl path via cmake:
cmake -DOPENSSL_ROOT_DIR=/usr/local/ssl .
For cmake, it also referenced openssl, and I passed that path across on its 'bootstrap' step:
./bootstrap --prefix=/opt/cmake-3.17.3 -- -DOPENSSL_ROOT_DIR=/usr/local/ssl
Apologies for the answer being all over the place. I can flesh it out with more detail if there is a request for it, but given that it's taken me about a week to sort this out, I think most people will prefer the sane path of just upgrading your linux.

How to add Certificate Authority file in CentOS 7

I am trying to add a Certificate Authority (CA) file named ca.crt to /etc/ssl/certs; for that I followed this article.
I copied my ca.crt file to /etc/pki/ca-trust/source/anchors/ and ran the command below:
update-ca-trust extract
After that I checked /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file, but I didn't find my CA.
I am not able to figure out what may be the problem.
What am I doing wrong and how can I fix it?
Copy your certificates inside
/etc/pki/ca-trust/source/anchors/
then run the following command:
update-ca-trust
Find the *.pem file and place it in the anchors sub-directory, or simply link the *.pem file there.
yum install -y ca-certificates
update-ca-trust force-enable
sudo ln -s /etc/ssl/your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust
Your CA file must have been in a binary X.509 format instead of Base64 encoding; it needs to be a regular DER or PEM in order for it to be added successfully to the list of trusted CAs on your server.
To proceed, place your CA file inside your /usr/share/pki/ca-trust-source/anchors/ directory, then run the command line below (you might need sudo privileges based on your settings):
# CentOS 7, Red Hat 7, Oracle Linux 7
update-ca-trust
Please note that all trust settings available in the /usr/share/pki/ca-trust-source/anchors/ directory are interpreted with a lower priority compared to the ones placed under the /etc/pki/ca-trust/source/anchors/ directory which may be in the extended BEGIN TRUSTED file format.
For Ubuntu and Debian systems, /usr/local/share/ca-certificates/ is the preferred directory for that purpose.
As such, you need to place your CA file within the /usr/local/share/ca-certificates/ directory, then update the list of trusted CAs by running, with sudo privileges where required, the command line below:
update-ca-certificates
QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
add it as a new file to directory /etc/pki/ca-trust/source/anchors/
run update-ca-trust extract
QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
add it as a new file to directory /etc/pki/ca-trust/source/
run update-ca-trust extract
For more detailed information see man update-ca-trust.
Maybe late to the party but in my case it was RHEL 6.8:
Copy certificate.crt issued by hosting to:
/etc/pki/ca-trust/source/anchors/
Then:
update-ca-trust force-enable (ignore not found warnings)
update-ca-trust extract
Hope it helps
Complete instructions are as follows:
Extract Private Key from PFX
openssl pkcs12 -in myfile.pfx -nocerts -out private-key.pem -nodes
Extract Certificate from PFX
openssl pkcs12 -in myfile.pfx -nokeys -out certificate.pem
install certificate
yum install -y ca-certificates
cp your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust
update-ca-trust force-enable
Hope this is useful.

Phoenix can't find SSL key even though it exists at location

When attempting to run my app in production mode (after successfully compiling):
MIX_ENV=prod mix phoenix.server
I'm getting the following error:
** (EXIT) an exception was raised:
** (ArgumentError) could not start Cowboy adapter, the file /etc/letsencrypt/live/nhby.in/privkey.pem required by SSL's :keyfile does not exist
However that key does actually exist, at that location:
$ sudo ls /etc/letsencrypt/live/nhby.in/
cert.pem chain.pem fullchain.pem privkey.pem
The key location is defined in the config as per the docs:
keyfile: Path.expand("../../../../etc/letsencrypt/live/nhby.in/privkey.pem", __DIR__)
What's going wrong here?
It's long and not pretty, but it works:
sudo HELLO_WORLD_SSL_KEY_PATH="/etc/letsencrypt/live/example.com/privkey.pem" HELLO_WORLD_SSL_CERT_PATH="/etc/letsencrypt/live/example.com/cert.pem" HELLO_WORLD_SSL_CA_PATH="/etc/letsencrypt/live/example.com/chain.pem" PORT=4000 SECRET_KEY_BASE=tLWwWJ1KMQmtkjZjJ56oTPeP5o5Or23I0UMCskyvKxVvcylsayrCJ3N0soaB3KuQ MIX_ENV=prod mix phx.server

SSL CA cert (path? access rights?)

I am using CentOS 6.6 64-bit, and have a problem when using curl. The server primarily hosts several WordPress blogs using Apache and MySQL.
My simplest means to generate the error is with the following yum command, which outputs the below:
yum list "ca-certi*"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
14: PYCURL ERROR 77 - "Problem with the SSL CA cert (path? access rights?)"
* base: cosmos.cites.illinois.edu
* epel: mirror.cogentco.com
* extras: mirrors.rit.edu
* updates: mirrors.rit.edu
Installed Packages
ca-certificates.noarch 2014.1.98-65.1.el6 #base
Solutions tried that failed so far, based on googling around:
1) I have tried restarting the VPS, no good
2) Executing curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt without any luck
3) This solution was no good at all, as it relies on yum to solve the SSL problem that yum also suffers http://syslint.com/syslint/curl-77-problem-with-the-ssl-ca-cert-path-access-rights-solved/
Can I run these yum steps to install with wget instead? Do you think it would help?
# yum reinstall ca-certificates
# yum reinstall openssl
I think virtualmin had installed some updates in the last 24 hours, is there a log of updates it ran somewhere?
Can anyone please help get around this "Problem with the SSL CA cert (path? access rights?)" problem.
TIA
Easier solution for CentOS 6/7: remove the CA bundle and reinstall the certificates.
rm -f /etc/ssl/certs/ca-bundle.crt && yum reinstall -y ca-certificates
The problem is that if you only reinstall the certs, it won't replace ca-bundle; it leaves the new one with a .rpmnew name.
This worked for me:
CentOS 6
mkdir /usr/src/ca-certificates && cd /usr/src/ca-certificates
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm
rpm2cpio ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm | cpio -idmv
cp -pi ./etc/pki/tls/certs/ca-bundle.* /etc/pki/tls/certs/
Answer yes to override.
To check:
curl -vvv https://www.unixy.net
Solution from here
https://www.virtualmin.com/node/35857
nss-softokn breaks yum/rpm in CentOS 6. In order to fix it, do the following:
wget http://mirror.centos.org/centos/6/updates/x86_64/Packages/nss-softokn-fr...
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
cd lib64
cp libfreeblpriv3.* /lib64
yum update # sync new repo package
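A small check for the situations the threads above describe (the Arch and CentOS 7 questions about a missing bundle or a file dropped into an anchors directory, and the CentOS 6 answer about yum leaving a ca-bundle.crt.rpmnew beside a stale bundle). This is an added example, not code from any of the answers; the bundle paths are the ones named in the threads, the sample PEM is constructed, and the format check is structural only (PEM versus DER), not a signature or chain check.

```python
import base64
import binascii
import os
import ssl

# Bundle paths named in the threads above; Python's own default is tried last.
CANDIDATE_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",                       # Debian, Ubuntu, Arch
    "/etc/pki/tls/certs/ca-bundle.crt",                         # RHEL/CentOS
    "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt",  # RHEL/CentOS ca-trust
]
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

def find_bundle(candidates=CANDIDATE_BUNDLES):
    """First existing bundle path, else the cafile OpenSSL was built with, else None."""
    paths = list(candidates) + [ssl.get_default_verify_paths().cafile or ""]
    return next((p for p in paths if p and os.path.isfile(p)), None)

def stale_rpmnew(candidates=CANDIDATE_BUNDLES):
    """Bundles that yum reinstall left a fresh .rpmnew copy beside instead of replacing."""
    return [p for p in candidates if os.path.isfile(p + ".rpmnew")]

def classify(data):
    """Return (kind, count, problems): kind is 'der', 'pem' or 'unknown', count is the
    number of PEM blocks, problems lists blocks whose body is not a DER SEQUENCE."""
    if data[:1] == b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        return "der", 1, []
    count, problems, rest = 0, [], data
    while (start := rest.find(PEM_BEGIN)) >= 0:
        stop = rest.find(PEM_END, start)
        if stop < 0:
            problems.append(f"block {count + 1}: BEGIN without END")
            break
        count += 1
        try:  # non-base64 bytes such as newlines are skipped; only bad padding raises
            der = base64.b64decode(rest[start + len(PEM_BEGIN):stop])
        except binascii.Error:
            der = b""
        if der[:1] != b"\x30":
            problems.append(f"block {count}: body is not a DER SEQUENCE")
        rest = rest[stop + len(PEM_END):]
    return ("pem" if count else "unknown"), count, problems

# Constructed sample: block 1 wraps a minimal DER SEQUENCE (not a real certificate),
# block 2 is junk, so a real bundle check would reject it.
SAMPLE_BUNDLE = (PEM_BEGIN + b"\nMAMCAQE=\n" + PEM_END + b"\n"
                 + PEM_BEGIN + b"\n!!!!\n" + PEM_END + b"\n")
```

Run find_bundle() and stale_rpmnew() on the affected host, and classify(open(path, "rb").read()) on any file before copying it into an anchors directory.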