After today's update on ca-certificates the following error occurred
sudo pacman -Syy
[sudo] password for becoming_i:
:: Synchronizing package databases...
error: failed retrieving file 'core.db' from archlinux32.agoctrl.org : SSL certificate problem: certificate rejected
error: failed retrieving file 'core.db' from archlinux32.vollzornbrot.de : SSL certificate problem: certificate rejected
error: failed retrieving file 'core.db' from archlinux32.vollzornbrot.de : SSL certificate problem: certificate rejected
core 152.8 KiB 283 KiB/s 00:01 [######################################] 100%
error: failed retrieving file 'extra.db' from archlinux32.agoctrl.org : SSL certificate problem: certificate rejected
error: failed retrieving file 'extra.db' from archlinux32.vollzornbrot.de : SSL certificate problem: certificate rejected
error: failed retrieving file 'extra.db' from archlinux32.vollzornbrot.de : SSL certificate problem: certificate rejected
extra 1980.4 KiB 469 KiB/s 00:04 [######################################] 100%
error: failed retrieving file 'community.db' from archlinux32.agoctrl.org : SSL certificate problem: certificate rejected
error: failed retrieving file 'community.db' from archlinux32.vollzornbrot.de : SSL certificate problem: certificate rejected
error: failed retrieving file 'community.db' from archlinux32.vollzornbrot.de : SSL certificate problem: certificate rejected
community 4.7 MiB 315 KiB/s 00:15 [######################################] 100%
also the output of
sudo pacman -Qkk ca-certificates
gave me this
ca-certificates: 0 total files, 0 altered files
any ideas or a potential fix?
Offline
Yes reproduced here, at least as far as the last test. I'll have to wait for some new package to become ready to download before I can reproduce the former issue, but at the present time it seems likely to be problematic.
For reference the ca-certificates package depends on ca-certificates-mozilla, which in turn depends on ca-certificates-utils. Seems the ca-certificates package is just provided for convenience.
On second inspection: It does seem that it succeeds in the end, after some certificate errors on your system. Can you confirm this? My system at least manages to download all of my currently selected mirrors at least as far as their modification date, and stops downloading them because they are new enough, but I'm not sure if this requires a good certificate or not.
Further edit: Now I've tested now most stuff's been pushed into the community repos. Nothing I personally use, but it downloaded the repo lists without error making me doubt my ability to reproduce your error report now. I do only use https repos in my mirrorlist, but they seem to be accepted without error. My first entry is mirror.archlinux32.org, for the ease of reproducibility, what's yours?
FWIW when I last scored my mirrorlist using rankmirrors, it found the vollzornbrot.de server to be unreachable, but the agoctrl.de got selected although placed third on my list of mirrors so not used when the first one worked fine.
Last edited by levi (2020-01-25 02:44:21)
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
Offline
FWIW what do you get when you go to http://archlinux32.agoctrl.org/ in your browser? That site works for me still, which suggests it should work in pacman as well.
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
Offline
You have to downgrade ca-certificates-mozilla. The CA certificates are completely borked or missing.
No SSL is working otherwise, also not in pacman, so this shows the importance of HTTP-only mirrors. :-)
I wonder what went wrong. I just remember I had this problem during bootstrapping i486 with the system certs and/or nss (which is used to rebuild the cert stores and also to create the certificates in the first place presumably).
Offline
Hope I fixed it. I made an announcement https://bbs.archlinux32.org/viewtopic.php?pid=236.
If you still experience problems, please report.
Offline
Hmm, I have no problems with https domains. If I did I'd have trouble even with the rss feed of this site's news posts I suspect, but I've no suggestions for a way round that. This site auto upgrades http connections to https it seems.
Yep, just did a fresh update, and while it updates python from https servers, there was no newer cacertificates or similar package waiting for me, so I'm pretty sure I'm on the newest one. For reference, I'm on ca-certificiates-mozilla version 3.47.1-2 built yesterday lunchtime. Hmm, is that the fixed version?
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
Offline
I'm on ca-certificates-mozilla 3.49.1-2.0.
But I also have a hunch it's not the version of ca-certificates-mozilla alone,
also nss and p11-kit have to be up-to-date, otherwise
the pacman hook might produce broken certs again
(p11-kit 0.23.19-1.0, nss 3.49.1-2.0).
But I'm no certificate expert, especially not in the dark corners of Netscape security. :-)
Offline
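A structural check for the "broken or missing certs" condition discussed above, run against the CA bundle after the pacman hook has regenerated it. This is an added example, not part of any post in this thread; the function names are made up for illustration, and the bundle path in the usage comment is the usual Arch location, assumed here.

```shell
#!/bin/sh
# Structural sanity check of a PEM CA bundle. It does not verify signatures
# or trust; it only detects a missing, empty, or truncated/garbled bundle.
# Usage (path is an assumption, adjust to your system):
#   sh check-bundle.sh /etc/ca-certificates/extracted/tls-ca-bundle.pem

# check_bundle FILE: prints one status word, returns 0 only for "ok".
check_bundle() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    [ -s "$f" ] || { echo empty; return 1; }
    awk '
        # A BEGIN marker while a block is still open means a lost END marker.
        /^-----BEGIN CERTIFICATE-----/ { if (inblk) bad = 1; inblk = 1; body = 0; next }
        # An END marker must close an open block that had base64 content.
        /^-----END CERTIFICATE-----/ {
            if (!inblk || body == 0) bad = 1; else n++
            inblk = 0; next
        }
        # Inside a block only base64 lines are allowed.
        inblk { if ($0 ~ "^[A-Za-z0-9+/=]+$") body++; else bad = 1 }
        END {
            if (inblk || bad) { print "malformed"; exit 1 }
            if (n == 0)       { print "no-certs";  exit 1 }
            print "ok"
        }' "$f"
}

# count_certs FILE: number of certificate blocks that start in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Report on every file given on the command line (nothing happens without arguments).
for f in "$@"; do
    printf '%s: %s (%s certificate blocks)\n' \
        "$f" "$(check_bundle "$f")" "$(count_certs "$f")"
done
```

A result other than "ok" right after an update of ca-certificates-mozilla, nss or p11-kit points at the store regeneration rather than at the mirrors.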
Sorry, yes, my version of ca-certificates-mozilla is 3.49.1-2.0 as well. Not sure how I didn't miss those typos above. I seem to have identical versions to p11-kit and nss as you and I've not experienced any service interruption yet. Perhaps I was lucky.
Edit: I'd have thought if p11-kit or nss were broken you'd get more serious errors than just 'we can't trust this site', but the module descriptions don't inspire me with confidence that I understand how it all fits together even at a high level.
Last edited by levi (2020-01-26 18:31:01)
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
Offline