Opened 6 years ago

Closed 5 years ago

Last modified 4 years ago

#10016 closed bug (fixed)

[Haiku PM] wget certificate issue

Reported by: Giova84
Owned by: kallisti5
Priority: critical
Milestone: R1/beta1
Component: Applications/Command Line Tools
Version: R1/Package Management
Keywords: wget certificate issue
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All


On Haiku I use a bash script to check new emails on Gmail. This script uses wget to grab the feed from Gmail, and then uses "notify" to notify me if new mail is present. On the current branch of Haiku it works properly, but on Haiku PM I always get an error when wget is running:

~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass -O - > /boot/common/cache/tmp/gmail.tmp
--2013-09-24 23:10:28--
Connecting to||:443... connected.
ERROR: cannot verify's certificate, issued by `/C=US/O=Google Inc/CN=Google Internet Authority G2':
  Unable to locally verify the issuer's authority.
To connect to insecurely, use `--no-check-certificate'.

Instead, this is the correct process on current Haiku:

~> wget --secure-protocol=TLSv1 --user=$usr --password=$pass -O - > /boot/common/cache/tmp/gmail.tmp
--2013-09-24 23:13:03--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/xml]
Saving to: `STDOUT'

    [ <=>                              ] 351         --.-K/s   in 0s      

2013-09-24 23:13:03 (335 MB/s) - written to stdout [351]

Change History (12)

comment:1 Changed 6 years ago by bonefish

I suspect the cause of the issue is that the root CA certificates which were formerly installed in /boot/common have moved to /boot/system with PM and the old path was still used somewhere. With hrev46167 /boot/common is gone and various paths have been adjusted. So please check whether the issue is solved now.

comment:2 Changed 6 years ago by Giova84

hrev46179: this issue is still here.

comment:3 Changed 6 years ago by Giova84

Just for the record: this issue is still present in hrev46276.

comment:4 Changed 6 years ago by diver

Owner: changed from nobody to kallisti5
Platform: changed from x86 to All
Status: changed from new to assigned

AFAIK kallisti5 was going to fix it :-)

comment:5 Changed 5 years ago by kallisti5

Milestone: changed from R1 to R1/alpha5

comment:6 Changed 5 years ago by pulkomandy

The issue is the OpenSSL port looking for cert.pem, but we name the file CARootCertificates.pem. Possible fix part of this huge pull request:

Renaming the certificate file would also work.

comment:7 Changed 5 years ago by kallisti5

Priority: changed from normal to critical

Setting this to critical as PM uses a lot of https to pull SRC'es.

comment:8 Changed 5 years ago by kallisti5

Status: changed from assigned to in-progress

I have a patchset for 1.0.1h. Doing testing and will upload a new recipe over the next few days. Long term I'd like to see us move away from openssl as the code smells horrible (libressl is nice once the OpenBSD centric stuff is removed, or maybe Mozilla's nss).

comment:9 Changed 5 years ago by pulkomandy

... or GnuTLS, or PolarSSL, or CyaSSL. Who wants to write recipes for them?

comment:10 Changed 5 years ago by kallisti5

Found the source of this issue.

We are putting our CA certificate in /boot/system/data/ssl/ vs /boot/system/data/ssl/certs/

curl and wget were "fixed" via and

The wget hack to give this new path is a settings file... however, that won't be picked up by wget running within haikuporter as it is a chroot.

We need to see if moving the certificate to certs fixes the issue and enables us to drop the hacks.

comment:11 Changed 5 years ago by waddlesplash

Resolution: set to fixed
Status: changed from in-progress to closed

OpenSSL configuration was changed, fixing the problem on other apps (e.g. QupZilla).

comment:12 Changed 4 years ago by pulkomandy

Milestone: changed from R1/alpha5 to R1/beta1
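An added diagnostic sketch, not from the ticket or the Haiku project: it checks whether a CA store sits where OpenSSL's default lookup expects it (`cert.pem` or a hashed `certs/` directory under OPENSSLDIR), which is the mismatch comments 6 and 10 describe. The helper names `check_ca_store` and `openssl_dir` are hypothetical.

```shell
#!/bin/sh
# Added example. OpenSSL's default verify locations are
#   <OPENSSLDIR>/cert.pem   (single PEM bundle)
#   <OPENSSLDIR>/certs/     (directory of hash-named files, e.g. 1a2b3c4d.0)
# unless SSL_CERT_FILE / SSL_CERT_DIR override them.

# check_ca_store DIR (hypothetical helper)
# Prints one status word; returns 0 only if a default location is usable.
check_ca_store() {
    dir=$1
    # Case 1: the bundle exists under the name OpenSSL looks for.
    if [ -s "$dir/cert.pem" ] && grep -q 'BEGIN CERTIFICATE' "$dir/cert.pem"; then
        echo "bundle-ok"; return 0
    fi
    # Case 2: a hashed certificate directory is populated.
    if [ -d "$dir/certs" ] &&
       ls "$dir/certs" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo "hashdir-ok"; return 0
    fi
    # Case 3: certificates are present but under a name the default
    # lookup never opens (the situation described in comment 6).
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q 'BEGIN CERTIFICATE' "$f"; then
            echo "misnamed:$(basename "$f")"; return 1
        fi
    done
    echo "missing"; return 1
}

# openssl_dir (hypothetical helper): the OPENSSLDIR compiled into the
# openssl binary, or empty output if openssl is not installed.
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Check the directory given as $1, else the one reported by openssl.
target=${1:-$(openssl_dir)}
if [ -n "$target" ]; then
    echo "$target: $(check_ca_store "$target" || true)"
fi
```

A `misnamed:` result means verification fails with the default paths even though the root certificates are installed; renaming the file or changing the library's configured path are the two fixes discussed in the ticket.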