Opened 8 years ago

Closed 7 years ago

#7707 closed bug (fixed)

Github's SSL Cert does not work in Git/Wget

Reported by: jrabbit
Owned by: scottmc
Priority: blocker
Milestone: R1/alpha4
Component: Network & Internet
Version: R1/Development
Keywords: ssl, github
Cc: stippi, scottmc
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

https://gist.github.com/1032665 https://gist.github.com/1032667

Should just need to add the GoDaddy root certificate?

Change History (14)

comment:1 Changed 8 years ago by jrabbit

Steps to reproduce:

1. git clone https://github.com/libgit2/libgit2.git [Any https url]

Expected result: git cloning

Error: error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/libgit2/libgit2.git/info/refs

Problem is in Haiku's ssl certs.

Last edited 8 years ago by jrabbit

comment:2 Changed 8 years ago by mmadia

Priority: normal → blocker

Occurs in R1/A3 release candidate images. Given that we're expecting to migrate to git shortly after this release, setting this ticket as a blocker.

comment:3 Changed 8 years ago by mmadia

An example for wget's failure:

~/Desktop> wget https://dev.haiku-os.org/chrome/site/logo.png
--2011-06-17 21:16:09--  https://dev.haiku-os.org/chrome/site/logo.png
Resolving dev.haiku-os.org... 188.40.89.174
Connecting to dev.haiku-os.org|188.40.89.174|:443... connected.
ERROR: cannot verify dev.haiku-os.org's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA':
  Unable to locally verify the issuer's authority.
To connect to dev.haiku-os.org insecurely, use `--no-check-certificate'.

comment:4 Changed 8 years ago by jrabbit

This now affects all SSL-enabled command line tools, not just ones with GitHub's SSL.

comment:5 Changed 8 years ago by mmadia

Milestone: R1 → R1/alpha3

Could this be due to the /boot/common/ssl/certs/cacert.pem, which is included in WebPositive?

comment:6 Changed 8 years ago by mmadia

Cc: stippi scottmc added

comment:7 Changed 8 years ago by mmadia

From IRC, it appears that applications are looking in a different directory than where the certificate file is located.

~/Desktop> strace wget https://dev.haiku-os.org/chrome/site/logo.png | grep /boot/common
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libroot-addon-icu.so", true, 0x7ffecf24, 0x58) = 0x80006003 No such file or directory (23 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicudata.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (22 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicui18n.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (23 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicuio.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (21 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicule.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (19 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libiculx.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (1107 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicutu.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (23 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicuuc.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (24 us)
--2011-06-18 11:45:59--  https://dev.haiku-os.org/chrome/site/logo.png
Resolving dev.haiku-os.org... 188.40.89.174
Connecting to dev.haiku-os.org|188.40.89.174|:443... connected.
ERROR: cannot verify dev.haiku-os.org's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA':
  Unable to locally verify the issuer's authority.
To connect to dev.haiku-os.org insecurely, use `--no-check-certificate'.
[ 24726] _kern_open(0xffffffff, "/boot/common/data/cert.pem", 0x0, 0x0) = 0x80006003 (31 us)
[ 24726] _kern_open(0xffffffff, "/boot/common/settings/network/resolv.conf", 0x0, 0x0) = 0x00000003 (14 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/data/certs/ae8153b9.0", true, 0x7ffee558, 0x58) = 0x80006003 No such file or directory (29 us)
~/Desktop>

As a work-around,

cp /boot/common/ssl/certs/cacert.pem /boot/common/data/cert.pem

comment:8 Changed 8 years ago by mmadia

Could this simply be added to the Alpha 3 Release Addendum and call it a day?

command line applications fail on SSL secured sites

  • Error Message: ERROR: cannot verify <host>'s certificate, issued by `/C....':
  • Reproduction: wget https://... or git clone https://....
  • Resolution: The following commands will symlink the certificates file into the correct location.
      ln -sf /boot/common/ssl/certs/cacert.pem /boot/common/data/cert.pem
    

comment:9 Changed 8 years ago by jrabbit

I guess it could be postponed; anyone who'd be digging into CLI commands could find IRC or the addendum. Maybe a faster release of another Alpha could cover it.

comment:10 Changed 8 years ago by HaikuReactOSTrac

Should this ticket be moved to R1/beta1?

comment:11 Changed 8 years ago by mmadia

Owner: changed from nobody to scottmc
Status: new → assigned

comment:12 Changed 8 years ago by aperture

The problem is related to OpenSSL, not git or wget. OpenSSL locates itself under Gentoo standards (using haikuporter or Haiku) in /boot/common/data/ssl, while the regular cacert files are located in /boot/common/ssl, thus having the issue of not finding the right file.

Adding the line of code will fix the issue, but inevitably we still have two ssl files, one in the common directory, one in the data directory. The only folder in the common directory is certs with that cacert.pem file, suggesting it was a fix at some time. Since many applications depend on it (WebPositive, IRC), we cannot simply move it without causing disruption. OpenSSL can be configured to live in that folder, but OpenSSL imposes its own certs.pem file to look for, which I cannot see any configuration for in compiling the program. The most probable course of action is moving OpenSSL and having it recognize cacert as cert. wget and git would still work when OpenSSL is compiled and moved to /boot/common/ssl.

Last edited 8 years ago by aperture
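
The diagnosis from comment 7 and comment 12, as an added example that is not part of the ticket or of Haiku's code: it filters Haiku strace lines for failed CA-file lookups and reports the CA file and directory compiled into the local OpenSSL. The function names are hypothetical; the trace lines are copied from the strace output in comment 7.

```python
import re
import ssl

# Haiku strace line shape, as in comment 7:
#   [ pid] _kern_open(fd, "path", ...) = 0xRESULT ...
SYSCALL_RE = re.compile(
    r'\]\s+(_kern_open|_kern_read_stat)\([^,]+,\s*"([^"]+)".*?\)'
    r'\s*=\s*(0x[0-9a-fA-F]{8})')

# What an OpenSSL CA lookup touches: a bundle file (*.pem) or a
# subject-hash entry (8 hex digits + ".N") inside a certs directory.
CA_PATH_RE = re.compile(r'\.pem$|/certs/[0-9a-f]{8}\.\d+$')


def failed_ca_lookups(trace_lines):
    """Return (syscall, path) for each failed open/stat of a CA-looking path."""
    misses = []
    for line in trace_lines:
        m = SYSCALL_RE.search(line)
        if not m:
            continue
        call, path, result = m.groups()
        # Haiku status codes are negative on error, i.e. the top bit is set.
        if int(result, 16) & 0x80000000 and CA_PATH_RE.search(path):
            misses.append((call, path))
    return misses


def compiled_in_ca_paths():
    """CA file and directory this Python's OpenSSL was built to search."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile, paths.openssl_capath


# Lines copied from the strace output in comment 7.
TRACE = [
    '[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicuuc.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (24 us)',
    '[ 24726] _kern_open(0xffffffff, "/boot/common/data/cert.pem", 0x0, 0x0) = 0x80006003 (31 us)',
    '[ 24726] _kern_open(0xffffffff, "/boot/common/settings/network/resolv.conf", 0x0, 0x0) = 0x00000003 (14 us)',
    '[ 24726] _kern_read_stat(0xffffffff, "/boot/common/data/certs/ae8153b9.0", true, 0x7ffee558, 0x58) = 0x80006003 No such file or directory (29 us)',
]

if __name__ == "__main__":
    for call, path in failed_ca_lookups(TRACE):
        print(f"{call}: {path} not found")
    print("OpenSSL defaults for this interpreter:", compiled_in_ca_paths())
```

The two paths it reports for the trace are the ones the work-around in comment 7 and the symlink in comment 8 populate; the ICU library misses and the successful resolv.conf open are filtered out.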

comment:13 Changed 7 years ago by mmadia

Milestone: R1/alpha3 → R1/alpha4

comment:14 Changed 7 years ago by mmadia

Resolution: fixed
Status: assigned → closed

Curl, WebPositive, and a new certificates file were updated/added in hrev43758. New tickets can be opened if any additional optional packages fail to pick up the certificates file.
