Github's SSL Cert does not work in Git/Wget

[jrabbit]

​https://gist.github.com/1032665 ​https://gist.github.com/1032667

Should just need to add the godaddy root certificate?

[jrabbit]

Steps to reproduce: 1 . git clone ​https://github.com/libgit2/libgit2.git [Any https url] Expected result: git cloning

Error: error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing ​https://github.com/libgit2/libgit2.git/info/refs

Problem is in Haiku's ssl certs.

[mmadia]

Occurs in R1/A3 release candidate images. Given that we're expecting to migrate to git shortly after this release, setting this ticket as a blocker.

[mmadia]

An example for wget's failure:

~/Desktop> wget https://dev.haiku-os.org/chrome/site/logo.png
--2011-06-17 21:16:09--  https://dev.haiku-os.org/chrome/site/logo.png
Resolving dev.haiku-os.org... 188.40.89.174
Connecting to dev.haiku-os.org|188.40.89.174|:443... connected.
ERROR: cannot verify dev.haiku-os.org's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA':
  Unable to locally verify the issuer's authority.
To connect to dev.haiku-os.org insecurely, use `--no-check-certificate'.

[jrabbit]

This now affects all ssl-enabled command line tools not just ones with github's ssl.

[mmadia]

Could this be due to the /boot/common/ssl/certs/cacert.pem , which is included in WebPositive?

[mmadia]

From IRC, it appears that applications are looking in a different directory than where the certificate file is located.

~/Desktop> strace wget https://dev.haiku-os.org/chrome/site/logo.png | grep /boot/common
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libroot-addon-icu.so", true, 0x7ffecf24, 0x58) = 0x80006003 No such file or directory (23 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicudata.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (22 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicui18n.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (23 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicuio.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (21 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicule.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (19 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libiculx.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (1107 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicutu.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (23 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/lib/libicuuc.so.44", true, 0x7ffecea4, 0x58) = 0x80006003 No such file or directory (24 us)
--2011-06-18 11:45:59--  https://dev.haiku-os.org/chrome/site/logo.png
Resolving dev.haiku-os.org... 188.40.89.174
Connecting to dev.haiku-os.org|188.40.89.174|:443... connected.
ERROR: cannot verify dev.haiku-os.org's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA':
  Unable to locally verify the issuer's authority.
To connect to dev.haiku-os.org insecurely, use `--no-check-certificate'.
[ 24726] _kern_open(0xffffffff, "/boot/common/data/cert.pem", 0x0, 0x0) = 0x80006003 (31 us)
[ 24726] _kern_open(0xffffffff, "/boot/common/settings/network/resolv.conf", 0x0, 0x0) = 0x00000003 (14 us)
[ 24726] _kern_read_stat(0xffffffff, "/boot/common/data/certs/ae8153b9.0", true, 0x7ffee558, 0x58) = 0x80006003 No such file or directory (29 us)
~/Desktop>

As a work-around,

cp /boot/common/ssl/certs/cacert.pem /boot/common/data/cert.pem

[mmadia]

Could this simply be added to the Alpha 3 Release Addendum and call it a day?

command line applications fail on SSL secured sites

• Error Message: ERROR: cannot verify <host>'s certificate, issued by `/C....':
• Reproduction: wget https://... or git clone https://....
• Resolution: The following commands will symlink the certificates file into the correct location.

    ln -sf /boot/common/ssl/certs/cacert.pem /boot/common/data/cert.pem
  

[jrabbit]

I guess it could be postponed, anyone who'd be digging into cli commands could find irc or the addendum. Maybe a faster release of another Alpha could cover it.

[HaikuReactOSTrac]

Should this ticket be moved to R1/beta1?

[aperture]

The problem is related to openssl, not git or wget. Openssl locates itself under Gentoo standards (using haikuporter or Haiku) in /boot/common/data/ssl, while the regular cacert files are located in /boot/common/ssl , thus having the issue of not finding the right file.

Adding the line of code will fix the issue, but inevitably we still have two ssl files, one in the commmon directory, one in the data directory. The only folder in the common directory is certs with that cacert.pem file, suggesting it was a fix at some time. Since many applications depend on it (Webpositive, IRC), we cannot simply move it without causing disruption. Openssl can be configured to live in that folder, but openssl imposes its own certs.pem file to look for, which I cannot see any configuration for in compiling the program. The most probable course of action is moving openssl and having it recognize cacert as cert. wget and git would still work when the openssl is compiled and moved to /boot/common/ssl .

[mmadia]

Curl, WebPositive, and a new certificates file were updated/added in hrev43758. New tickets can be opened if any additional optional packages fail to pick up the certificates file.