bootstrap fails due to a certificate mismatch - certificate

When running ./bootstrap in a freshly-cloned repository (https://github.com/coreutils/coreutils), it seems to either
not find some files it wants to or doesn't trust https://translationproject.org.
./bootstrap: Bootstrapping from checked-out coreutils sources...
./bootstrap: consider installing git-merge-changelog from gnulib
./bootstrap: getting gnulib files...
Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib'
Cloning into '/home/vagrant/coreutils/gnulib'...
Submodule path 'gnulib': checked out '0ac98783691bbf8212537ebe18ddb68feb22a760'
./bootstrap: getting translations into po/.reference for coreutils...
ERROR: The certificate of 'translationproject.org' is not trusted.
ERROR: The certificate of 'translationproject.org' has expired.
So what I am going to do to make the certificate be trusted by my system and make it compilatioin successfully?

First, to get the certificate:
wget --mirror --level=1 -nd -v -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/
and then make the certificate trusted:
a) ask openssl to trust:
openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null
b) ask cert tool to trust
certtool --verbose --verify --infile=/tmp/translationproject.org.certs
Finally, you can use ./bootstrap sucessfully.

Related

Exporting https certificate fails with 'dotnet dev-certs' tool

I am trying to use the 'dotnet dev-certs' tool to export an https certificate to include with a Docker image. Right now I am using:
dotnet dev-certs https -v -ep $(HOME)\.aspnet\https -p <password>
and I get the error:
Exporting the certificate including the private key.
Writing exported certificate to path 'xxx\.aspnet\https'.
Failed writing the certificate to the target path
Exception message: Access to the path 'xxx\.aspnet\https' is denied.
An error ocurred exporting the certificate.
Exception message: Access to the path 'xxx\.aspnet\https' is denied.
There was an error exporting HTTPS developer certificate to a file.
The problem I see is that no matter what path I supply to export the certificate to I get the same 'Access to the path is denied' error. What am I missing? I know this command has been suggested in numerous places. But I cannot seem to get it to work.
Thank you.
The export path should specify a file, not a directory. This fixed the issue for me on Mac:
dotnet dev-certs https -v -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p <password>
For Ubuntu users:
install libnss3-tools:
sudo apt-get update -y
sudo apt-get install -y libnss3-tools
create or verify if the folder below exists on machine:
$HOME/.pki/nssdb
export the certificate:
dotnet dev-certs https -v -ep ${HOME}/.aspnet/https/aspnetapp.pfx
Run the following commands:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n localhost -i /home/<REPLACE_WITH_YOUR_USER>/.aspnet/https/aspnetapp.pfx
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n localhost -i /home/<REPLACE_WITH_YOUR_USER>/.aspnet/https/aspnetapp.pfx
exit and restart the browser
Source: https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio#ssl-linux
For me the problem was I was using .Net 5 under CentOS 7.8. Uninstalling .Net 5 and using .Net Core 3.1 SDK instead solved the problem.

Skip wget certificate checking in opam

I just updated to opam 2, on a very old MacBook which I cannot update (running OS X 10.6.8), and which is missing some important packages related to certificate validation (and due to missing tools, I cannot even update Homebrew, because it requires certification... kind of a circular problem).
I would like to update opam without checking certificates, since otherwise I get the following error:
<><> Updating package repositories ><><><><><><><><><><><><><><><><><><><><> 🐫
[ERROR] Could not update repository "default":
OpamDownload.Download_fail(_, "Download command failed:
\"/usr/local/bin/wget --content-disposition -t 3 -O
/private/tmp/opam-17621-5a61c5/index.tar.gz.part
https://opam.ocaml.org/1.2.2/index.tar.gz -U opam/2.0.0\"
exited with code 5
\"ERROR: cannot verify opam.ocaml.org's certificate, issued by
'CN=Let\\'s Encrypt Authority X3,O=Let\\'s Encrypt,C=US':\"")
I was just able to upgrade from 1.2.2 to opam 2.0.0, but now I cannot do opam update. And without it, there's not much I can do.
Is there a way to pass option --no-check-certificate to the wget command used by opam without having to recompile it myself?
Fix your wget instead. Looks like it's missing a recent CA bundle.
First, check where it looks for the bundle -
$ strace wget -O /dev/null https://github.com 2>&1 | grep cert
read(3, "eting an end user certificate as"..., 4096) = 2806
read(5, "eting an end user certificate as"..., 4096) = 2806
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
Then copy Mozilla's .pem bundle to match the expected .pem path.
If you're on a system that lacks strace or there's simply no mention of a CA bundle location in the output, then try creating a .wgetrc, and add
ca_certificate = /path/to/your/ca-bundle.pem
Save as $HOME/.wgetrc.
wget should then be able to validate the Let's Encrypt cert.
More on .wgetrc at http://gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html

Why does creating my self signing certificate fail?

I am trying to generate a self signing certificate but am unable to accomplish it. I am using this command to create a self signing certificate authority:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Which by all accounts works, and I can view the new entry under the Trusted Root Certification Authorities.
Next I use the following command to create a signing certificate:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root1.cer
But the command fails with:
Error: Can't load the issuer certificate ('root1.cer')
Failed
I was of the impression that the -ic switch would create the root1.cer file, but the error seems to indicate that it can't load it? Where am I going wrong with this?
When attempting to creating a Self Signed Certificate it does not require another certificate to generate it. Because as the name states, it is Self Signed (it is signed by the private key that belongs to the public key it contains).
When creating a common certificate you should provide a parent to make use of it. When verifying authenticity of this child certificate you should also have the parent certificate installed on your machine. This is the concept of Chain Trust.
See in your 'Local Machine' store, under trusted root certificates, you should have .cer from many Authority Agencies, such as Verisign for instance.
-iv Stands for Issuer's Private Key. (Parent .pvk)
-ic Stands for Issuer's Certificate. (Parent .cer)
In your first command, you created root.cer.
makecert [...] -r -sv root.pvk root.cer -ss Root -sr localMachine
In your second command, you told it that the issuer certificate was in root1.cer (with the parameter "-ic root1.cer"). That is what led to the error message that it could not find root1.cer.
So, change the 'root1.cer' in the second command to 'root.cer'. It should look like this:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv powershelluser.pvk powershelluser.cer
This does the following:
Generates a new key, placing it in powershelluser.pvk.
Uses the key in root.pvk to sign the new certificate, and uses the information in root.cer to set the Issuer of that new certificate.
Writes the new certificate to powershelluser.cer, and also writes it to the "Personal" certificates store in CurrentUser.

How to generate certificate file for svn server, and import

I would like to use svn server to share source code in a repository among computers on a home network. I have svnserver and openssl installed on the computer with the repository. Can someone give me step by step instructions on generating a certificate, incorporating into svnserver, putting the certificate on the other computers, and accessing the repository from eclipse.
The computers are running versions of windows.
I'm following the steps at
http://community.spiceworks.com/how_to/show/1469-how-to-become-your-own-certificate-authority-and-secure-spiceworks
and have put the following commands into a script file for cygwin
# Generate CA root certificate
openssl req -new -x509 -extensions v3_ca \
-keyout cakey.pem -out cacert.pem -days 3650
# Move to /etc/ssl
mv cakey.pem /etc/ssl/private
mv cacert.pem /etc/ssl/certs.
# Generate Secure and Insecure Keys
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
At this point, I think I copy the contents of server.key and server.key.insecure into the file
C:\Program Files (x86)\VisualSVN Server\certs\server.pem
but, I'm not sure about that. Also, what file do I copy to the other computers and how to connect eclipse to the repository.
Also, is there an easier way to do this besides using svnserver, since all the machines are on the same home network, and they are running versions of windows?

Github peer not authenticated when I issue g8 command

I am using red hat linux. I am trying to run this command:
g8 typesafehub/play-scala
And I am getting this response:
Exception fetching from github peer not authenticated
But when I check the connection using
openssl s_client -connect github.com:443
I get this:
Verify return code: 0 (ok)
Which means that I am able to connect with github. Why doesn't this command work?
g8 typesafehub/play-scala
I also ran into this issue on an RHEL 5 VM image where I am using openjdk 6. It was the other note to look at TrustManager clued me in on a fix. I tweak the invocation to add a trust setting for github; in my situation it resolves the peer authentication issue.
First grab the github certificate using openssl and keytool to make it accessible to java.
echo "" | openssl s_client -connect www.github.com:443 \
-showcerts 2>/dev/null | openssl x509 -out github.cert
keytool -import -alias github \
-file github.cert -storepass g8g8g8 \
-keystore $HOME/g8.truststore
Now to rewrite the invocation with a script I call "G8":
g8 \
\ -Djavax.net.ssl.trustStore=$HOME/g8.truststore \
\ -Djavax.net.ssl.trustStorePassword=g8g8g8 \
$*
Now try executing G8 -v typesafehub/akka-scala-sbt and I see things are much happier now. I imagine setting a systemwide default truststore would may be better but I haven't figured that one out yet.
If it really is an authentication issue, check your ~/.g8/config file for authentication purpose, but you shouldn't need it for anonymous access.
Note that, according to issue 32 of giter8, it can also depends on the Java you are using.
For instance:
Sorry, that preview release of openjdk 7 is not fit for general use. (There's also giter8 issue #27 specific to openjdk on mac.) I have tested openjdk 7~b147-2.0-0ubuntu0.11.10.1 with giter8 and that worked fine, so when there is a final release available for mac you should be able to use it.
For now, please try with jdk 6 and reopen if you are still having trouble.
Another JDK (openjdk) might end up using the wrong TrustManager, as described in "Avoiding the "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" with HttpClient"
I had the same issue as B Evans (thanks for this!), but in Windows, so here is the equivalent code in case someone else has this issue and doesn't know how to do it from windows cmd. I also had to get openssl from http://www.openssl.org/related/binaries.html
openssl s_client -connect www.github.com:443 -showcerts > out.txt
openssl x509 -out github.cert < out.txt
keytool -import -alias github -file github.cert \
-storepass g8g8g8 -keystore C:\tmp\g8.truststore
Then add the same to JAVA_OPTS (I also had to deal with our corporate firewall and hence proxy as well...)
SET JAVA_OPTS=-Dhttp.proxyHost=our.proxy.com -Dhttp.proxyPort=8080 \
-Dhttps.proxyHost=our.proxy.com -Dhttps.proxyPort=8080 \
-Djavax.net.ssl.trustStore=C:\tmp\g8.truststore \
-Djavax.net.ssl.trustStorePassword=g8g8g8