How to fix letsencrypt certificate errors fossapup?

New to Puppy and have questions? Start here

Moderator: Forum moderators

Post Reply
artemis
Posts: 44
Joined: Wed Mar 24, 2021 8:16 pm
Has thanked: 8 times
Been thanked: 5 times

How to fix letsencrypt certificate errors fossapup?

Post by artemis »

I'm starting to have a trouble with a few websites that give me security errors in some programs like git, because their certificates are signed with a lets encrypt certificate that is not in the version of ca-certificates provided with fossapup64 (20190110ubuntu). There is an update in the ubuntu package repositories for version 20210119 but since this package is a built-in from the sfs files ppm and pkg both will not install it. Any advice how to upgrade my certificates? thanks!

Last edited by artemis on Thu Jun 09, 2022 9:56 pm, edited 1 time in total.
williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to update ca certificates on fossapup?

Post by williams2 »

i would backup your save file or folder first.

I did this, I think.

Copy (ctrl+C) and paste (ctrl+alt+V) to a text console terminal:

Code: Select all

rm /etc/ssl/certs/DST_Root_CA_X3.pem
rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

Then I edited /etc/ca-certificates.conf and removed the DST_Root_CA_X3 line

Then I ran update-ca-certificates in the terminal

The certificates should work now, with a bit if luck.

This is where the certificates are: openssl version -d

This is more information: openssl version -a
which shows

Code: Select all

OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
built on: Thu Sep 16 16:57:22 2021 UTC
platform: linux-x86_64

I installed an openssl package from rockedge's website.
https://rockedge.org/kernels/data/PET/B ... ssl-3.0.0/
openssl-3.0.0-x86_64-bionic.pet
You are running FossaPup I think, so you would want a FossaPup package.
I probably just unzipped it using uextract and copied the files where I wanted to put them.
or maybe I clicked the file to install it.

I'm not saying you need to install the openssl pet package.
I'm just telling you what I seem to remember doing.

artemis
Posts: 44
Joined: Wed Mar 24, 2021 8:16 pm
Has thanked: 8 times
Been thanked: 5 times

Re: How to update ca certificates on fossapup?

Post by artemis »

Thank you! That's solved my problem. Here's the parts I did that fixed it, same as you:

Code: Select all

rm /etc/ssl/certs/DST_Root_CA_X3.pem
rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

Remove line containing DST_Root_CA_X3 from /etc/ca-certificates.conf

Run update-ca-certificates.

Updating OpenSSL was not necessary, but is probably a good idea still. For fossapup I used 1.1.1n from Grey over here https://www.forum.puppylinux.com/viewto ... ssl#p54704

I'm going to change the post title so it's easier to know what's going on here

sfein1000
Posts: 96
Joined: Fri Mar 25, 2022 1:38 am
Been thanked: 4 times

Re: How to fix letsencrypt certificate errors fossapup?

Post by sfein1000 »

I ran into the same issue recently where VLC would not play a stream that just got updated (neither will goggles). I performed the steps (not the ssl pet install yet) and that worked for VLC, but goggles still has an issue.

I then searched for DST_Root and I found the following still exist:
/initrd/mnt/tmpfs/pup_rw/usr/share/ca-certificates/mozilla/.wh.DST_Root_CA_X3.crt
/initrd/mnt/tmpfs/pup_rw/etc/ssl/certs/.wh.DST_Root_CA_X3.pem
/initrd/pup_a/etc/ssl/certs/DST_Root_CA_X3.pem
/initrd/pup_ro2/etc/ssl/certs/DST_Root_CA_X3.pem
/initrd/pup_ro2/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

Do these also need to be removed? Thinking the first 2 - maybe, and the last 3 are just the sfs files and probably do not affect running apps, but not sure why goggles would still have an issue.

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to fix letsencrypt certificate errors fossapup?

Post by williams2 »

When the Let's Encrypt certificate expired, it immediately caused my Links2 browser to tell me that the website I wanted to see did not have a valid certificate, and do I want to see it anyway? which soon became tiresome.

Not many Puppy users seemed to have a problem, maybe 2 or 3.

I deleted the certificates, and upgraded OpenSSL, but it did not help. Links2 still did not like the Let's Encrypt certificates, even though I had deleted them.

Then I thought, of course, I'm using a static build of Links2. Everything, library files, certificates, the openssl so files, were all built in to my static build. It had it's own Let's Encrypt certificate that it was using in the links2 executable. I installed an executable with dynamic linking to shared object files. Problem solved.

Browsers, like mozilla and chrome, often have certificates and it's own shared library files that it is using instead of the operating systems files. Sometimes updating the browser will fix the problem.

Most versions of openssl will go to the next certificates until it finds one that works. But some versions of openssl stops at the expired certificate. So deleting the expired certificate should work, or updating openssl should work, or both .

But this may not work with browsers that have their own certificates and/or opensll builtin. Upgrading to a newer version might fix the problem. If for some reason you want to or need to keep using the older version, you could try finding and deleting the Let's Encrypt certificate in the browser's file.

Google and goggle are two different names. You probably should stay away from goggle. Google is the search engine. Does Google work properly?

sfein1000
Posts: 96
Joined: Fri Mar 25, 2022 1:38 am
Been thanked: 4 times

Re: How to fix letsencrypt certificate errors fossapup?

Post by sfein1000 »

I appreciate the reply. But I did mean goggles. It's one of the music players that comes with fossapup 64. I prefer to stream radio streams through it as opposed to using a browser.

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to fix letsencrypt certificate errors fossapup?

Post by williams2 »

Do you have a url? when I try goggles.com, I see a web page saying that the domain name goggles has expired.
If I try goggle.com, It is blocked in my /etc/hosts file, because it is considered to be malicious.

sfein1000
Posts: 96
Joined: Fri Mar 25, 2022 1:38 am
Been thanked: 4 times

Re: How to fix letsencrypt certificate errors fossapup?

Post by sfein1000 »

User avatar
rockedge
Site Admin
Posts: 6561
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut,U.S.A.
Has thanked: 2766 times
Been thanked: 2643 times
Contact:

Re: How to fix letsencrypt certificate errors fossapup?

Post by rockedge »

Reset the system clock! Use Psync to sync your system clock via the Internet with an atomic clock. Many times you will have certificate issues if the clock is way out of wack or just a little.

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to fix letsencrypt certificate errors fossapup?

Post by williams2 »

The web page https://gogglesmm.dev/ seems to work for me. No certificate issues.

@rockedge is right. If the system clock is not correct, for example, if it is set 100 years in the future, a certificate could be expired at that time and date. A computer does not really know what time and date it is. It will use whatever time and date that it was told to use.

Many times you will have certificate issues if the clock is way out of wack or just a little.

Again, @rockedge is right.

Post Reply

Return to “Beginners Help”