I'm starting to have trouble with a few websites that give me security errors in some programs like git, because their certificates are signed with a Let's Encrypt certificate that is not in the version of ca-certificates provided with fossapup64 (20190110ubuntu). There is an update in the Ubuntu package repositories for version 20210119, but since this package is a built-in from the sfs files, ppm and pkg both will not install it. Any advice on how to upgrade my certificates? Thanks!
How to fix letsencrypt certificate errors fossapup?
Re: How to update ca certificates on fossapup?
I would back up your save file or folder first.
I did this, I think.
Copy (ctrl+C) and paste (ctrl+alt+V) to a text console terminal:
Code:
rm /etc/ssl/certs/DST_Root_CA_X3.pem
rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
Then I edited /etc/ca-certificates.conf and removed the DST_Root_CA_X3 line.
Then I ran update-ca-certificates in the terminal.
The certificates should work now, with a bit of luck.
This is where the certificates are: openssl version -d
This is more information: openssl version -a
which shows
Code:
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
built on: Thu Sep 16 16:57:22 2021 UTC
platform: linux-x86_64
I installed an openssl package from rockedge's website.
https://rockedge.org/kernels/data/PET/B ... ssl-3.0.0/
openssl-3.0.0-x86_64-bionic.pet
You are running FossaPup I think, so you would want a FossaPup package.
I probably just unzipped it using uextract and copied the files where I wanted to put them.
Or maybe I clicked the file to install it.
I'm not saying you need to install the openssl pet package.
I'm just telling you what I seem to remember doing.
Re: How to update ca certificates on fossapup?
Thank you! That's solved my problem. Here are the parts I did that fixed it, same as you:
Code:
rm /etc/ssl/certs/DST_Root_CA_X3.pem
rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
Remove line containing DST_Root_CA_X3 from /etc/ca-certificates.conf.
Run update-ca-certificates.
Updating OpenSSL was not necessary, but is probably a good idea still. For fossapup I used 1.1.1n from Grey over here https://www.forum.puppylinux.com/viewto ... ssl#p54704
I'm going to change the post title so it's easier to know what's going on here.
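The /etc/ca-certificates.conf edit from the two posts above, as an added example that is not part of the thread. It swaps in a different technique: rather than deleting files, it deselects the CA with the "!" prefix that ca-certificates.conf documents, and keeps a backup so the change can be rolled back. The function names and the ROOT parameter are hypothetical, and the demo runs on a constructed tree.

```sh
#!/bin/sh
# Added example, not the thread's commands: deselect a CA with the "!" prefix
# that ca-certificates.conf documents, keeping a backup, instead of deleting.
# ROOT is a hypothetical parameter so the functions can run on a test tree.

# ca_selected ROOT NAME: exit 0 while the conf still selects NAME.crt
ca_selected() {
    grep -q "^[^!#].*/$2\.crt\$" "$1/etc/ca-certificates.conf"
}

# deselect_ca ROOT NAME: prefix the selected entry with "!" (idempotent)
deselect_ca() {
    conf="$1/etc/ca-certificates.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    ca_selected "$1" "$2" || return 0          # already deselected or absent
    cp -p "$conf" "$conf.bak" || return 1      # keep the original for rollback
    sed "s|^\([^!#].*/$2\.crt\)\$|!\1|" "$conf.bak" > "$conf"
}

# stale_link ROOT NAME: exit 0 if /etc/ssl/certs still exposes NAME.pem,
# i.e. update-ca-certificates has not been run since the conf changed
stale_link() {
    [ -e "$1/etc/ssl/certs/$2.pem" ] || [ -L "$1/etc/ssl/certs/$2.pem" ]
}

# Demo on a constructed tree (sample data, not a real system).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/ssl/certs"
    printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' > "$t/etc/ca-certificates.conf"
    : > "$t/etc/ssl/certs/DST_Root_CA_X3.pem"
    deselect_ca "$t" DST_Root_CA_X3
    cat "$t/etc/ca-certificates.conf"
    stale_link "$t" DST_Root_CA_X3 && echo "run update-ca-certificates next"
    rm -rf "$t"
}
demo
```

On a real system the call would be `deselect_ca "" DST_Root_CA_X3` as root, followed by update-ca-certificates as in the posts above.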
Re: How to fix letsencrypt certificate errors fossapup?
I ran into the same issue recently where VLC would not play a stream that just got updated (neither will goggles). I performed the steps (not the ssl pet install yet) and that worked for VLC, but goggles still has an issue.
I then searched for DST_Root and I found the following still exist:
/initrd/mnt/tmpfs/pup_rw/usr/share/ca-certificates/mozilla/.wh.DST_Root_CA_X3.crt
/initrd/mnt/tmpfs/pup_rw/etc/ssl/certs/.wh.DST_Root_CA_X3.pem
/initrd/pup_a/etc/ssl/certs/DST_Root_CA_X3.pem
/initrd/pup_ro2/etc/ssl/certs/DST_Root_CA_X3.pem
/initrd/pup_ro2/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
Do these also need to be removed? Thinking the first 2 - maybe, and the last 3 are just the sfs files and probably do not affect running apps, but not sure why goggles would still have an issue.
Re: How to fix letsencrypt certificate errors fossapup?
When the Let's Encrypt certificate expired, it immediately caused my Links2 browser to tell me that the website I wanted to see did not have a valid certificate, and do I want to see it anyway? which soon became tiresome.
Not many Puppy users seemed to have a problem, maybe 2 or 3.
I deleted the certificates, and upgraded OpenSSL, but it did not help. Links2 still did not like the Let's Encrypt certificates, even though I had deleted them.
Then I thought, of course, I'm using a static build of Links2. Everything, library files, certificates, the openssl so files, were all built into my static build. It had its own Let's Encrypt certificate that it was using in the links2 executable. I installed an executable with dynamic linking to shared object files. Problem solved.
Browsers, like mozilla and chrome, often have their own certificates and shared library files that they use instead of the operating system's files. Sometimes updating the browser will fix the problem.
Most versions of openssl will go to the next certificates until they find one that works. But some versions of openssl stop at the expired certificate. So deleting the expired certificate should work, or updating openssl should work, or both.
But this may not work with browsers that have their own certificates and/or openssl built in. Upgrading to a newer version might fix the problem. If for some reason you want to or need to keep using the older version, you could try finding and deleting the Let's Encrypt certificate in the browser's file.
Google and goggle are two different names. You probably should stay away from goggle. Google is the search engine. Does Google work properly?
Re: How to fix letsencrypt certificate errors fossapup?
I appreciate the reply. But I did mean goggles. It's one of the music players that comes with fossapup 64. I prefer to stream radio streams through it as opposed to using a browser.
Re: How to fix letsencrypt certificate errors fossapup?
Do you have a URL? When I try goggles.com, I see a web page saying that the domain name goggles has expired.
If I try goggle.com, it is blocked in my /etc/hosts file, because it is considered to be malicious.
- rockedge
Re: How to fix letsencrypt certificate errors fossapup?
Reset the system clock! Use Psync to sync your system clock via the Internet with an atomic clock. Many times you will have certificate issues if the clock is way out of whack or just a little.
Re: How to fix letsencrypt certificate errors fossapup?
The web page https://gogglesmm.dev/ seems to work for me. No certificate issues.
@rockedge is right. If the system clock is not correct, for example, if it is set 100 years in the future, a certificate could be expired at that time and date. A computer does not really know what time and date it is. It will use whatever time and date that it was told to use.
Many times you will have certificate issues if the clock is way out of whack or just a little.
Again, @rockedge is right.