[opensuse] updating system CA to include recent changes: how?
On another list, I was told to:

"...check that your system CA set is up to date. There were changes as recently as a week ago..."

How do I do this?

I looked at owner of "/var/lib/ca-certificates/pem/" and found "ca-certificates-1_201403302107-8.1.2.noarch".

Its URL was last updated Nov, 2015 -- nothing sounds like it might contain recent CA updates... (I ran into a us-gov website, that couldn't be trusted due to a self-signed root-cert (that may be valid, I'm told, but I need to update my system CA to find out..).

The way they said this seemed like it should be "easy"...

HHhhmmm...

Thanks! -l

Hi,

It is ca-certificates-mozilla you would be looking for.

It was some months since I last updated it, it might need another update.

Can you tell the site for verification purposes?

Ciao, Marcus

On Tue, Nov 08, 2016 at 11:20:39AM -0800, L. A. Walsh wrote:
> On another list, I was told to:
>
> "...check that your system CA set is up to date. There were changes as recently as a week ago..."
>
> How do I do this?
>
> I looked at owner of "/var/lib/ca-certificates/pem/" and found "ca-certificates-1_201403302107-8.1.2.noarch".
>
> Its URL was last updated Nov, 2015 -- nothing sounds like it might contain recent CA updates... (I ran into a us-gov website, that couldn't be trusted due to a self-signed root-cert (that may be valid, I'm told, but I need to update my system CA to find out..).
>
> The way they said this seemed like it should be "easy"...
>
> HHhhmmm...
>
> Thanks! -l

--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real

Marcus Meissner wrote:

> Hi, It is ca-certificates-mozilla you would be looking for.

Is that the location squid uses?

> It was some months since I last updated it, it might need another update. Can you tell the site for verification purposes?

Message included URL:

The following error was encountered while trying to retrieve the URL: https://consumercomplaints.fcc.gov/hc/en-us
Failed to establish a secure connection to 192.161.147.1
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2

--- At first thought it was complaining about some cert my squid uses, but asking on the squid list, it turns out squid is complaining about the remote server.

Then it was suggested I update my system CA store.

Hi,

What is the ca-certificates-mozilla version?

You mention squid, how is that involved?

I just tried it and it worked for me at least.

Ciao, Marcus

On Tue, Nov 08, 2016 at 11:45:51AM -0800, L. A. Walsh wrote:
> Marcus Meissner wrote:
>
> > Hi, It is ca-certificates-mozilla you would be looking for.
>
> Is that the location squid uses?
>
> > It was some months since I last updated it, it might need another update. Can you tell the site for verification purposes?
>
> Message included URL:
>
> The following error was encountered while trying to retrieve the URL: https://consumercomplaints.fcc.gov/hc/en-us
> Failed to establish a secure connection to 192.161.147.1
> The system returned:
> (71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
>
> --- At first thought it was complaining about some cert my squid uses, but asking on the squid list, it turns out squid is complaining about the remote server.
>
> Then it was suggested I update my system CA store.

Marcus Meissner wrote:

> Hi,
>
> What is the ca-certificates-mozilla version?

rpm -q ca-certificates-mozilla
ca-certificates-mozilla-2.2-3.4.1.noarch
(from Opensuse 13.2).

> You mention squid, how is that involved?

--- I go through squid to get out to the net, since the machine my web browser is on is a windows machine with no direct net access. I use my linux box as a gateway to the internet. The error message is coming from squid and delivered to my web browser. It's the system ca-store that squid uses that needs to be updated.

(complete error message and not just relevant parts we both thought were needed):

ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: https://consumercomplaints.fcc.gov/hc/en-us
Failed to establish a secure connection to 192.161.147.1
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
Self-signed SSL Certificate in chain: /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Your cache administrator is webmaster.
Generated Wed, 09 Nov 2016 18:01:04 GMT by web-proxy (squid/3.5.22)

(web-proxy is an altname for the server, since that's one of its functions)...
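
Added example, not part of the original thread: one way to check whether the PEM directory named in the first message holds a root whose subject contains a given name, such as the Entrust root quoted in the squid error, and when that root expires. It assumes openssl is installed; the function name find_root_in_store and the PEM_DIR variable are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1) is installed.
# find_root_in_store and PEM_DIR are names invented for this illustration.

PEM_DIR="${PEM_DIR:-/var/lib/ca-certificates/pem}"   # directory named in the thread

# Print "<file>|<subject>|<notAfter>" for every certificate in directory $1
# whose subject contains the fixed string $2.
# Returns 0 if at least one certificate matched, 1 otherwise.
find_root_in_store() {
    dir=$1 name=$2 rc=1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue          # empty directory: the glob did not expand
        # Skip files openssl cannot parse as an X.509 certificate.
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
        case $subj in
            *"$name"*)
                end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
                printf '%s|%s|%s\n' "$f" "${subj#subject=}" "$end"
                rc=0 ;;
        esac
    done
    return $rc
}

# Stand-alone use:
#   sh check-root.sh "Entrust Root Certification Authority - G2"
if [ $# -gt 0 ]; then
    find_root_in_store "$PEM_DIR" "$1" ||
        echo "no certificate matching '$1' in $PEM_DIR" >&2
fi
```

If nothing matches, the chain's self-signed root is not in that directory, which is the condition X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN reports.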