Ca-certificates are broken

This is a new install on a RPi 4b 32 Bit OS.
While customizing the KDE Plasma desktop, after numerous tries, and a couple of hours, I finally managed to screw things up.

Now whenever I try to do anything with pacman, I get the following:

Brace yourself, it's a sad tale.

$ sudo pacman -Syu
[sudo] password for don:
:: Synchronizing package databases…
core is up to date
extra is up to date
community is up to date
alarm is up to date
aur is up to date
endeavouros.db failed to download
error: failed retrieving file ‘endeavouros.db’ from ca.gate.endeavouros.com : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirrors.tuna.tsinghua.edu.cn : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.alpix.eu : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from de.freedif.org : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.moson.org : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from endeavour.remi.lu : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.jingk.ai : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.freedif.org : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.funami.tech : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from ftp.acc.umu.se : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.linux.pizza : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirror.archlinux.tw : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from fastmirror.pp.ua : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed retrieving file ‘endeavouros.db’ from mirrors.42tm.tech : error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
error: failed to synchronize all databases (download library error)

I have tried to re-install ca-certificates to no avail because pacman will not do anything.
I went the the proper repository, and downloaded
https://archlinuxarm.org/packages/any/ca-certificates
it complained about a security issue, so I told it to download anyway. I used

pacman -U ca-cerificates-20210603-1-pkg-tar-xz

Still no joy.

Any ideas how to restore the certificates?

Pudge

EDIT:
the error says " endeavouros.db failed to download" but the endeavouros repos are okay as I did a pacman -Syu successfully on a different 32 Bit OS to check.

What happens in this case? Does it work but not resolve the problem or is pacman -U failing?

It works but doesn’t fix the problem.

Pudge

the following thread is a solution for similar issue

if the solution in the thread didn’t help, then I would try the following steps.

sudo pacman -Syuw                           # download packages
sudo rm /etc/ssl/certs/ca-certificates.crt  # remove conflicting file
sudo pacman -Su                             # perform upgrade

@Pudge, have you tried using an http mirror instead of https?

Isn’t that going to fail? It is going to try to download the databases and fail as above.

I thought so too, but someone in the arch linux forum did it exactly as I understood him. and then reinstalled the certificates with pacman -S ca-certificates-utils

https://bbs.archlinux.org/viewtopic.php?id=236126

the guy from the forum run

update-ca-trust

bevor the other steps.

The following commands from Fernado in the above link fixed the problem.

sudo pacman -Sw ca-certificates-utils
sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-20210603-1-any.pkg.tar.xz
sudo pacman -Syu

Thank you to @dalto and @pycrk. Evidently it is the ca-certificates-utils that actually installs the certificates?

I need an ARM 32 Bit OS to compile things for the armv7h EnOS repository. Yesterday I had to compile yay and my current RPi 4b 32 Bit OS was Cinnamon. It once again came up after login and said it was in the fall back mode, which is useless. I spent too much time getting it to work to compile one package. So today, I installed 32 Bit KDE the “Arch way”. Command by command. Fortunately @dalto 's eos-packagelist made the process a lot speedier.

Pudge

1 Like

from the arch wiki

On Arch Linux the default set of CA certificates is provided by the ca-certificates package.

For libraries, that have not been ported to PKCS #11 and use a custom logic for managing CA certificates, the package ca-certificates-utils provides the update-ca-trust(8) script. It copies CA certificates obtained through the centralized interface to /etc/ca-certificates/extracted/ and /etc/ssl/certs/.

https://wiki.archlinux.org/title/Transport_Layer_Security#Certificate_authorities

1 Like

Somewhere along the line on this manual install, the certificates got messed up.
I thought “pacman -Sy ca-certificates” should have supplied the correct certificates.

Who would have thought it is that involved?
That is one solution I will not forget for awhile.

Pudge

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.