Can't update system (broken ssl?)

As I said before, plenty of disk space. Happy to provide anything that might help though.

df -h
Filesystem      Size  Used Avail Use% Mounted on
dev              16G     0   16G   0% /dev
run              16G  2.0M   16G   1% /run
/dev/nvme1n1p2  916G  185G  685G  22% /
tmpfs            16G  455M   16G   3% /dev/shm
tmpfs            16G   28M   16G   1% /tmp
/dev/nvme0n1p1  1.8T  1.3T  488G  73% /media/gamedisk
/dev/nvme1n1p1  300M  312K  300M   1% /boot/efi
tmpfs           3.2G   88K  3.2G   1% /run/user/1000
1 Like

I’ve been through the pacman log a few times. No error messages, a few warnings about potentially missing firmware during a kernel update which isn’t unusual. Aside from that, just a huge listing of the package installs I’ve done over the last month.

Not sure what you’re looking for here. I know the approximate time the system was upgraded. The time and timezone appear to be correct during the update.

I ran ‘pacman -Qo’ against all of the cert files in ‘/etc/ca-certificates/extracted/’. Against both the full path and just the file name and all of the results were: “error: No package owns ”

Maybe using a different name server will help.

https://wiki.archlinux.org/title/Domain_name_resolution

Edit:

If the VM works for you, I would compare the files /etc/resolv.conf. Something is wrong with your connection, I think.

I find it hard to believe that it’s my connection when a simple file copy sets my machine back to working again. Given the evidence I’ve collected so far, I have to believe something is wrong with the certificates package I have or the application that extracts them. I did get an update to ‘ca-certificates-mozilla’ and ‘nss’ on the morning everything went wrong. After I rebooted my machine, everything went wrong. I have to assume that’s not coincidence.

1 Like

Yeah, no. Was just wondering if it executes the correct binary. But looks ok.
Does it list certs with trust list?

No, it doesn’t. I also tested it on my functioning VM and that command returns a rather long list of certificates. Any idea how to fix that?

what do the following commands show:

which p11-kit

and

pacman -Qs p11-kit

ls -l /usr/share/ca-certificates/trust-source/
What does that show?

$ which p11-kit
/usr/bin/p11-kit
$ pacman -Qs p11-kit
local/lib32-p11-kit 0.24.1-1
    Loads and enumerates PKCS#11 modules (32-bit library)
local/libp11-kit 0.24.1-1
    Loads and enumerates PKCS#11 modules (library)
local/p11-kit 0.24.1-1
    Loads and enumerates PKCS#11 modules

Edit: Looks like the only difference between this and my VM is lib32-p11-kit. Tried to remove it and lib32-nss is dependent upon it. Tried to remove lib32-nss and steam is dependent upon that, which I don’t want to remove. Is it possible that Steam and these packages are what’s breaking it?

Edit2: Guess it’s not steam. I installed steam on my VM and then reinstalled the certificate packages. The pem files still have data. Now the output on pacman -Qs p11-kit is the same as my main machine.

$ ls -l /usr/share/ca-certificates/trust-source/
total 1004
drwxr-xr-x 2 root root    4096 Jun  3  2021 anchors
drwxr-xr-x 2 root root    4096 Jun  3  2021 blocklist
-rw-r--r-- 1 root root 1017767 Jul 22 00:15 mozilla.trust.p11-kit

I also ran the following and it is the same as the VM.

$ pacman -Ss ca-certificates
core/ca-certificates 20210603-1 [installed]
    Common CA certificates (default providers)
core/ca-certificates-mozilla 3.81-1 [installed]
    Mozilla's set of trusted CA certificates
core/ca-certificates-utils 20210603-1 [installed]
    Common CA certificates (utilities)

Try using -Qs instead of -Ss :wink:

Edit: can you show the journal about updating certificates? It might reveal why the update wipes files.

This is normal. They are filled dynamically after package installation.
Read man update-ca-trust.

I think the problem must be coming from curl (pacman uses it for transactions) and/or servers’ certificates.
Try checking the failing (EnoS?) mirrorlist servers (proper URL, with $arch and $repo converted to real values) with

curl --cert-status https://example.com

Also, read man curl for more investigation options available.

Edit:

True, but it also shows installed, so… :person_shrugging:

By man update-ca-trust, more error messages would appear with

update-ca-trust extract

This command is run after related package updates and gets original certs from /usr/share/ca-certificates/trust-source/ where certs are normally saved, and links/copies them to relative /etc/ paths.

2 Likes

The version might be different…

2 Likes

@beyondlife
I tested the journal if it shows anything about the

update-ca-trust extract

command, but the journal showed nothing. But here certificates work OK.

The problem must have something to do with the software you have installed, or packages you may have removed.

Some ideas:

  • reinstall some essential packages like kernel and kernel headers
  • try the LTS kernel
1 Like

Look at the following link; someone has a similar problem and solved it with a symlink.

I seem to have had a similar issue starting yesterday only with endeavouros.db. This is the output for pacman -SYu:
error: failed retrieving file ‘endeavouros.db’ from ca.gate.endeavouros.com : Connection timeout after 10001 ms

pacman -Ss ca-certificates
core/ca-certificates 20210603-1 [installed]
    Common CA certificates (default providers)
core/ca-certificates-mozilla 3.81-1 [installed]
    Mozilla's set of trusted CA certificates
core/ca-certificates-utils 20210603-1 [installed]
    Common CA certificates (utilities)

I ran both of these successfully, but afterwards the result is still the same.
pacman -Syu endeavouros-keyring
pacman -Sy archlinux-keyring

Any other suggestions? Thank you. PS not in a VM or using Steam.

Hi and welcome @nivthered!

Please have a look here:
https://forum.endeavouros.com/search?q=endeavouros.db%20order%3Alatest

2 Likes

I’ve been just living with this issue for a while now and copying over certificate files manually from another install. I just finally got back to working on it again and figured out what the real problem was.

The command that finally revealed the root cause was “p11-kit list-modules”. The library-manufacturer when listed from my machine was “Mozilla” and the version did not match my base install. I wish I had captured the full output from before I fixed the issue.

This led me to find that something overwrote /usr/lib/pkcs11/p11-kit-trust. I copied this file from another install and ran “sudo update-ca-trust” and now everything is working again. Still need to find out what overwrote that file in the first place though.

1 Like
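The check that exposed the root cause in the post above can be scripted. This is an added example, not from the thread or from the p11-kit project: it parses `p11-kit list-modules` output and flags a trust module whose library-manufacturer is not the expected one. The output layout, the expected string `PKCS#11 Kit`, and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed output layout of `p11-kit list-modules`: an unindented
# "name: file" header per module, then indented "library-*:" fields.
EXPECTED='PKCS#11 Kit'   # assumption: manufacturer string of a stock p11-kit-trust

# Reads list-modules output on stdin, prints "module|file|manufacturer|version".
# Exit status: 0 expected manufacturer, 1 different one, 2 module not listed.
check_trust_module() {
    awk -v want="$EXPECTED" '
        /^[^ \t].*: / {                       # module header line
            name = $0; sub(/:.*/, "", name)
            in_trust = (name == "p11-kit-trust")
            if (in_trust) { seen = 1; file = $0; sub(/^[^:]*: */, "", file) }
            next
        }
        in_trust && /^[ \t]+library-manufacturer:/ { man = $0; sub(/^[^:]*: */, "", man) }
        in_trust && /^[ \t]+library-version:/      { ver = $0; sub(/^[^:]*: */, "", ver) }
        END {
            if (!seen) { print "p11-kit-trust: not listed"; exit 2 }
            printf "p11-kit-trust|%s|%s|%s\n", file, man, ver
            exit (man == want ? 0 : 1)
        }'
}

# Constructed sample: a stock module, including the nested token block whose
# own "manufacturer:" field must not be mistaken for the library field.
sample_healthy() { cat <<'EOF'
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
EOF
}

# Constructed sample of the symptom described in the post (values are made up).
sample_overwritten() { cat <<'EOF'
p11-kit-trust: p11-kit-trust.so
    library-manufacturer: Mozilla
    library-version: 0.0
EOF
}

# Demo on the samples; on a real system: p11-kit list-modules | check_trust_module
for s in sample_healthy sample_overwritten; do
    if "$s" | check_trust_module; then echo "  -> ok"
    else echo "  -> unexpected trust module: check its owner with pacman -Qo"; fi
done
```

A non-zero result is a cue to confirm which package owns the module file with `pacman -Qo` and to verify that package's files with `pacman -Qkk` before running `update-ca-trust` again.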

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.