Open aram1304 opened 1 year ago
@aram1304 it seems like you may be missing the ca-certificates package. Freshclam will need the certificate bundle in order for HTTPS to work.
I already updated the ca-certificate package. I compared in a diff server (where it works fine)
ls -l /etc/pki/tls/certs
total 220
lrwxrwxrwx. 1 root root 49 Jan 2 15:46 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jan 2 15:46 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x. 1 root root 610 Mar 23 2022 make-dummy-cert
-rw-r--r--. 1 root root 2516 Mar 23 2022 Makefile
-rwxr-xr-x. 1 root root 829 Mar 23 2022 renew-dummy-cert

ls -lR /etc/pki/ca-trust/extracted
/etc/pki/ca-trust/extracted:
total 4
drwxr-xr-x. 2 root root 35 Jan 4 14:13 java
drwxr-xr-x. 2 root root 47 Jan 4 14:13 openssl
drwxr-xr-x. 2 root root 101 Jan 4 14:13 pem
-rw-r--r--. 1 root root 560 Jul 28 18:29 README

/etc/pki/ca-trust/extracted/java:
total 156
-r--r--r--. 1 root root 154622 Jan 4 14:13 cacerts
-rw-r--r--. 1 root root 726 Jul 28 18:29 README

/etc/pki/ca-trust/extracted/openssl:
total 616
-r--r--r--. 1 root root 623999 Jan 4 14:13 ca-bundle.trust.crt
-rw-r--r--. 1 root root 787 Jul 28 18:29 README

/etc/pki/ca-trust/extracted/pem:
total 852
-r--r--r--. 1 root root 165613 Jan 4 14:13 email-ca-bundle.pem
-r--r--r--. 1 root root 486972 Jan 4 14:13 objsign-ca-bundle.pem
-rw-r--r--. 1 root root 898 Jul 28 18:29 README
-r--r--r--. 1 root root 212198 Jan 4 14:13 tls-ca-bundle.pem
and both servers are having the same certificates I believe 10.x address probably gets natted or proxied going out with a public address and port 80 has to get redirected to a port 443 connection. Maybe proxy issue?
It could also be that the openssl used by clamav on your system is looking in the wrong directory for the CA bundle. You could try setting the CURL_CA_BUNDLE environment variable to point to the openssl ca bundle. E.g.
# CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt freshclam
Thanks for the update. I tried that and it is not working on my Redhat 7.9 machine
]# CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt freshclam
ClamAV update process started at Thu Jan 5 13:38:31 2023
daily database available for update (local version: 26771, remote version: 26772)
WARNING: Download failed (60)
WARNING: Message: Peer certificate cannot be authenticated with given CA certificates
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
^CUpdate process terminated
]# export CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
]# freshclam
ClamAV update process started at Thu Jan 5 13:38:52 2023
daily database available for update (local version: 26771, remote version: 26772)
WARNING: Download failed (60)
WARNING: Message: Peer certificate cannot be authenticated with given CA certificates
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
^CUpdate process terminated

ca-certificates-2022.2.54-74.el7_9.noarch
openssl-1.0.2k-25.el7_9.x86_64
If I set DatabaseMirror http://database.clamav.net in the freshclam.conf then it works, but per our standard we need to use only https, like the rest of the other environments
Hey, hi. Did you get any solution for this issue?
Describe the bug
How to reproduce the problem
If I use http in the freshclam.conf then it works. I want to use only https
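One way to separate the two hypotheses raised in the thread (a CA bundle that is not being used versus a proxy re-signing the HTTPS connection), as an added example that is not part of the original thread or of ClamAV: it classifies `openssl s_client` output by its verify return code and reports the top issuer of the presented chain. The function names, the `MIRROR` variable and both sample handshakes are constructed for illustration; the bundle path and host name are the ones quoted above.

```shell
# Added diagnostic sketch; the sample handshake text below is constructed.
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"  # bundle path from the thread
MIRROR="${MIRROR:-database.clamav.net}"                     # host from the freshclam log

# Live capture: the chain the network path presents, verified against CA_BUNDLE.
capture() {
    openssl s_client -connect "$MIRROR:443" -servername "$MIRROR" \
        -CAfile "$CA_BUNDLE" </dev/null 2>&1
}

# Numeric result taken from the "Verify return code: N (...)" line.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Issuer of the last certificate listed under "Certificate chain".
top_issuer() {
    printf '%s\n' "$1" | sed -n 's/^ *i:\(.*\)$/\1/p' | tail -n 1
}

classify() {
    case "$(verify_code "$1")" in
        0)        echo "chain-ok" ;;              # the bundle validates the chain
        19|20|21) echo "issuer-not-in-bundle" ;;  # chain signed by a CA the bundle lacks
        10)       echo "certificate-expired" ;;
        "")       echo "no-handshake" ;;          # never reached certificate verification
        *)        echo "other-verify-error" ;;
    esac
}

# Constructed sample: chain re-signed by a hypothetical inspecting proxy CA.
SAMPLE_PROXY='CONNECTED(00000003)
Certificate chain
 0 s:/CN=database.clamav.net
   i:/O=Example Corp/CN=Example Inspection CA
    Verify return code: 20 (unable to get local issuer certificate)'

# Constructed sample: chain that the bundle validates.
SAMPLE_OK='CONNECTED(00000003)
Certificate chain
 0 s:/CN=database.clamav.net
   i:/O=Constructed Public CA/CN=Constructed Issuing CA
    Verify return code: 0 (ok)'

if [ "${1:-}" = "live" ]; then
    out=$(capture) || true
    echo "$(classify "$out"): top issuer = $(top_issuer "$out")"
fi
```

Run it with `live` as the first argument on the affected host and on the working one. If the affected host reports `issuer-not-in-bundle` with an internal CA as top issuer, the fix is to add that CA to the system trust store rather than to fall back to http.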