Thinstation / thinstation

A framework for making thin and light Linux based images for x86 based machines and thinclients.
https://www.thinstation.net/

Problem with certificates #785

Open Aleksa2022 opened 10 months ago

Aleksa2022 commented 10 months ago

Hello! Please tell me what the problem might be... I need to include certificates in the build. I made a certificate chain, included it in certs.pem and put it next to the ca-bundle. Additionally, I created a trusts folder in the ca-bundle, where I also put the necessary certificates. Previously, everything went fine with this placement and the VMware Horizon (vmview) client saw them normally. Now it does not want to perceive them in any way. I took the certificates from the working image - the problem remains. A message appears in the logs that the system cannot check the certificate revocation status. I downloaded the CRL, converted it to *.pem and placed both versions in the ca-bundle - certs - crl directory. It also didn't help. I tried changing the order of the certificates in the chain, placing the certificates in separate files, placing them in different places. All without success. I noticed that sometimes, when building, my file with the certificates does not get into the build at all. I downloaded a clean Git checkout, placed the certificates and tried to build - the effect is the same. What else could be the problem?

Doncuppjr commented 10 months ago

Make sure that ca-bundle is in the build. 

On Sunday, August 27, 2023, 9:20 PM, Alesandro @.***> wrote:

Aleksa2022 commented 10 months ago

The ca-bundle is in the build and the package is included in the build. I tried different options - a different order of the certificates in the common cert.pem file, despite the fact that I know the correct order - the result is the same. The certificates get into the build (as I wrote earlier, sometimes they may not get there for some reason), but https is still treated as untrusted. I tried making builds with earlier, but valid, sets of certificates, with which the images are working fine now - the same result. Root rights are set on the certificate files: root - I checked and set these rights on the modified files. It didn't help either. What is most unclear is that I have previously done builds with these certificates and they worked. I did the last build a year ago and everything came together fine - it is these builds that are working now. The configuration files have not changed either. I assumed that I might have entered some wrong parameter in build time or somewhere else, which spoils everything. Not that either. When I unpacked a clean Git checkout, I put in the bare minimum of configuration from a long-standing backup. It also didn't help. I can't figure out what else could be wrong...

Aleksa2022 commented 10 months ago

There is another problem with the certificates: no matter how I try to push the CRL, it is not taken into account in any way. Error: "Ignoring invalid certificate due to unsafe mode (unable to check certificate revocation status)". I added the CRL to the ca-bundle/certs/crl folder in different formats: .crl, .pem (by converting *.crl) - despite the fact that this folder with the files gets into the image, there are still errors in the logs.
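
Before dropping a chain and a CRL into the image, it is worth confirming that they verify together on the build host. The script below is an added example, not Thinstation project code or anything the Horizon client runs: it constructs a throwaway CA, a leaf certificate and two CRLs with the openssl CLI (assumed to be installed), then uses `openssl verify -crl_check` as a stand-in for a revocation-checking client to show the three outcomes that matter here: no CRL loaded, a valid CRL, and a CRL that revokes the leaf. All names and files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Thinstation project code: build a throwaway CA, leaf cert and CRL with
# the openssl CLI, then verify the leaf the way a revocation-checking client would.
set -eu
W=$(mktemp -d); cd "$W"
: > index.txt; echo 01 > crlnumber; echo 'unique_subject = no' > index.txt.attr  # empty CA db
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = $W/index.txt
crlnumber = $W/crlnumber
certificate = $W/ca.pem
private_key = $W/ca.key
default_md = sha256
default_crl_days = 7
EOF
# Constructed root CA (self-signed) and a leaf certificate it issued.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 7 \
  -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=view.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 7 -out leaf.pem 2>/dev/null
# CRL with nothing revoked, in PEM and in DER (the .crl form CAs publish); then revoke the leaf and reissue.
openssl ca -config ca.cnf -gencrl -out crl_empty.pem 2>/dev/null
openssl crl -in crl_empty.pem -outform DER -out crl_empty.crl
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl_revoked.pem 2>/dev/null
# crl_to_pem SRC DST: a PEM-only loader silently skips a DER file, so convert it first.
crl_to_pem() {
  if grep -q 'BEGIN X509 CRL' "$1" 2>/dev/null; then cp "$1" "$2"; else openssl crl -inform DER -in "$1" -out "$2"; fi
}
# verify_leaf [CRLFILE]: prints OK, or the reason openssl gives for rejecting leaf.pem.
verify_leaf() {
  out=$(openssl verify -crl_check -CAfile ca.pem ${1:+-CRLfile "$1"} leaf.pem 2>&1 || true)
  case "$out" in *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
  esac
}
verify_leaf ""; verify_leaf crl_empty.pem; verify_leaf crl_revoked.pem
```

A CRL that is present in the directory but never loaded produces the same "unable to get certificate CRL" result as no CRL at all, which is why checking the format (DER vs PEM) of what actually lands in the image matters.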

Aleksa2022 commented 10 months ago

I conducted a series of builds. The configuration is correct. Sometimes everything is fine with --license accept, sometimes there are problems with the certificates. I noticed that when things go normally, the initrd file is ~25 Mb; when this file is ~18 Mb, there are problems. Nothing changes in the configuration. I tried running --update --autodl. In this case, if the previous build was normal, the current one breaks. If there were problems with the previous one, the current one is still not restored. I can't figure out what else could be the problem.