lastpass / lastpass-cli

LastPass command line interface tool
GNU General Public License v2.0

Error: Peer certificate cannot be authenticated with given CA certificates. #409

Closed RevHokan closed 6 years ago

RevHokan commented 6 years ago

I'm using CLI 1.2.1 and, starting late this morning, am receiving this message, "Error: Peer certificate cannot be authenticated with given CA certificates."

This happens on two different FreeBSD systems.

I downloaded and compiled 1.3.0 but it produced the same message.

briantist commented 6 years ago

Same, was working earlier, stopped suddenly today. Recompiling, updating system packages, etc. have not fixed it.

I'm on Ubuntu 16.04 (WSL).

dogik commented 6 years ago

I am facing this as well. Had an older version and started getting this error today. Thought it was because I was out of date. Upgraded to 1.3.0 - the same. I tried on Ubuntu for Windows and on my EC2 Ubuntu 16 instance. Tried updating CA - no luck.

dead10ck commented 6 years ago

Confirming this started happening to me on Arch Linux.

jking916 commented 6 years ago

Seeing the same error on Fedora 28, using version 1.1.2-4.fc28 from the system repository.

spideylinux commented 6 years ago

Was running 1.0.0 for the longest time until today when this message showed up. Upgraded to 1.3.0 using both emerge (Gentoo) and building myself. Still getting the error.

Checked and 1.3.0 works on macOS which was installed via Homebrew.

sbranchaw commented 6 years ago

Same issue on Ubuntu 16.04 on version v1.3.0, recompiled from source just today (in vain hopes of making the error go away).

nollieheel commented 6 years ago

Confirming this just started happening to me on Ubuntu 14.04. Uninstalled and recompiled to 1.3.0, same problem. Fired up another virtual machine, no joy.

paulo-Faitarone commented 6 years ago

My application was running 2 hours ago, and now, when I try to connect, lpass login ... returns "Peer certificate cannot be authenticated with given CA certificates."

We use version 1.3.0

dogik commented 6 years ago

@bcopeland Can we please get any advice on this one? Any quick fix? It seems like it is affecting a lot of people. It was a massive blocker for me this morning. You seem to have answered similar issues before. Thanks in advance.

DelusionalLogic commented 6 years ago

So it seems like a simple oversight.

2 years ago, this commit removed GlobalSign R3 from the pin list, supposedly because they were going to be using R2 from now on. Unfortunately for them, the new cert they were issued May 2nd is actually from R3, meaning that the pin list is now broken.

Adding the old R3 pin back into the list fixes the issue, since their cert hasn't changed.

PS: The front page at lastpass.com is actually still serving the old R2 cert, but lastpass.com/login.html is serving the new R3 cert, indicating that they are two separate SSL terminators.

bcopeland commented 6 years ago

@dogik unfortunately I no longer work at LastPass so I can't do anything about it...

@rutkai can you find out why the intermediate certs changed and undo that pretty please? It should work even if the root cert is not pinned.

DelusionalLogic commented 6 years ago

It seems like GlobalSign got a new intermediate cert Sep 21st 2016, half a year after the last update to the pin list.

karlney commented 6 years ago

I am also affected. lpass worked well yesterday but today it stopped working with the following error:

       Error: Peer certificate cannot be authenticated with given CA certificates.

I am running the latest master version - built it today (2018-05-16)

I am using Linux Mint v 18.2

bcopeland commented 6 years ago

Ok, well I guess we pinned the primary and the leaf, not the intermediate... I don't know if it is possible for LP to get a new cert with the old key (assuming GlobalSign won't issue another R2 cert), but obviously I have no say in cert procurement anymore so I guess reverting that commit is the best we can do for now

RevHokan commented 6 years ago

Based on comments by @DelusionalLogic and @bcopeland I added these lines to pins.h and now things seem to work:

       /* future lastpass root CA (GlobalSign R1) */
       "K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=",
       /* future lastpass root CA (GlobalSign R3) */
       "cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A=",

I'm guessing I really only need the last one.
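
The failure mode this thread converges on, modelled as an added example (not code from lastpass-cli or from any commenter): it assumes the pins.h entries are base64 SHA-256 digests of each certificate's SubjectPublicKeyInfo, and that a connection is accepted when any certificate in the verified chain (root included) matches a pin. `fake_cert`, the key labels and both chains are constructed stand-ins; `spki_pin` itself works on real DER certificates.

```python
import base64
import hashlib

def tlv(tag, value):
    """DER-encode one short element (the constructed samples stay under 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, off, off + length

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate."""
    _, off, _ = read_tlv(cert_der, 0)      # Certificate -> start of tbsCertificate
    _, off, _ = read_tlv(cert_der, off)    # tbsCertificate -> its first field
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                        # skip the optional [0] version field
        off = end
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    _, _, end = read_tlv(cert_der, off)    # subjectPublicKeyInfo, header included
    return base64.b64encode(hashlib.sha256(cert_der[off:end]).digest()).decode()

def first_pinned(chain, pins):
    """Index of the first chain certificate whose pin is listed, else -1."""
    return next((i for i, c in enumerate(chain) if spki_pin(c) in pins), -1)

def fake_cert(key_label):
    """Constructed stand-in: X.509 field layout, dummy key bytes, no real signature."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x03")) + tlv(0x03, b"\x00" + key_label))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

# Constructed scenario: the shipped list pins the leaf and one root, then the
# site moves to a new leaf key issued under a different root.
old_chain = [fake_cert(b"leaf-2016"), fake_cert(b"intermediate-A"), fake_cert(b"root-R2")]
new_chain = [fake_cert(b"leaf-2018"), fake_cert(b"intermediate-B"), fake_cert(b"root-R3")]
shipped_pins = {spki_pin(old_chain[0]), spki_pin(old_chain[2])}
fixed_pins = shipped_pins | {spki_pin(new_chain[2])}   # the other root added back
```

For a real PEM certificate, convert it with `ssl.PEM_cert_to_DER_cert` from the standard library before calling `spki_pin`.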

bcopeland commented 6 years ago

I went ahead and sent a PR for reverting that commit (adding back the other 2 roots), but I can't merge it, @rutkai will have to do that.

ghost commented 6 years ago

As I'm an enterprise user, I've submitted a support ticket linking to this issue.

karlney commented 6 years ago

The fix @RevHokan suggested works for me as well, changing the pins.h file and re-building

supernomad commented 6 years ago

Can confirm the fix @RevHokan posted indeed works.

paulgear commented 6 years ago

Merging the change from @bcopeland's PR and recompiling did not work for me. Still gives the same error on attempting ./lpass show NNNN

hirenshah005 commented 6 years ago

Can anyone please tell me how I can fix this issue with my LP?

austinbutler commented 6 years ago

@hirenshah005 see https://github.com/lastpass/lastpass-cli/issues/409#issuecomment-389648977.

jballment commented 6 years ago

I pulled this patch as well and lpass is now working for me as well.

Ozzyboshi commented 6 years ago

Recompiling with the pins.h as suggested by @bcopeland fixes the issue. Thanks a lot for your help.

cytopyge commented 6 years ago

Same issue with LastPass CLI v1.2.2 under Linux 4.16.8-1-ARCH x86_64 GNU/Linux.

Checking solutions issued ...

wknapik commented 6 years ago

Arch users will be happy to hear that the distro package, updated 100min ago, already contains the patch (kudos to @mtorromeo for the quick reaction!). Everyone else has to patch manually and recompile.

rutkai commented 6 years ago

Fix is in the master branch and is included in the latest version 1.3.1. Thank you for the contribution!

jmehnle commented 6 years ago

Ubuntu's corresponding bug report is https://bugs.launchpad.net/ubuntu/+source/lastpass-cli/+bug/1555562. No ETA on a 1.3.1 release.

CMoH commented 6 years ago

Let me add the Gentoo equivalent then: https://bugs.gentoo.org/656016

userdash commented 6 years ago

Dear @RevHokan, may I ask where we can find (path) this pins.h file in Ubuntu OS? Thanks in advance.

douglaswth commented 6 years ago

@userdash it's a file in the top level of the repo: https://github.com/lastpass/lastpass-cli/blob/master/pins.h

Xtigyro commented 5 years ago

It appears it's still not fixed in SLES 12 - reported it today: https://bugzilla.suse.com/show_bug.cgi?id=1139563