Open JaFojtik opened 2 months ago
No. Our guy from IT told me that the problem is probably that pacman rejects the corporate self-signed certificate. There is no line about the necessity of corporate self-signed and root-signed certificates. I obtain no debug info that a certificate is not accepted.
I have attempted both: certificates extracted from Firefox, and a certificate from our IT.
Hello,
I do not understand the problem. I think that a ROOT certificate is always self-signed. Is this problem solvable with this SSL inspection in the way?
Thank you.
Here is part of error messages:
```
$ pacman -Sy
:: Synchronizing package databases...
 clangarm64.db failed to download
 mingw32.db failed to download
 mingw64.db failed to download
 ucrt64.db failed to download
 clang32.db failed to download
error: failed retrieving file 'mingw32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from mirror.msys2.org, skipping for the remainder of this transaction
error: failed retrieving file 'clangarm64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'ucrt64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from repo.msys2.org, skipping for the remainder of this transaction
```
And here is a certificate chain list by openssl s_client:
```
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CFEE67F2BEB534A5B21FD8AC39CBFB2F7C68C592022F10E29E293489A599DDF3
    Session-ID-ctx:
    Master-Key: 0E0C57C351E64C24DDA5471555890FFB5AFB3A870139E140AD663879D7F09278BF534C2FA1B0D930F0CE70C47E0B0C47
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1713184041
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
```
I have followed all recommendations for using corporate certificates. Unfortunately, I cannot make pacman work properly.
I have asked our IT department and they gave me this certificate: zsc.zip. It also does not work. PEMs from Firefox: PEM.zip
One guy from our IT told me that pacman needs the corporate certificate to be root-signed. This corporate certificate is only self-signed; it comes from the external company Zscaler and we cannot do anything with it.
Is it possible to completely turn off SSL verification?