runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

Build fails with certificate issue #109

Closed proever closed 2 years ago

proever commented 2 years ago

Hi there, I am trying to build from source for my DS220+/DSM 7.0 (installing the available release gives "Invalid file format").

The command I am running is

sudo docker run --rm --privileged --env PACKAGE_ARCH=geminilake --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk -v $(pwd)/tarballs:/toolkit_tarballs synobuild

The build is failing with the following error

wget https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2
--2021-10-08 06:28:17--  https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2
Resolving netfilter.org (netfilter.org)... 92.243.18.11, 2001:4b98:dc0:43:216:3eff:fe87:a456
Connecting to netfilter.org (netfilter.org)|92.243.18.11|:443... connected.
ERROR: cannot verify netfilter.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to netfilter.org insecurely, use `--no-check-certificate'.
Makefile:26: recipe for target 'libmnl-1.0.4.tar.bz2' failed

I saw that you attempt to mitigate this issue by copying the certificates into the build env on L89 of build.sh, but it doesn't seem to be working for some reason. Any ideas why this might be the case?

stepanovdg commented 2 years ago

The same issue on apollolake. Tried on Mac, Fedora 34, and on the Synology itself. (((

stepanovdg commented 2 years ago

Tried adding --no-check-certificate to all calls of wget in the Makefile. That helped.

nperraud commented 2 years ago

@stepanovdg your solution does work indeed. However, I don't really feel like having no certificate when I build a VPN package. :-)

I guess it is related to the end of life of the Let's Encrypt certificate. I have no idea how to fix this.
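Added example (not part of the thread and not the project's code): one way to keep the libmnl download fail-closed while TLS verification is relaxed is to pin the tarball's SHA-256 and check it before the build uses the file. The function names are hypothetical, and `<PINNED_SHA256>` is a placeholder for a digest obtained from a source you trust.

```shell
# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and its digest equals the pin.
# Returns 2 if the pin is not 64 hex characters (e.g. an unfilled placeholder).
# On a mismatch the file is deleted so a later make step cannot pick it up.
verify_tarball() {
    local file expected actual
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "verify_tarball: pin is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_tarball: pin is not 64 hex chars" >&2; return 2; }
    [ -f "$file" ] || { echo "verify_tarball: $file not found" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify_tarball: digest mismatch for $file (got $actual)" >&2
        rm -f -- "$file"
        return 1
    fi
    return 0
}

# fetch_pinned URL FILE EXPECTED_SHA256 [extra wget options...]
# Downloads URL to FILE, then verifies it. Any extra wget options are passed
# through explicitly by the caller, so a relaxed TLS setting is visible at the
# call site instead of being hidden inside the helper.
fetch_pinned() {
    local url file pin
    url=$1; file=$2; pin=$3
    shift 3
    wget "$@" -O "$file" "$url" || return 1
    verify_tarball "$file" "$pin"
}

# Usage with the URL from the build log above (digest left as a placeholder):
#   fetch_pinned https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2 \
#       libmnl-1.0.4.tar.bz2 "<PINNED_SHA256>"
```

With the placeholder left unfilled, `verify_tarball` returns 2 and the build stops instead of continuing with an unverified file.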

stepanovdg commented 2 years ago

@nperraud As far as I know it's related to the root CA authority. The scheme was IdenTrust's DST Root CA X3 -> ISRG Root X1 -> Let's Encrypt R3 -> User certificate. Let's Encrypt was using DST Root CA X3 and it's finished. So it's just a question of time when the OS would add ISRG Root X1 as trusted, even if it has already existed for 5 years.

I was able to download this package on my system without skipping the check - so it seems fine for me. I also tried to put it in the same folder with the other tarballs. But the tarballs are used in the init script and this libmnl in the make process - which I am not familiar with ( If we could preinstall it somehow globally in the Dockerfile, that would resolve the issue with make.

stepanovdg commented 2 years ago

Also, in the Dockerfile root CAs are installed, but I am not sure about the openssl version. 1.0.x has trouble with ISRG Root X1, so maybe updating openssl to 1.1.x would resolve this issue.

jon6fingrs commented 2 years ago

I added the no certificate flag to the Makefile and got the same certificate issues. Tried mounting my ssl cert folder into the docker container. Still no luck.

Has anyone else figured out a work around?

jan-di commented 2 years ago

> Has anyone else figured out a work around?

@jon6fingrs the workaround described above works for me. Did you rebuild the docker container after you edited the Makefile?

jon6fingrs commented 2 years ago

The problem is I'm an idiot and forgot that. Worked great. Thank you!


systemcrash commented 2 years ago

Alright people? This could be a workable fix: https://stackoverflow.com/a/69407725 or https://stackoverflow.com/a/69440350