Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pacman does not work properly with our corporate certificate #4523

Open
JaFojtik opened this issue Apr 11, 2024 · 3 comments
Open

Pacman does not work properly with our corporate certificate #4523

JaFojtik opened this issue Apr 11, 2024 · 3 comments

Comments

@JaFojtik
Copy link

JaFojtik commented Apr 11, 2024

I has been followed all recomendations for using corporace certificates. Unfortunatelly I cannot make pacman working properly.

I have asked our IT department and they give me this certificate: zsc.zip it also does not work.
PEMs from Firefox: PEM.zip

One guy from our IT told me that pacman needs corporate certificate to be root signed. This corporate certificate is only self-signed, it does from external company Zscaller and we cannot do anything with it.

$ pacman -Fy widl.exe
error: mingw32: missing required signature
error: mingw64: missing required signature
error: ucrt64: missing required signature
error: clang32: missing required signature
error: clang64: missing required signature
error: msys: missing required signature
:: Synchronizing package databases...
error: failed to synchronize all databases (unable to lock database)

error: database 'clangarm64' is not valid (invalid or corrupted database (PGP signature))
error: database 'mingw32' is not valid (invalid or corrupted database (PGP signature))
error: database 'mingw64' is not valid (invalid or corrupted database (PGP signature))
error: database 'ucrt64' is not valid (invalid or corrupted database (PGP signature))
error: database 'clang32' is not valid (invalid or corrupted database (PGP signature))
error: database 'clang64' is not valid (invalid or corrupted database (PGP signature))
error: database 'msys' is not valid (invalid or corrupted database (PGP signature))

Is it possible to completelly turn off ssl verification?

@Biswa96
Copy link
Member

Biswa96 commented Apr 11, 2024

Does the workaround mentioned here work?

@JaFojtik
Copy link
Author

JaFojtik commented Apr 11, 2024

No. Our guy from IT told me that a problem is probably, that pacman rejects corporate self signed certificate. There is no line about corporate self signed and root signed neccessity. I obtain no debug info that a cetrifficate is not accepted.

I have attempted both, certificates extracted from Firefox, and a certificate from our IT.

@Lubixxx
Copy link

Lubixxx commented Apr 15, 2024

Hello,

I do not understand the problem. As I think, that ROOT certificate is always self-signed.
Is this problem solvable with this SSL inspection in the way?

Thank you.

Here is part of error messages:

$ pacman -Sy
:: Synchronizing package databases...
clangarm64.db failed to download
mingw32.db failed to download
mingw64.db failed to download
ucrt64.db failed to download
clang32.db failed to download
error: failed retrieving file 'mingw32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from mirror.msys2.org, skipping for the remainder of this transaction
error: failed retrieving file 'clangarm64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'ucrt64.db' from mirror.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw64.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'mingw32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
error: failed retrieving file 'clang32.db' from repo.msys2.org : SSL certificate problem: self-signed certificate in certificate chain
warning: too many errors from repo.msys2.org, skipping for the remainder of this transaction


And here is a certificate chain list by openssl s_client:

$ openssl s_client -proxy=127.0.0.1:9001 -connect repo.msys2.org:443 -showcerts
Connecting to 127.0.0.1
CONNECTED(00000004)
depth=3 C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=[email protected]
verify return:1
depth=2 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=[email protected]
verify return:1
depth=1 C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
verify return:1
depth=0 CN=repo.msys2.org
verify return:1

Certificate chain
0 s:CN=repo.msys2.org
i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgISf12cYOQm5e4t6lmKq7cTudOfMA0GCSqGSIb3DQEBCwUA
MIGKMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwM
WnNjYWxlciBJbmMuMRUwEwYDVQQLDAxac2NhbGVyIEluYy4xODA2BgNVBAMML1pz
Y2FsZXIgSW50ZXJtZWRpYXRlIFJvb3QgQ0EgKHpzY2xvdWQubmV0KSAodCkgMB4X
DTI0MDQxNDAzNDkxM1oXDTI0MDQyODAzNDkxM1owGTEXMBUGA1UEAxMOcmVwby5t
c3lzMi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLSRMSvrmB
C0DiIzdN/a7ZKxrcYMRXJf4COd8tsJgMCq3BXYVJkKCt/FIR62KCCdUiSPGnb0E4
ZBBD7ehnO4riNjoBGKhA9GwW4Qbvoni7G/p96tBwurLggRb0SEUG0crZnnHuWvXW
wjwQgeiXk5U06i1cyswKRXB8lSP8eU3grStR3DG3qBSXYJC32FaWd3mPQK4I3k66
t1SxjK/JEriCfS/7ihL2fUQWWIBVwvUorGoHMeKwzZkYfMAUzIm4AAX2WOF4cMM+
p/YGRgdrZZe8JFdfAFxzr2CLcgRbqi8HGG7Fkcu8bbyS2XzZ/DDPAJmz22WS+yEH
4XyQLdOI4RTrAgMBAAGjgZ8wgZwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMAwGA1UdEwEB/wQCMAAwGQYDVR0RBBIwEIIOcmVwby5tc3lzMi5vcmcwDgYD
VR0PAQH/BAQDAgWgMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9nYXRld2F5Lnpz
Y2xvdWQubmV0L3pzY2FsZXItenNjcmwtLTQtMS5jcmwwDQYJKoZIhvcNAQELBQAD
ggEBAEGPan77VlEhSPvKSSAie6VNhwBvg+2OZxWeHVuuFyCQ0rHqbdPzOYEY4x05
+tPE4FPix64Aepd58jd4zvwCP34cUrj8iJ6AexKnYeZCd4Y8S/+dwo0ucVFYT/BL
MwBZi5KaB8xK+EWgawod2pw4gdgb5X0/zVI3Yfdt/YPxHBsxCNVer+Y/raVIj3R+
3iCEZGQ/Ox36kCw5I0VTbR17kPVGvoT0juN+OUc5OeCGiT4y4mcCfVGvtItVSxW2
m2PiAvRCJXgz0mGzXDBrhB2/9Gt1mXGGv1bTJCGbd4UIPuMvnchrOtXDpPU+sEyO
EKdeoYgFNvP0B6Q6ijpKYOCkZCU=
-----END CERTIFICATE-----
1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)
i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=[email protected]
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 14 03:49:13 2024 GMT; NotAfter: Apr 28 03:49:13 2024 GMT
-----BEGIN CERTIFICATE-----
MIIEOTCCAyGgAwIBAgIEZhtSOTANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpzY2FsZXIgSW5jLjEV
MBMGA1UECxMMWnNjYWxlciBJbmMuMTMwMQYDVQQDEypac2NhbGVyIEludGVybWVk
aWF0ZSBSb290IENBICh6c2Nsb3VkLm5ldCkxIjAgBgkqhkiG9w0BCQEWE3N1cHBv
cnRAenNjYWxlci5jb20wHhcNMjQwNDE0MDM0OTEzWhcNMjQwNDI4MDM0OTEzWjCB
ijELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFpz
Y2FsZXIgSW5jLjEVMBMGA1UECwwMWnNjYWxlciBJbmMuMTgwNgYDVQQDDC9ac2Nh
bGVyIEludGVybWVkaWF0ZSBSb290IENBICh6c2Nsb3VkLm5ldCkgKHQpIDCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbptFW7eaaWY/b8OBsAoeoJkYKt
XhSx40PNv/IaFuWt92A2w6n8VCsV8r3ycyot9Q7ewjRtg8ka0ncQslVO09wju0Bi
aYjVIO/Y5AXC5WsoNG0lS6lzuGwQdqQ8teXAxZTBWkDlVYPGp5Ea370+dpdNbwoO
96JcLBJZnDBqkZXypeDaxw6ynjPyAgk8J3sCqQSIhiRf7DTEwwpR3/1dcQB4A7Gm
s5HEyu/UfXe/2k90nOh5yCndTxcOB4i8WFABNbXQ9FlWLThbRKsAhD7c4griRAHM
LFpt9svpsvXleGsTcDG4SoHbst3uTGi1mXUM8NCiYwcwwsS504v8X9rG0xMCAwEA
AaOBhTCBgjAdBgNVHQ4EFgQUNW3Spb+KR1RLjQQrecGQa3oQ6+YwDwYDVR0TAQH/
BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wQAYDVR0fBDkwNzA1oDOgMYYvaHR0cDov
L2dhdGV3YXkuenNjbG91ZC5uZXQvY3JsL3pzYy1rZWstLTQtMS5jcmwwDQYJKoZI
hvcNAQELBQADggEBAAMlOMp0W5Me81tSHVBjWjvs1yEbVLs/NLcNu3ynCCYh7X1b
0sSJpUhnB8ZAqj71yEb2xNSppbAtx4ZuprxVKiBUE2YPetmEYapHDu71spzkCQ22
Uc30TO7l2w6G0UFybuuym5hKl3jpVzorHBYSE7so6Iclpi1oaUMzIa33aZ4xfMAc
KLvoPphYm4FlubVxzeif+mS7DI9r7DcQVGOYGbyTCVh3VeWKvZvKRM+xIU+YBiiw
v2hLePOAxp2SnA6v5KBSafCPHU0KlwV0XQO7CxDq5HIbcnlIO06EIHOa9ZIMiS1n
SQgFOnz0g7bBU2wnPAVb9lDXfZLrxTvNMRsCot8=
-----END CERTIFICATE-----
2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net), emailAddress=[email protected]
i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=[email protected]
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 5 05:33:19 2020 GMT; NotAfter: Jun 23 05:33:19 2041 GMT
-----BEGIN CERTIFICATE-----
MIIEQTCCAymgAwIBAgICAQMwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEVMBMGA1UE
ChMMWnNjYWxlciBJbmMuMRUwEwYDVQQLEwxac2NhbGVyIEluYy4xGDAWBgNVBAMT
D1pzY2FsZXIgUm9vdCBDQTEiMCAGCSqGSIb3DQEJARYTc3VwcG9ydEB6c2NhbGVy
LmNvbTAeFw0yMDA2MDUwNTMzMTlaFw00MTA2MjMwNTMzMTlaMIGpMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UEChMMWnNjYWxlciBJbmMu
MRUwEwYDVQQLEwxac2NhbGVyIEluYy4xMzAxBgNVBAMTKlpzY2FsZXIgSW50ZXJt
ZWRpYXRlIFJvb3QgQ0EgKHpzY2xvdWQubmV0KTEiMCAGCSqGSIb3DQEJARYTc3Vw
cG9ydEB6c2NhbGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AL1jJ79rdyq82MQxBd5v0193M0+JE3VZpizKmfseQ5FjuTj6ai4Qhw/G3vL3VXa3
P24/MbfaDn5WPAMp2LmZhF+Mv7WmETbPy1wVi0U2WZKROe9MeQSfXiJi7mtLYluP
PHEkOeki2gXM+AXDO+pdY/HVNxYGC3uc37xpPafHzSB1aV4GyTi2L7m4bKlNl3GY
8WWKe1nJUwgZEd+Pa1HxneNvEz8cj7LvZysgXPqnT7MuKXcAWepbGz5jQlPWM4U5
Og0/hn8PEg/4gRwvjBKtUWDlHWNcynjTk6IJM0W2Qx9qUR5BDc/5cNJuh1trl8j/
BLKIPDc9W9o/E7bXgwoFtH8CAwEAAaN5MHcwHQYDVR0OBBYEFBFTWZHscKAsSZ9n
35ET0aF34xauMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH+MDsGA1UdHwQ0MDIw
MKAuoCyGKmh0dHA6Ly9nYXRld2F5LnpzY2xvdWQubmV0L2NybC96c2MtaW50LmNy
bDANBgkqhkiG9w0BAQsFAAOCAQEAEvJfnZHJUucldbDWSP8WfHPCnzbjbJr1RUtA
JZyC7+3kM4wx6TpVZj4Q+Y4/i3ebzDTROhiTe+6iTlcPmRh9Y+7EYQKw53IjGQsG
O7jwP3O3iHTzL1dZ9WbCEQ5jR6vNp3YZlv3YkOYNinb+fjvQpFcLS//SAnn0frwT
UUxGLewzGpW+KYfkF81ZF7m8ORHxmpYwhowjuLZ/lENZywzSQ44Jh5P6YVRDKq8m
8sfOTS2vZq1dyI41EFD/DLej1XcAJKscuDd4FYBp6BqTTwE0azXWFyPaaNV1QGrP
mAbSn8Bw1PBwPZQP0+D4bF60+Qgur6L3jlnh2kCpPTuy6Bqk0w==
-----END CERTIFICATE-----

Server certificate
subject=CN=repo.msys2.org
issuer=C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscloud.net) (t)

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits

SSL handshake has read 3740 bytes and written 412 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: CFEE67F2BEB534A5B21FD8AC39CBFB2F7C68C592022F10E29E293489A599DDF3
Session-ID-ctx:
Master-Key: 0E0C57C351E64C24DDA5471555890FFB5AFB3A870139E140AD663879D7F09278BF534C2FA1B0D930F0CE70C47E0B0C47
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1713184041
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants