Re: armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Mark Jonas
Hi Reco, >> curl: (60) SSL certificate problem: unable to get local issuer certificate >> >> Does that mean a TLS library does not feature all required protocols on >> armhf? > > TLS library that curl uses (openssl) is perfectly fine, but it cannot > validate any certificate unless you provide

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Reco, > > > Ok. Can you run tcpdump while you're running curl? > > > Specifically, > > > > > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443 > > > > I tried to dump from within the running container but failed. > > It's way too complicated. Docker is basically one big NAT, so please >

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Thomas, > > curl https://www.google.com still fails on the armhf host. So QEMU is > > out of the game. > > Someone hinted at ca_certificates. To verify that, you could try with > the option "-k" for curl. Then the server certificate isn't checked. Yes, "curl -k https:/www.google.com"

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Reco, > > I used the identical image to run the container on an armhf host > > (Raspberry Pi 3). So there is now no QEMU in the way. > > Curious. Just tested it with curl at Marvell Armada 385 (runs Debian 10, > armhf), works as supposed to. > I could also test it on Exynos 5422 (also runs

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Tomas, > > Yes, "curl -k https:/www.google.com" succeeds. > > Then it's quite probable that the problem lies with certificate > resolution. Either it doesn't find a trusted root cert to validate > the server against, or the validation fails. > > You might try curl's -v option (with and without

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Reco, > > 1613 stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No > > such file or directory) > > Presumably ca-certificates postinst script hasn't run, because these > symlinks missing ain't normal. Ubuntu 18.04 on my PC gives more or less the same errors but succeeds. So I

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Reco, > > What now? How do I get this fixed in Debian and/or the official > > container image? > > I was under the impression that you're creating your own docker > container anyway. > Add it to docker build file or whatever it's called. Yes, I have my own Dockerfile and I can add to it

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Reco, >> >> curl: (60) SSL certificate problem: unable to get local issuer certificate >> >> >> >> Does that mean a TLS library does not feature all required protocols on >> >> armhf? >> > >> > TLS library that curl uses (openssl) is perfectly fine, but it cannot >> > validate any certificate

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Greg, > You... *think* it's there? Why not actually look? > > unicorn:~$ ls -l /etc/ssl/certs/4a6481c9.0 > lrwxrwxrwx 1 root root 27 Jul 14 2018 /etc/ssl/certs/4a6481c9.0 -> > GlobalSign_Root_CA_-_R2.pem > > It takes a few seconds, and then you can remove all doubt. Correct, the file is

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Greg, > > How do I get in contact with somebody who can fix the problem in > > Debian Buster and/or the official Debian Buster arm32v7 Docker image? > > Looks a bit like > to me. Thanks a lot! Yes, this looks a lot like my problem.

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
KI_Root_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt lrwxrwxrwx 1 root root 61 May 1 13:06 thawte_Primary_Root_CA.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt lrwxrwxrwx 1 root root 66 May 1 13:06 tha

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Reco, > > Yes, I have my own Dockerfile and I can add to it whatever I want. But > > "dpkg-reconfigure ca-certificates" asks a lot of questions. And that > > list from 1 to 128 might eventually change. So I am puzzled how to > > automate that without human intervention. > > dpkg-reconfigure

armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Mark Jonas
Hi, I am building Docker images for amd64, armhf, and arm64. I have a very simple container based on debian:buster where curl works fine on amd64 and arm64 but fails on armhf [1]. This makes it very easy to reproduce the problem. # curl --version curl 7.64.0 (arm-unknown-linux-gnueabihf)