AUR certificate reports as expired but it's not

Hello,

I did a clean installation of Manjaro (KDE) a few days ago on my laptop.
Since then, I was unable to install anything from AUR, because my laptop thinks that the AUR SSL certificate is expired, while it’s completely valid and working fine for others.
I was able to reduce it to a simple reproducer, a single curl command:

My laptop:

curl -vI https://aur.archlinux.org
*   Trying 95.216.144.15:443...
* Connected to aur.archlinux.org (95.216.144.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Any other computer:

» curl -vI https://aur.archlinux.org
*   Trying 95.216.144.15:443...
* Connected to aur.archlinux.org (95.216.144.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=aur.archlinux.org
*  start date: Nov 14 05:48:21 2021 GMT
*  expire date: Feb 12 05:48:20 2022 GMT
*  subjectAltName: host "aur.archlinux.org" matched cert's "aur.archlinux.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f7a7780d600)
> HEAD / HTTP/2
> Host: aur.archlinux.org
> user-agent: curl/7.77.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: nginx
server: nginx
< date: Tue, 04 Jan 2022 13:55:14 GMT
date: Tue, 04 Jan 2022 13:55:14 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< cache-control: no-cache, must-revalidate
cache-control: no-cache, must-revalidate
< expires: Tue, 11 Oct 1988 22:00:00 GMT
expires: Tue, 11 Oct 1988 22:00:00 GMT
< pragma: no-cache
pragma: no-cache
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=31536000; includeSubdomains; preload
strict-transport-security: max-age=31536000; includeSubdomains; preload

<
* Connection #0 to host aur.archlinux.org left intact

echo | openssl s_client -showcerts -servername aur.archlinux.org -connect aur.archlinux.org:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep -A 2 Validity
        Validity
            Not Before: Nov 14 05:48:21 2021 GMT
            Not After : Feb 12 05:48:20 2022 GMT

I found what seems related, but I don’t know how to verify/check/fix this, and it’s a year-old issue.

I obviously tried to install different AUR helpers until I realized it’s not AUR/helpers, but my system which for some reason thinks that the certs are invalid.
Any ideas how to fix it? I don’t even know where to start looking.

Thank you.

I don’t know much about the issue, but that thread was posted on 28 Dec 2021, so it’s a year old but not a year old :wink: Maybe try again with a newer ISO.

Well, it’s last year, so it’s an old issue right? :rofl:
For some reason I thought it was from 2020 not 2021.

I would like to avoid a reinstall; I spent a couple of days fine-tuning it, installing all needed software and cloning all my work git repos (it’s a working laptop).

Since certificates are provided by packages and this is a new install
(and also of course because you should be fully synced before installing new things)

Are you up to date?

sudo pacman-mirrors -g && sudo pacman -Syyu

@cscs Yes I’m up2date.

inxi -Fazy

([HowTo] Provide System Information)

System:
  Kernel: 5.15.12-1-MANJARO x86_64 bits: 64 compiler: gcc v: 11.1.0
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-5.15-x86_64
    root=UUID=472152ba-a265-41cd-9725-539b41de7fcd rw rootflags=subvol=@ quiet
    cryptdevice=UUID=9015aa3c-c546-4ddf-9c19-8c1d5848c92b:luks-9015aa3c-c546-4ddf-9c19-8c1d5848c92b
    root=/dev/mapper/luks-9015aa3c-c546-4ddf-9c19-8c1d5848c92b
    resume=/dev/mapper/luks-54234351-a1d4-43aa-ba69-005c70b2030f
    udev.log_priority=3
  Desktop: KDE Plasma 5.23.4 tk: Qt 5.15.2 wm: kwin_x11 vt: 1 dm: SDDM
    Distro: Manjaro Linux base: Arch Linux
Machine:
  Type: Laptop System: LENOVO product: 20UHS09300 v: ThinkPad T14s Gen 1
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: LENOVO model: 20UHS09300 serial: <superuser required> UEFI: LENOVO
    v: R1CET66W(1.35 ) date: 07/30/2021
Battery:
  ID-1: BAT0 charge: 52.6 Wh (100.0%) condition: 52.6/57.0 Wh (92.3%)
    volts: 12.9 min: 11.5 model: Celxpert 5B10W139 type: Li-poly
    serial: <filter> status: Full cycles: 64
CPU:
  Info: model: AMD Ryzen 7 PRO 4750U with Radeon Graphics bits: 64
    type: MT MCP arch: Zen 2 family: 0x17 (23) model-id: 0x60 (96) stepping: 1
    microcode: 0x8600106
  Topology: cpus: 1x cores: 8 tpc: 2 threads: 16 smt: enabled cache:
    L1: 512 KiB desc: d-8x32 KiB; i-8x32 KiB L2: 4 MiB desc: 8x512 KiB L3: 8 MiB
    desc: 2x4 MiB
  Speed (MHz): avg: 1842 high: 4116 min/max: 1400/1700 boost: enabled
    scaling: driver: acpi-cpufreq governor: schedutil cores: 1: 3706 2: 4116
    3: 1569 4: 1620 5: 1420 6: 1717 7: 1498 8: 1397 9: 2642 10: 1397 11: 1408
    12: 1397 13: 1397 14: 1397 15: 1397 16: 1397 bogomips: 54323
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Vulnerabilities:
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: spec_store_bypass
    mitigation: Speculative Store Bypass disabled via prctl and seccomp
  Type: spectre_v1
    mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Full AMD retpoline, IBPB: conditional,
    IBRS_FW, STIBP: conditional, RSB filling
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: AMD Renoir vendor: Lenovo driver: amdgpu v: kernel bus-ID: 06:00.0
    chip-ID: 1002:1636 class-ID: 0300
  Device-2: IMC Networks Integrated Camera type: USB driver: uvcvideo
    bus-ID: 2-2:2 chip-ID: 13d3:5405 class-ID: fe01 serial: <filter>
  Display: x11 server: X.org 1.21.1.2 compositor: kwin_x11 driver:
    loaded: amdgpu,ati unloaded: modesetting alternate: fbdev,vesa
    resolution: <missing: xdpyinfo>
  Message: Unable to show advanced data. Required tool glxinfo missing.
Audio:
  Device-1: AMD vendor: Lenovo driver: snd_hda_intel v: kernel bus-ID: 06:00.1
    chip-ID: 1002:1637 class-ID: 0403
  Device-2: AMD Raven/Raven2/FireFlight/Renoir Audio Processor
    vendor: Lenovo driver: snd_rn_pci_acp3x v: kernel
    alternate: snd_pci_acp3x,snd_pci_acp5x bus-ID: 06:00.5 chip-ID: 1022:15e2
    class-ID: 0480
  Device-3: AMD Family 17h HD Audio vendor: Lenovo driver: snd_hda_intel
    v: kernel bus-ID: 06:00.6 chip-ID: 1022:15e3 class-ID: 0403
  Sound Server-1: ALSA v: k5.15.12-1-MANJARO running: yes
  Sound Server-2: JACK v: 1.9.19 running: no
  Sound Server-3: PulseAudio v: 15.0 running: yes
  Sound Server-4: PipeWire v: 0.3.42 running: yes
Network:
  Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
    vendor: Lenovo driver: r8169 v: kernel port: 2400 bus-ID: 02:00.0
    chip-ID: 10ec:8168 class-ID: 0200
  IF: enp2s0f0 state: down mac: <filter>
  Device-2: Intel Wi-Fi 6 AX200 driver: iwlwifi v: kernel bus-ID: 03:00.0
    chip-ID: 8086:2723 class-ID: 0280
  IF: wlp3s0 state: up mac: <filter>
Bluetooth:
  Device-1: Intel AX200 Bluetooth type: USB driver: btusb v: 0.8 bus-ID: 6-4:4
    chip-ID: 8087:0029 class-ID: e001
  Report: rfkill ID: hci0 rfk-id: 3 state: down bt-service: enabled,running
    rfk-block: hardware: no software: yes address: see --recommends
Drives:
  Local Storage: total: 476.94 GiB used: 47.89 GiB (10.0%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung
    model: MZVLB512HBJQ-000L7 size: 476.94 GiB block-size: physical: 512 B
    logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter>
    rev: 5M2QEXF7 temp: 43.9 C scheme: GPT
Partition:
  ID-1: / raw-size: 442.92 GiB size: 442.92 GiB (100.00%)
    used: 47.88 GiB (10.8%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-9015aa3c-c546-4ddf-9c19-8c1d5848c92b
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 712 KiB (0.2%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:1
  ID-3: /home raw-size: 442.92 GiB size: 442.92 GiB (100.00%)
    used: 47.88 GiB (10.8%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-9015aa3c-c546-4ddf-9c19-8c1d5848c92b
  ID-4: /var/log raw-size: 442.92 GiB size: 442.92 GiB (100.00%)
    used: 47.88 GiB (10.8%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-9015aa3c-c546-4ddf-9c19-8c1d5848c92b
Swap:
  Kernel: swappiness: 60 (default) cache-pressure: 100 (default)
  ID-1: swap-1 type: partition size: 33.71 GiB used: 0 KiB (0.0%)
    priority: -2 dev: /dev/dm-1 maj-min: 254:1
    mapped: luks-54234351-a1d4-43aa-ba69-005c70b2030f
Sensors:
  System Temperatures: cpu: 83.0 C mobo: N/A gpu: amdgpu temp: 57.0 C
  Fan Speeds (RPM): fan-1: 3100
Info:
  Processes: 428 Uptime: 1d 1h 16m wakeups: 25 Memory: 30.65 GiB
  used: 12.37 GiB (40.4%) Init: systemd v: 250 tool: systemctl Compilers:
  gcc: 11.1.0 Packages: 1178 pacman: 1171 lib: 317 snap: 7 Shell: Zsh v: 5.8
  default: Bash v: 5.1.12 running-in: konsole inxi: 3.3.11

Mk… let’s check the packages:

pacman -Qs certificates

Also … what about your region/date/time settings? Is everything fine?
And related - any hiccups while general browsing? Can you access aur.archlinux.org in the browser?

Packages:

pacman -Qs certificates
local/ca-certificates 20210603-1
    Common CA certificates (default providers)
local/ca-certificates-mozilla 3.73.1-1
    Mozilla's set of trusted CA certificates
local/ca-certificates-utils 20210603-1
    Common CA certificates (utilities)
local/libksba 1.6.0-1
    Library for working with X.509 certificates, CMS data and related objects

My region settings seem to be OK, at least I don’t see any issues.
I’m using the Europe/Prague timezone, but with the US locale.

locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_COLLATE="en_US.UTF-8"
LC_MONETARY=en_US.UTF-8
LC_MESSAGES="en_US.UTF-8"
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8
LC_ALL=

As for browsing, everything seems to be working just fine. I don’t have any issues with SSL certificates anywhere else except AUR. Even the browsers (vivaldi/firefox) can see that the certificate on AUR web is ok. Only cmdline tools don’t see that.

I just realized that I have installed my company’s certificate on my laptop, but I can’t imagine how that could affect some other certificates from some website.
I did that following the instructions here: User:Grawity/Adding a trusted CA certificate - ArchWiki,Fedora(p11-kit)

Does that mean you did the section "System-wide – Arch, Fedora (p11-kit)"? Or all of them? Or?..

In any case, based on that … maybe we check all your cert files
(note - if you added a custom one and don’t want its title/info showing, edit before copying)

find /etc/ca-certificates -type f -exec du -Sh {} +

I did the system-wide setup only, the command

trust anchor --store myCA.crt

did not work, gave me the described error, so I just copied the file and ran the update command.

Here is the list of all 146 of my certs, I excluded the company one.

4.0K    /etc/ca-certificates/extracted/cadir/Certificate_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certificate_Authority.1.pem
4.0K    /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem
4.0K    /etc/ca-certificates/extracted/cadir/Let_s_Encrypt_Authority_X3.pem
4.0K    /etc/ca-certificates/extracted/cadir/R3.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certificate_Authority.2.pem
4.0K    /etc/ca-certificates/extracted/cadir/ACCVRAIZ1.pem
4.0K    /etc/ca-certificates/extracted/cadir/AC_RAIZ_FNMT-RCM.pem
4.0K    /etc/ca-certificates/extracted/cadir/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
4.0K    /etc/ca-certificates/extracted/cadir/Actalis_Authentication_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/AffirmTrust_Commercial.pem
4.0K    /etc/ca-certificates/extracted/cadir/AffirmTrust_Networking.pem
4.0K    /etc/ca-certificates/extracted/cadir/AffirmTrust_Premium.pem
4.0K    /etc/ca-certificates/extracted/cadir/AffirmTrust_Premium_ECC.pem
4.0K    /etc/ca-certificates/extracted/cadir/Amazon_Root_CA_1.pem
4.0K    /etc/ca-certificates/extracted/cadir/Amazon_Root_CA_2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Amazon_Root_CA_3.pem
4.0K    /etc/ca-certificates/extracted/cadir/Amazon_Root_CA_4.pem
4.0K    /etc/ca-certificates/extracted/cadir/ANF_Secure_Server_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Atos_TrustedRoot_2011.pem
4.0K    /etc/ca-certificates/extracted/cadir/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
4.0K    /etc/ca-certificates/extracted/cadir/Baltimore_CyberTrust_Root.pem
4.0K    /etc/ca-certificates/extracted/cadir/Buypass_Class_2_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Buypass_Class_3_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/CA_Disig_Root_R2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certigna.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certigna_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/certSIGN_ROOT_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/certSIGN_Root_CA_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certum_EC-384_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certum_Trusted_Network_CA_2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certum_Trusted_Network_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Certum_Trusted_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/CFCA_EV_ROOT.pem
4.0K    /etc/ca-certificates/extracted/cadir/Comodo_AAA_Services_root.pem
4.0K    /etc/ca-certificates/extracted/cadir/COMODO_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/COMODO_ECC_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/COMODO_RSA_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/Cybertrust_Global_Root.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Assured_ID_Root_G3.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Global_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Global_Root_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Global_Root_G3.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_High_Assurance_EV_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/DigiCert_Trusted_Root_G4.pem
4.0K    /etc/ca-certificates/extracted/cadir/D-TRUST_Root_Class_3_CA_2_2009.pem
4.0K    /etc/ca-certificates/extracted/cadir/D-TRUST_Root_Class_3_CA_2_EV_2009.pem
4.0K    /etc/ca-certificates/extracted/cadir/EC-ACC.pem
4.0K    /etc/ca-certificates/extracted/cadir/emSign_ECC_Root_CA_-_C3.pem
4.0K    /etc/ca-certificates/extracted/cadir/emSign_ECC_Root_CA_-_G3.pem
4.0K    /etc/ca-certificates/extracted/cadir/emSign_Root_CA_-_C1.pem
4.0K    /etc/ca-certificates/extracted/cadir/emSign_Root_CA_-_G1.pem
4.0K    /etc/ca-certificates/extracted/cadir/Entrust.net_Premium_2048_Secure_Server_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Entrust_Root_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/Entrust_Root_Certification_Authority_-_EC1.pem
4.0K    /etc/ca-certificates/extracted/cadir/Entrust_Root_Certification_Authority_-_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Entrust_Root_Certification_Authority_-_G4.pem
4.0K    /etc/ca-certificates/extracted/cadir/ePKI_Root_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/e-Szigno_Root_CA_2017.pem
4.0K    /etc/ca-certificates/extracted/cadir/E-Tugra_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/GDCA_TrustAUTH_R5_ROOT.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_ECC_Root_CA_-_R4.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_ECC_Root_CA_-_R5.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_Root_CA_-_R2.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_Root_CA_-_R3.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_Root_CA_-_R6.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_Root_E46.pem
4.0K    /etc/ca-certificates/extracted/cadir/GlobalSign_Root_R46.pem
4.0K    /etc/ca-certificates/extracted/cadir/GLOBALTRUST_2020.pem
4.0K    /etc/ca-certificates/extracted/cadir/Go_Daddy_Class_2_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Go_Daddy_Root_Certificate_Authority_-_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/GTS_Root_R1.pem
4.0K    /etc/ca-certificates/extracted/cadir/GTS_Root_R2.pem
4.0K    /etc/ca-certificates/extracted/cadir/GTS_Root_R3.pem
4.0K    /etc/ca-certificates/extracted/cadir/GTS_Root_R4.pem
4.0K    /etc/ca-certificates/extracted/cadir/HARICA_TLS_ECC_Root_CA_2021.pem
4.0K    /etc/ca-certificates/extracted/cadir/HARICA_TLS_RSA_Root_CA_2021.pem
4.0K    /etc/ca-certificates/extracted/cadir/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
4.0K    /etc/ca-certificates/extracted/cadir/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
4.0K    /etc/ca-certificates/extracted/cadir/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
4.0K    /etc/ca-certificates/extracted/cadir/Hongkong_Post_Root_CA_1.pem
4.0K    /etc/ca-certificates/extracted/cadir/Hongkong_Post_Root_CA_3.pem
4.0K    /etc/ca-certificates/extracted/cadir/IdenTrust_Commercial_Root_CA_1.pem
4.0K    /etc/ca-certificates/extracted/cadir/IdenTrust_Public_Sector_Root_CA_1.pem
4.0K    /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
4.0K    /etc/ca-certificates/extracted/cadir/Izenpe.com.pem
4.0K    /etc/ca-certificates/extracted/cadir/Microsec_e-Szigno_Root_CA_2009.pem
4.0K    /etc/ca-certificates/extracted/cadir/Microsoft_ECC_Root_Certificate_Authority_2017.pem
4.0K    /etc/ca-certificates/extracted/cadir/Microsoft_RSA_Root_Certificate_Authority_2017.pem
4.0K    /etc/ca-certificates/extracted/cadir/NAVER_Global_Root_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/NetLock_Arany__Class_Gold__F__tan__s__tv__ny.pem
4.0K    /etc/ca-certificates/extracted/cadir/Network_Solutions_Certificate_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/OISTE_WISeKey_Global_Root_GB_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/OISTE_WISeKey_Global_Root_GC_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/QuoVadis_Root_CA_1_G3.pem
4.0K    /etc/ca-certificates/extracted/cadir/QuoVadis_Root_CA_2.pem
4.0K    /etc/ca-certificates/extracted/cadir/QuoVadis_Root_CA_2_G3.pem
4.0K    /etc/ca-certificates/extracted/cadir/QuoVadis_Root_CA_3.pem
4.0K    /etc/ca-certificates/extracted/cadir/QuoVadis_Root_CA_3_G3.pem
4.0K    /etc/ca-certificates/extracted/cadir/Secure_Global_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/SecureSign_RootCA11.pem
4.0K    /etc/ca-certificates/extracted/cadir/SecureTrust_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Security_Communication_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Security_Communication_RootCA2.pem
4.0K    /etc/ca-certificates/extracted/cadir/SSL.com_EV_Root_Certification_Authority_ECC.pem
4.0K    /etc/ca-certificates/extracted/cadir/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
4.0K    /etc/ca-certificates/extracted/cadir/SSL.com_Root_Certification_Authority_ECC.pem
4.0K    /etc/ca-certificates/extracted/cadir/SSL.com_Root_Certification_Authority_RSA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Staat_der_Nederlanden_EV_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Starfield_Class_2_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/Starfield_Root_Certificate_Authority_-_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Starfield_Services_Root_Certificate_Authority_-_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/SwissSign_Gold_CA_-_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/SwissSign_Silver_CA_-_G2.pem
4.0K    /etc/ca-certificates/extracted/cadir/SZAFIR_ROOT_CA2.pem
4.0K    /etc/ca-certificates/extracted/cadir/TeliaSonera_Root_CA_v1.pem
4.0K    /etc/ca-certificates/extracted/cadir/TrustCor_ECA-1.pem
4.0K    /etc/ca-certificates/extracted/cadir/TrustCor_RootCert_CA-1.pem
4.0K    /etc/ca-certificates/extracted/cadir/TrustCor_RootCert_CA-2.pem
4.0K    /etc/ca-certificates/extracted/cadir/Trustwave_Global_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/Trustwave_Global_ECC_P256_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/Trustwave_Global_ECC_P384_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/T-TeleSec_GlobalRoot_Class_2.pem
4.0K    /etc/ca-certificates/extracted/cadir/T-TeleSec_GlobalRoot_Class_3.pem
4.0K    /etc/ca-certificates/extracted/cadir/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
4.0K    /etc/ca-certificates/extracted/cadir/TunTrust_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/TWCA_Global_Root_CA.pem
4.0K    /etc/ca-certificates/extracted/cadir/TWCA_Root_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/UCA_Extended_Validation_Root.pem
4.0K    /etc/ca-certificates/extracted/cadir/UCA_Global_G2_Root.pem
4.0K    /etc/ca-certificates/extracted/cadir/USERTrust_ECC_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/USERTrust_RSA_Certification_Authority.pem
4.0K    /etc/ca-certificates/extracted/cadir/XRamp_Global_CA_Root.pem
208K    /etc/ca-certificates/extracted/tls-ca-bundle.pem
160K    /etc/ca-certificates/extracted/email-ca-bundle.pem
8.0K    /etc/ca-certificates/extracted/objsign-ca-bundle.pem
256K    /etc/ca-certificates/extracted/ca-bundle.trust.crt
152K    /etc/ca-certificates/extracted/edk2-cacerts.bin
4.0K    /etc/ca-certificates/trust-source/Certificate_Authority.p11-kit
4.0K    /etc/ca-certificates/trust-source/Certificate_Authority.1.p11-kit
4.0K    /etc/ca-certificates/trust-source/DST_Root_CA_X3.p11-kit
4.0K    /etc/ca-certificates/trust-source/Let_s_Encrypt_Authority_X3.p11-kit
4.0K    /etc/ca-certificates/trust-source/R3.p11-kit

Darn … it’s a bit garbled to easily compare…
But I do notice entries in ../trust-source/ even though you removed the custom entry.
I note it because … I don’t have anything in there.

All right, I wiped all files in

/etc/ca-certificates/trust-source/*
update-ca-trust

and surprisingly, the curl command started working just fine.
I am astonished, but at least I now know what’s the culprit.

Aha!
OK. Well, there’s something amiss with those added files, or how they are recognized/implemented.
I have to guess that they came from your previous additions and/or one of the functions you performed at that time.
Now I guess you can get back to applying the cert you need, and know what to do when it produces funny results. :sweat_smile:

After wiping all files and re-installing my company certificate, suddenly the command works as expected.

trust anchor --store <my.crt>

And curl to AUR / pamac is happy again.

Thank you very much for the help @cscs, the short summary of the fix is:

  • Delete files you don’t know about from
    /etc/ca-certificates/trust-source/*
    update-ca-trust
  • Install only those extra certs you want/need
  • Profit

Thank you
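
Added example, not part of the original thread: a read-only check that reports, for every file under a trust-source directory, whether the certificate it holds has already expired, so stale anchors can be identified before anything is deleted. It goes slightly beyond the thread by also flagging certificates that expire within a chosen window. The helper names audit_trust_dir and make_sample_dir are assumptions, the sample certificate is constructed, and the only external tools used are openssl x509, openssl req, awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of locally added trust
# anchors. audit_trust_dir and make_sample_dir are hypothetical helper names.

# audit_trust_dir [DIR] [WINDOW_SECONDS]
#   DIR             directory to scan, including one level of subdirectories
#                   (default: the trust-source path discussed in the thread)
#   WINDOW_SECONDS  also flag certificates that expire within this many seconds
# Prints STATUS<TAB>notAfter<TAB>subject<TAB>path for every file.
# Returns 1 if any certificate is EXPIRED or EXPIRING, otherwise 0.
audit_trust_dir() (
    dir=${1:-/etc/ca-certificates/trust-source}
    window=${2:-0}
    flagged=0
    for file in "$dir"/* "$dir"/*/*; do
        [ -f "$file" ] || continue
        # A .p11-kit file wraps its PEM block in attribute lines; keep only the
        # first certificate block so plain .pem/.crt files are handled as well.
        pem=$(awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print}
                   p && /-----END CERTIFICATE-----/{exit}' "$file")
        if [ -z "$pem" ]; then
            printf 'NOCERT\t-\t-\t%s\n' "$file"
            continue
        fi
        end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || {
            printf 'UNREADABLE\t-\t-\t%s\n' "$file"
            continue
        }
        subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null)
        # -checkend N exits non-zero when the certificate is no longer valid
        # N seconds from now; N=0 therefore means "already expired".
        if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
            status=EXPIRED; flagged=1
        elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null 2>&1; then
            status=EXPIRING; flagged=1
        else
            status=OK
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "${end#notAfter=}" "${subject#subject=}" "$file"
    done
    exit "$flagged"
)

# Constructed sample input: a throwaway directory holding one self-signed
# certificate valid for 1 day, wrapped in simplified p11-kit style attribute
# lines, plus one file without any certificate. Prints the directory path.
make_sample_dir() (
    d=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-sample-ca' \
        -keyout "$d/key.tmp" -out "$d/cert.tmp" >/dev/null 2>&1 || exit 1
    {
        printf '[p11-kit-object-v1]\nlabel: "constructed-sample-ca"\ntrusted: true\n'
        cat "$d/cert.tmp"
    } > "$d/Sample_CA.p11-kit"
    printf 'not a certificate\n' > "$d/notes.txt"
    rm -f "$d/key.tmp" "$d/cert.tmp"
    printf '%s\n' "$d"
)
```

Calling audit_trust_dir with no arguments scans /etc/ca-certificates/trust-source and changes nothing on disk; a second argument such as 2592000 also flags anchors that expire within 30 days.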
