I want to use pamac

For the last 24hrs I have the famous https://aur.manjaro.org/packages-meta-ext-v1.json.gz: Unacceptable TLS certificate

How do I fix this???
I have searched the forum, went through MASSIVE amount of posts, trying EVERYTHING suggested EXCEPT using third party software to download from AUR.
I installed Manjaro, I want to use the built in package manager for this.

EVERY other method of reaching https://aur.manjaro.org/packages-meta-ext-v1.json.gz works, whether it's curl, wget, open it in firefox, WHATEVER, the webserver IS WORKING, PAMAC IS NOT (or the method pamac is communicating is not working).

I KNOW when this happened, and you can argue as much as you want that “pacman or pacman-mirrors has nothing to do with pamac or aur”, but EVERY TIME pamac breaks one way or another for me is if I update my mirror lists. THERE IS CLEAR CORRELATION BETWEEN THIS. Maybe not causation, but definitely correlation!

Now, HOW DO I FIX THIS???
I have been patiently waiting for this to “fix itself”, waited more than 24h to install from aur. When will Manjaro fix this???

- Status: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. 
*** PKI verification of server certificate failed...

Full output:

gnutls-cli --tofu aur.manjaro.org                                                                                                                                                                INT ✘ 
Processed 161 CA certificate(s).
Resolving 'aur.manjaro.org:443'...
Connecting to '185.76.9.24:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=1715854792.rsc.cdn77.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x037902608019ad1cf6f91d6a1178e5e96d8a, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2023-04-27 17:10:39 UTC', expires `2023-07-26 17:10:38 UTC', pin-sha256="b4v2TA3Z2hy8+5FpaaG2ChyVYtGDqxzNrqmatiuz5tk="
        Public Key ID:
                sha1:95a5354419f961be90fbe8fa1215006d0264d263
                sha256:6f8bf64c0dd9da1cbcfb916969a1b60a1c9562d183ab1ccdaea99ab62bb3e6d9
        Public Key PIN:
                pin-sha256:b4v2TA3Z2hy8+5FpaaG2ChyVYtGDqxzNrqmatiuz5tk=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
|<1>| There is a newer OCSP response but was not provided by the server
- Status: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. 
*** PKI verification of server certificate failed...
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
- Session ID: 9F:37:A5:9C:3A:D1:0A:0D:1A:05:F7:B6:AE:84:7A:78:58:EC:30:4B:8F:90:03:EB:62:3D:20:A8:A0:EB:EA:0C
- Options: OCSP status request[ignored],
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GnuTLS connection
1 Like

Seems as if haproxy has issues with updated cert.
But I don’t know if it is involved at all in this case…

1 Like

haproxy is mentioned in the solution in that post, it exists in the manjaro community repository but not installed on my system. Should I? And if so, what do I do with it?

Why not install another AUR helper, such as: paru, yay, etc.? That way, when you have issues with pamac, you can use something else. I personally have never run into the problem you are having because I never use pamac for AUR.

2 Likes

Probably not. I don’t have it installed, either, and my pamac works just fine. Please provide the output of:

pamac update --force-refresh

Edit:

I don’t think it’s applicable to you:

Sure, I can do that by running it the 25:th time, won’t change anything. And if I add the -a tag, the aur still fails after the “normal” lists are updated.
I now also see you edited your answer, but yes, have run that multiple times.

Edit. I downloaded the file in firefox and used Kompare against /var/tmp/pamac-build-bedna/packages-meta-ext-v1.json.gz and they are exactly the same, does that mean that the certificate will be updated, ie pamac will start to work if anything changes in AUR?

If so, that should be in the first search you find on the manjaro forum, because I have never heard that explanation, this is just me as a complete noob spitballing.

I’m going to be honest with you.

Your attitude’s not helping. Nobody will want to help with that snarky attitude.


The reason I asked for the output, not just the human summary, was because it might provide a clue, either to me or, more likely, to someone more knowledgeable. A clue as to

…because it has to be diagnosed first and then treated.


According to this, you need to update your mirror list, which you can do with:

sudo pacman-mirrors -f && sudo pacman -Syyu

…and for the same reason as previous, please provide its output.

6 Likes

I agree. I apologize for that, the frustration got the better of me. Sorry!
The frustration is from reading sooooo many posts about this and basically all of them end up with “hey it suddenly works” or “this is not manjaros fault”, not anywhere have I ever seen responsibility or a definitive solution, and that is REALLY frustrating.
But yes, I now put my “always be kind” hat on and ask for forgiveness. <3

This is exactly what I did that broke it, and seems to be what almost ALWAYS breaks pamac+aur in some way, not always like this but almost ALWAYS in combination with pacman-mirrors

I have tried resetting them sudo pacman-mirrors --interactive --country all --api --protocols all --set-branch stable && sudo pacman -Syyu, using -f, using default, using --interactive to manually choose, following the wiki using -Syu, disregarded the wiki using -Syyu. I have literally tried EVERYTHING I can think of… again… deep breath… not aggressive bedna… breathing deep xD

I… I just want this to be fixed and never come back… :cry:

Edit Oh yeah, the output.
I have set my servers to Sweden, Denmark, Finland and Norway, just so you know, but even if I have mirrors worldwide, it won't change the aur error.
I mean, at least this has taught me how pacman-mirrors works. :smiley:

So here is the output:

sudo pacman-mirrors -f && sudo pacman -Syyu                                                                                                                                                          ✔ 
::INFO Downloading mirrors from Manjaro
::INFO => Mirror pool: https://repo.manjaro.org/mirrors.json
::INFO => Mirror status: https://repo.manjaro.org/status.json
::INFO Using custom mirror file
::INFO Querying mirrors - This may take some time
  0.196 Sweden         : https://ftp.lysator.liu.se/pub/manjaro/
  0.691 Finland        : https://manjaro.kyberorg.fi/
  0.190 Sweden         : https://ftpmirror1.infania.net/mirror/manjaro/
  0.214 Norway         : http://mirror.terrahost.no/linux/manjaro/
  0.581 Denmark        : https://mirrors.dotsrc.org/manjaro/
  0.181 Sweden         : https://mirror.zetup.net/manjaro/
::INFO Writing mirror list
::Sweden          : https://mirror.zetup.net/manjaro/stable/$repo/$arch
::Sweden          : https://ftpmirror1.infania.net/mirror/manjaro/stable/$repo/$arch
::Sweden          : https://ftp.lysator.liu.se/pub/manjaro/stable/$repo/$arch
::Norway          : http://mirror.terrahost.no/linux/manjaro/stable/$repo/$arch
::Denmark         : https://mirrors.dotsrc.org/manjaro/stable/$repo/$arch
::Finland         : https://manjaro.kyberorg.fi/stable/$repo/$arch
::INFO Mirror list generated and saved to: /etc/pacman.d/mirrorlist
:: Synchronizing package databases...
 core                                                                                               143.6 KiB  1004 KiB/s 00:00 [#############################################################################] 100%
 extra                                                                                             1636.7 KiB  1272 KiB/s 00:01 [#############################################################################] 100%
 community                                                                                            7.0 MiB  1263 KiB/s 00:06 [#############################################################################] 100%
 multilib                                                                                           145.2 KiB  1285 KiB/s 00:00 [#############################################################################] 100%
:: Starting full system upgrade...
 there is nothing to do
pamac upgrade -a                                                                                                                                                                             ✔  10s  
Preparing...
Synchronizing package databases...
https://aur.manjaro.org/packages-meta-ext-v1.json.gz: Unacceptable TLS certificate
Failed to synchronize AUR database
Nothing to do.
Transaction successfully finished.

Edit2 THIS IS NEW!
After posting the edit I realized I also wanted to show that the servers were actually green (OK) like they have constantly been. But THIS TIME:

pacman-mirrors                                                                                                                                                                                       ✔ 
Pacman-mirrors version 4.23.2
Local mirror status for stable branch
Mirror #1   --  00:35   Sweden   https://mirror.zetup.net/manjaro/
Mirror #2   --  04:45   Sweden   https://ftpmirror1.infania.net/mirror/manjaro/
Mirror #3   --  02:15   Sweden   https://ftp.lysator.liu.se/pub/manjaro/
Mirror #4   --  02:14   Norway   http://mirror.terrahost.no/linux/manjaro/
Mirror #5   --  01:03   Denmark  https://mirrors.dotsrc.org/manjaro/
Mirror #6   --  00:26   Finland  https://manjaro.kyberorg.fi/

Edit3 LMAO, yeah, that kinda makes sense, I guess I have to wait a bit now for the servers to sync.
https://repo.manjaro.org/

Probably not going to happen. I don’t want to be hard on you, or say things that might frustrate you, but it really ISN’T Manjaro’s FAULT. In fact, it has nothing to do with Manjaro.

See, the AUR is Arch (Linux) User Repository. Not Manjaro User Repository. Also, the packages you find in the AUR aren’t created by the Manjaro, or even Arch Linux official team members, but by the Users. Yeah, sure, there are packages there that are maintained by some of the Manjaro team members, but it’s not official, otherwise it would probably have been in the repositories.

That mirror has been decommissioned AFAIK.

It won’t. Because the AUR isn’t a Manjaro or even Arch Linux server. It’s just a repository of recipes, to put it like that. And those packages, those ingredients, are downloaded from all over the internet.

Some other server(s) might also be decommissioned or even just changed a bit, so that it looks like the machine is gone, to pamac. So the global refresh probably did that for you and that’s why the official repositories are now working.

Try removing that file locally, to force a download of a newer one:

sudo rm /var/tmp/pamac-build-<username>/packages-meta-ext-v1.json.gz

Where <username> is the name of your actual user on the PC.

1 Like

This is the answer I have seen so many times and I simply don’t accept that.
Reason: If there was zero way of getting that file by any other means, then yes, I would agree. But since I CAN access and download the file through other means, this IS a pamac issue. Be it they need to change the METHOD they access the file because the way they rely on is through others doesn’t work, but no matter, it’s pamac.

It exists on https://repo.manjaro.org/ and:

pacman-mirrors                                                                                                                                                                                     4 ✘ 
Pacman-mirrors version 4.23.2
Local mirror status for stable branch
Mirror #1   --  00:55   Sweden   https://mirror.zetup.net/manjaro/
Mirror #2   --  01:05   Sweden   https://ftpmirror1.infania.net/mirror/manjaro/
Mirror #3   --  02:35   Sweden   https://ftp.lysator.liu.se/pub/manjaro/
Mirror #4   --  02:34   Norway   http://mirror.terrahost.no/linux/manjaro/
Mirror #5   --  01:23   Denmark  https://mirrors.dotsrc.org/manjaro/
Mirror #6   OK  00:16   Finland  https://manjaro.kyberorg.fi/

So I think it’s all good on that front.

Did that, nothing changed. Besides, It’s the server, not the file the error references to.

Again, I completely understand that pacman DOES NOT HAVE ANYTHING TO DO WITH AUR, all I am saying is: Errors with using pamac upgrade -a in almost ALL OCCASIONS happen directly after I have interacted with pacman-mirrors. I see a CLEAR correlation between them but I have no idea why. The error usually fixes itself within 24h so I have learned to live with it, this time, it has gone way beyond that time.
This is my experience, I can not speak for others.

Edit

Wait, maybe I have misunderstood something here. Is pamac not supported/created by manjaro?
Is aur.manjaro.org not owned by manjaro but rather community driven somehow?
If so, I start to understand the complexity and what you mean.
But if they ARE maintained by manjaro, yepp, this is a manjaro issue in my eyes, as a manjaro user.
AUR itself is obv not controlled by manjaro.

1 Like

This AUR file is maintained by Manjaro and necessary to use the AUR with pamac. But it is distributed by a CDN which is unwilling to fix this issue.
You can only wait.

Or disable the AUR in pamac and use another AUR helper (like paru).

1 Like

How are they responsible for how aur.manjaro.org handles certificates? I have to ask because as a noob, it makes zero sense to me, unless they ALSO control the whole server?

This is my exact point, how is it that the official package manager can not do what others can, but at the same time “not at fault”?

I stopped using pamac except to see what updates are out there. In manjaro for overall updates I use topgrade. For individual apps pacseek with pikaur under the hood for my AUR helper.

1 Like

Look, I’m going to step away from the technical part a second and look at it from another perspective. Not everything is going to be fun, but the most valuable critique often are like that.

I approach this as a customer, because that is kinda what I am to manjaro, they don’t REQUIRE money from me but they don’t shy from asking for it, and I have ZERO problems with that, I appreciate them reminding the community that they are driven by community money.

If you have donated or not should not matter, even “free” users contribute value by simply being users and talking about that to others. That is the best pr you could possibly have, FOR FREE (kinda).
I happen to be a contributor, I fkn hate saying that, because again, THAT SHOULD NOT MATTER. I even went to lengths to keep it anonymous, but here we are, if this can change ANYTHING about this, screw it.

But here is the catch. If I use manjaro, and if manjaro use aur as a promotion for their product, I expect that to work, especially if there is a tool within manjaro that I can change a setting to activate support for aur in the gui!

Look at it this way. I get a car. the car stops working sporadically after I fill it with gas. I contact my seller and they inform me “yeah, we are aware, just wait a little while and it fixes itself, we have no control over the software doing this”.

Sounds insane right?

The analogy is not exact ofc, I see and understand the difference of open source and an actual complete holder, but the mentality of “this is not our fault” is VERY strange here.

I also understand that there are limits to what manjaro can do and have focus on, but this particular issue has existed for a VERY long time. There are posts a few years back referencing this.

1 Like

Have a look at this thread: Pamac fails to synchronise due unacceptable TLS certificate

LetsEncrypt uses SHA1 for performance reasons and libsoup3 has problems with it, which is used in pamac. Guess that is the summary of the whole story.

To add here: I also sometimes get that error, but I disabled auto-updating of AUR packages and do it on demand. When I request the AUR DB too often, I get the same error again.

I guess I have to look into something like that, but it SUX tbh. As I stated in the title “I want to use pamac” for the simple reasons: that is what is promoted as “their package manager”, because that is what I have been using since I started using manjaro (and it mostly works) and because the first response (from a manjaro team member might I add) to my absolute first post in this forum was: "welcome to manjaro, to install from the AUR use manjaro's built-in package manager pamac by typing pamac build it87-dkms-git" (after me trying to use my debian knowledge to clone from aur).

I made a little script to test the libsoup package (v3 or v2) …

#!/usr/bin/env python
# Send one HEAD request through libsoup (3.0 by default, 2.4 if passed as the
# first argument) to see whether its TLS verification accepts the server.
import sys
import gi

version = '3.0'
if len(sys.argv) > 1 and sys.argv[1] == '2.4':
    version = '2.4'

# The Soup version must be selected before the module is imported.
gi.require_version('Soup', version)
from gi.repository import Soup
from gi.repository import GLib


# Two candidate targets; the second assignment is the one actually tested.
URL = 'https://aur.archlinux.org/packages-meta-ext-v1.json.gz'
URL = 'https://aur.manjaro.org/packages-meta-ext-v1.json.gz'

print("libsoup", version, URL)

session = Soup.Session()
try:
    if version == '2.4':
        uri = Soup.URI.new(URL)
        request = session.request_http_uri('HEAD', uri)
        request.send(cancellable=None)
    else:
        uri = GLib.Uri.parse(URL, GLib.UriFlags(Soup.HTTP_URI_FLAGS))
        message = Soup.Message.new_from_uri("HEAD", uri)
        session.send(message)
except GLib.GError as err:
    # A failed certificate check surfaces here as a g-tls-error-quark error.
    print(err)
    sys.exit(1)

# Reached only when the request went through without a TLS error.
print("ok")

For me, it only works a few times (7/10)… (if ok, returns nothing)

python script.py

   > gi.repository.GLib.GError: g-tls-error-quark: Unacceptable TLS certificate (2)

:thinking:

3 Likes
python ./script.py                                                                                                                                                                                   ✔ 
Traceback (most recent call last):
  File "/home/bedna/./script.py", line 11, in <module>
    stream = request.send(cancellable=None)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
gi.repository.GLib.GError: g-tls-error-quark: Unacceptable TLS certificate (2)

Not exactly sure what I’m looking at though. xD

Edit, wait, you are correct, sometimes I get no errors when running it.

@papajoke you fixed it, SOMEHOW!

I kept running that script a few times, then after like 5-6 tries, it returned nothing, so I ran it again, that brought back the errors, until they once again didn’t BUT THIS TIME, I ran pamac upgrade -a AND IT WORKED!!!

Now, WHY did this happen, I would love to understand!

python script.py                                                                                                                                                                                  
Traceback (most recent call last):
  File "/home/bedna/script.py", line 11, in <module>
    stream = request.send(cancellable=None)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
gi.repository.GLib.GError: g-tls-error-quark: Unacceptable TLS certificate (2)

python script.py                                                                                                                                                                                  
Traceback (most recent call last):
  File "/home/bedna/script.py", line 11, in <module>
    stream = request.send(cancellable=None)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
gi.repository.GLib.GError: g-tls-error-quark: Unacceptable TLS certificate (2)

python script.py #no errors 

python ./script.py #no errors

pamac upgrade -a                                                                                                                                                                                    
Preparing...
Synchronizing package databases...
Refreshing community.db...                                                                                                                                                                                          
Refreshing AUR...                                                                                                                                                                                                   
Nothing to do.                                                                                                                                                                                                      
Transaction successfully finished.

for me:

gnutls-cli --tofu aur.manjaro.org                                                                                                                
 ...
- Status: The certificate is trusted. 
Host aur.manjaro.org (https) has never been contacted before.
Its certificate is valid for aur.manjaro.org.

curl -Iv 'https://aur.manjaro.org/packages-meta-ext-v1.json.gz' 
...
* Server certificate:
*  subject: CN=1715854792.rsc.cdn77.org
*  start date: Apr 27 17:10:39 2023 GMT
*  expire date: Jul 26 17:10:38 2023 GMT
*  subjectAltName: host "aur.manjaro.org" matched cert's "aur.manjaro.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

My script returns an error (only) sometimes, the same error as you, 3 times out of 10.

So, it is a random libsoup bug :sob:
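
The gnutls-cli transcripts quoted above can be sorted mechanically, which helps when a failure only shows up on some runs. The following is an added example, not code from any poster in this thread: it separates a rejection for superseded OCSP data from other trust failures and checks whether any certificate in the chain had expired. The transcripts are constructed, shortened copies of the output above; the serial numbers, the "issuer is unknown" case and the check date are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed transcripts: shortened copies of the gnutls-cli output quoted in
# this thread. Serial numbers are placeholders; OTHER is an invented failure.
FAILING = """\
- Certificate[0] info:
 - subject `CN=1715854792.rsc.cdn77.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x01, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2023-04-27 17:10:39 UTC', expires `2023-07-26 17:10:38 UTC'
- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x02, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC'
|<1>| There is a newer OCSP response but was not provided by the server
- Status: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. 
*** PKI verification of server certificate failed...
"""
PASSING = "- Status: The certificate is trusted. \n"
OTHER = "- Status: The certificate is NOT trusted. The certificate issuer is unknown. \n"

# Subjects may contain an apostrophe (Let's Encrypt), so match up to the next
# field name instead of up to the next quote character.
CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)', serial .*?expires `(.*?) UTC'")
STATUS_RE = re.compile(
    r"^- Status: The certificate is (NOT trusted|trusted)\.[ \t]*(.*)$", re.M)


def parse_chain(transcript):
    """Return the certificate list as dicts, leaf first."""
    return [{"subject": s, "issuer": i,
             "expires": datetime.strptime(e, "%Y-%m-%d %H:%M:%S")}
            for s, i, e in CERT_RE.findall(transcript)]


def expired_certs(chain, when):
    """Subjects whose expiry lies before `when` (naive datetime, UTC)."""
    return [c["subject"] for c in chain if c["expires"] < when]


def classify(transcript):
    """Reduce one transcript to trusted / stale-ocsp / untrusted-other / no-status."""
    status = STATUS_RE.search(transcript)
    if status is None:
        return "no-status"          # no verification result in the transcript
    if status.group(1) == "trusted":
        return "trusted"
    if "OCSP" in status.group(2):
        return "stale-ocsp"         # rejected over revocation data, not the chain
    return "untrusted-other"


def tally(transcripts):
    """Count verdicts over repeated runs to see whether failures share one cause."""
    return Counter(classify(t) for t in transcripts)


if __name__ == "__main__":
    runs = [FAILING, PASSING, FAILING, PASSING, PASSING]
    print(dict(tally(runs)))
    # 2023-06-01 is an assumed check date inside the leaf's validity window.
    print("expired:", expired_certs(parse_chain(FAILING), datetime(2023, 6, 1)))
```

To use it on live data, save the output of each `gnutls-cli` run to a file and pass the file contents to `tally`.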