Hi, I updated Manjaro with pacman -Syyu a few days ago (November 30th) and afterwards found that every webpage I try to load in Firefox, Firefox (developer edition) and Google Chrome give me security errors such as “SEC_ERROR_UNKNOWN_ISSUER” and the like. I also found that I couldn’t push or pull branches through Git, although Git has reported no errors.
However, I’m still able to send messages through a message app called Signal, I can still use curl to fetch page data, and pinging www.google.com works just fine. This leads me to suspect that something unusual has happened to my system’s certificates.
Checking locale settings and making sure the time and date is accurate
Loading browsers in “Safe mode” to ensure the problem isn’t related to an extension
Clearing Firefox’s cert9.db file and letting it auto-generate
Checking the certificate issuer details of websites that fail. Google’s seems to be Google’s own GTS CA 1C3, other websites are Let’s Encrypt’s R3, etc.
The problem definitely started immediately once the computer booted after the system update (and has been the same after every reboot). I’ve since tried updating again (and this time using yay just in case) but it looks like I’m completely up to date. Now, I’m not sure how else to narrow down the problem. Any pointers?
Although I nor seemingly (m)any others here have this issue, it still seems likely to for you be part of the openssl 1.1 / 3.0 fallout that’s been reported in a fair few different contexts.
I’m myself a fairly new Manjaro user, i.e., am on a fairly new Manjaro install, and have not in fact had issues myself; I believe most/many or even all are related to e.g. installed AUR packages or partial updates. But can then without the issue to actively look at not really help troubleshooting/fixing – but someone will be able to, and I at the very least feel it likely to be that openssl issue in some or other way; maybe that helps you to debug.
Thanks for the links. I went through both of these threads and did a little searching but few problems seemed to match my own. Those that did seem similar suggested that the problem was between OpenSSL 1.1 and 3.0, but installing openssl-1.1 and lib32-openssl-1.1 did not fix my issues. I installed both and restarted programs and rebooted, but the behavior hasn’t changed.
I think I’ll post my issues within the Nov. 14th thread, since I agree that OpenSSL feels like a likely cause for my problems. I would like to post a solution here later if I find one. If I missed something or anyone else has any ideas other than waiting for a future release to fix things, that would be very appreciated!
I believe I’ve figured it out. After a bunch of calls to yay and digging deeper into various packages and their dependencies, I tried the following:
yay -S ca-certificates ca-certificates-mozilla ca-certificates-utils
All websites are now loading correctly.
This just reinstalls those 3 packages. If you don’t have yay then I assume using pacman instead will work all the same.
My best guess is that the November 30th update did something weird to the CA certificates on my system. I had already tried reinstalling ca-certificates earlier today (to no avail), so I’m pretty sure it’s one of the latter two packages that were messed up after the update.