Reply

Re: COMODO certificates

dsm1212
Apprentice

COMODO certificates

I've noticed quite a few sites not working due to certificate errors on 6.2 (pro 6) with some apps (sickbeard, etc). Poked around with wget and the problem is that in /etc/ssl/certs I have:

$ ls -al /etc/ssl/certs/COMODO*
lrwxrwxrwx 1 root root 69 Nov 21 23:00 /etc/ssl/certs/COMODO_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
lrwxrwxrwx 1 root root 73 Nov 21 23:00 /etc/ssl/certs/COMODO_ECC_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt

But these files do not exist in /usr/share/ca-certificates/mozilla

I tried apt-get --reinstall install ca-certificates but it didn't change anything. Are these two certificates missing from the distribution or did I lose them somehow? Could someone else check their 6.2 system?

steve
Message 1 of 9
dsm1212
Apprentice

Re: COMODO certificates

FWIW I downloaded the debian 7 ca-certificates package and extracted the missing files and copied them to /usr/share/ca-certificates/mozilla. That fixed all the problems. It took those two above and all the ones named Add* to fix it. There are a LOT more certificates in the debian version of this package. I think netgear left a bunch out for some reason and the netgear1 version of the package is deemed newer. I'm afraid to uninstall the netgear1 version and install the debian one because there must be a reason netgear modified it.

Update: Can someone submit this as a bug? Addons that download things don't work very well. Netgear really should include the full set of certificates. I used shell commands to populate all the bad links that the netgear package installed from the full set of files in the debian distribution and there were dozens missing. If you have colorizing turned on just do a ls of /etc/ssl/certs. It's all the red ones :-).

steve
Message 2 of 9
arpanj2
Tutor

Re: COMODO certificates

Hi Steve,

Can you pl post the links to the download? New to Linux

Thanks,
Arpan
Message 3 of 9
dsm1212
Apprentice

Re: COMODO certificates

Well it's been a few weeks and this is probably not the best way to do this. It might be ok to just install it but I don't know what netgear did so I just wanted the missing cert files. I ran apt-get with the -d download only option.

apt-get -d install ca-certificates=20130119+deb7u1

That puts the right kit in /var/cache/apt/archives. You can unpack it to some directory you've created with dpkg -x.

dpkg -x filename.deb ~/certs

(I don't remember what the deb filename was).

Then it is a matter of restoring the missing files. I was being cautious and didn't want to overwrite anything. So I wrote a find/exec statement that would find links with missing files in /etc/ssl/certs and then copy the file. All the missing files were needed in /usr/share/ca-certificates/mozilla. So with hindsight I think you could just populate that directory without overwriting existing files and get all the ones that are missing. Make sure owner and permissions of the new files are the same as the ones already there.

steve
Message 4 of 9
gibxxi
Guide

Re: COMODO certificates

Steve,

I'm having similar issues with SSL certificates in any app that's using SSL, not just SB. Your last paragraph is somewhat vague to me. Can you elaborate on the exec statement/replacement bit for a Linux newbie please?

Many more issues with this thing and I may just go out and buy a W4000+ instead.

😉
NAS1: Asustor AS-5104T [FW: 2.5.1.RB62] - Drives: 4x WD-Red 68EUZN0 2TB - RAM: 8GB]
NAS2: Netgear Repertoire U4 (Chirpa Special) [FW: 4.2.28 - Drives: 4x WD-Red 68AX9N0 2TB - RAM: 4GB]
Switch (N1): Netgear GS108Tv2 [FW: v5.4.2.19] | Switch (N2): Netgear GS208 over PWRL-1200+
Router: Netgear WNDR4300 [FW: v1.0.2.80] | UPS: APC SMT-1500I, BackUPS ES-700uk]
Message 5 of 9
dsm1212
Apprentice

Re: COMODO certificates

Basically if you get the package extracted then find the mozilla directory within it and just do:

cp -n mozilla/* /usr/share/ca-certificates/mozilla

-n means don't overwrite. So it will just add all the missing files.

steve
Message 6 of 9
gibxxi
Guide

Re: COMODO certificates

Cheers for that. Will give it a go.
NAS1: Asustor AS-5104T [FW: 2.5.1.RB62] - Drives: 4x WD-Red 68EUZN0 2TB - RAM: 8GB]
NAS2: Netgear Repertoire U4 (Chirpa Special) [FW: 4.2.28 - Drives: 4x WD-Red 68AX9N0 2TB - RAM: 4GB]
Switch (N1): Netgear GS108Tv2 [FW: v5.4.2.19] | Switch (N2): Netgear GS208 over PWRL-1200+
Router: Netgear WNDR4300 [FW: v1.0.2.80] | UPS: APC SMT-1500I, BackUPS ES-700uk]
Message 7 of 9
Nicholi
Guide

Re: COMODO certificates

I just noticed the same after upgrading from 6.1.9 to 6.2.2. Snooped around my /etc/ssl/certs directory and noticed NONE of the symlinks existed. These were all pointing to /usr/share/ca-certificates/mozilla/ which is updated by the package "ca-certificates". Sure enough I see a netgear specific package for this, so I downgraded to the last debian packaged version.

sudo apt-get install ca-certificates=20130119+deb7u1


I don't know why netgear would remove practically all the known certificate authorities... but likely that's why you might be experience SSL cert issues in various programs. I took a look inside the netgear derived package "ca-certificates_20140325.netgear1_all", and sure enough it only has Verisign and Entrust CA certs. So why has this package been around since March 2014? Just waiting to singularly b0rk everyones installs? I could understand if it was something recent from the 6.2.2 update...but March 2014?!
Message 8 of 9
dsm1212
Apprentice

Re: COMODO certificates

That's probably easier, I was just worried there must be something in that netgear version I was afraid to lose :-). I have no idea why they did this. Programs like sickbeard and headphones are virtually useless without these certs.

steve
Message 9 of 9
Top Contributors
Discussion stats
  • 8 replies
  • 4169 views
  • 0 kudos
  • 4 in conversation
Announcements