Mailing List Archive

[clamav-users] New installation 103.3; failing freshclam
I find the error message unhelpful. Can you provide a more actionable interpretation, please? I've just updated certificates from Mozilla but no joy.

--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [clamav-users] New installation 103.3; failing freshclam
This specific error comes from the libcurl library. I imagine we could detect the associated error code and supplement the message with more actionable advice. If anyone is up for figuring that out, a PR would be welcome.

How you fix this problem is going to vary depending on what OS you're on.
- Mac & Windows installations will use the macOS Keychain or Windows Certificate Store (the same one used by Edge or Firefox).
- Linux and other Unix installations use the openssl certificate directory. By default that is probably in /etc/ssl/certs or /etc/pki/tls/certs but may vary by distribution. Having the ca-certificates package (ubuntu) or equivalent is usually sufficient.

Sometimes TLS validation also fails if the CA certs are fine but the system time is incorrect.

-Micah

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> Paul Rogers via clamav-users
> Sent: Wednesday, June 23, 2021 12:19 PM
> To: clamav-users@lists.clamav.net
> Cc: Paul Rogers <paulgrogers@fastmail.fm>
> Subject: [clamav-users] New installation 103.3; failing freshclam
>

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] New installation 103.3; failing freshclam
Thanks for responding.

On Wed, Jun 23, 2021, at 12:35 PM, Micah Snyder (micasnyd) wrote:
> This specific error comes from the libcurl library. I imagine we could
> detect the associated error code and supplement the message with more

Agreed, at least point the finger at the responsible package, libcurl.

> actionable advice. If anyone is up for figuring that out, a PR would
> be welcome.
>
> How you fix this problem is going to vary depending on what OS you're

A homemade LFS. Actually two stable, production systems, one 32-bit LFS-7.7, and a 64-bit LFS-8.1.
openssl-1.0.2l & 1.1.0f
curl-7.4.0 & 7.55.1
gnutls-3.3.12 & 3.5.14
clamav-0.99.2 & 0.103.3

The first has an LFS derived certificate download/update script, the second make-ca-0.7.

> on.
> - Mac & Windows installations will use the macOS Keychain or Windows
> Certificate Store (the same one used by Edge or Firefox).

[shudder]

> - Linux and other Unix installations use the openssl certificate
> directory. By default that is probably in /etc/ssl/certs or

Correct.

> /etc/pki/tls/certs but may vary by distribution. Having the

Only anchors there.

> ca-certificates package (ubuntu) or equivalent is usually sufficient.

So is somebody not looking in the right place? How can I discover and fix that?

>
> Sometimes TLS validation also fails if the CA certs are fine but the
> system time is incorrect.

Just reset last evening w/ ntp.

>
> -Micah

TIA

--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
Haha love the [shudder]...

So I *think* I would blame whichever OpenSSL version is linked with ClamAV when you built it for looking in the wrong directory. If this is really the issue, you should be able to work around it by setting a CURL_CA_BUNDLE environment variable to point at your CA directory before running freshclam.

In tracking down the right variable name, I realized that we forgot to document CURL_CA_BUNDLE when we added this capability (v0.103). I'll create a GitHub Issue now as a reminder to add it to the documentation, or in case someone else wants to work on it.

-Micah

> -----Original Message-----
> From: Paul Rogers <paulgrogers@fastmail.fm>
> Sent: Wednesday, June 23, 2021 1:15 PM
> To: Micah Snyder (micasnyd) <micasnyd@cisco.com>; ClamAV users ML
> <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] New installation 103.3; failing freshclam
>
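As an added example (not ClamAV's or curl's own code, and not something from this thread): the number freshclam prints in "Download failed (77)" is a libcurl CURLcode, and 77 means the CA bundle or directory could not be loaded at all, which is a different failure from a chain that does not verify (60). The script maps those codes to advice and then reproduces the loading step offline with OpenSSL, through Python's ssl module, against whatever CAINFO/CAPATH curl was built with; CURLcode values are taken from curl/curl.h, and the temp-dir layout in demo() is constructed.

```python
"""Diagnose freshclam/libcurl CA errors offline. Added example, not ClamAV or
curl code; the CURLcode table mirrors curl/curl.h, sample paths are made up."""
import os
import re
import ssl
import sys
import tempfile

# CURLcode values as defined in curl's include/curl/curl.h.
CURL_TLS_ERRORS = {
    77: ("CURLE_SSL_CACERT_BADFILE",
         "libcurl could not LOAD the CA bundle/dir (CURLOPT_CAINFO/CAPATH): "
         "wrong path, unreadable file, or a file that is not PEM."),
    60: ("CURLE_PEER_FAILED_VERIFICATION",
         "CA store loaded, but the server chain does not verify against it "
         "(missing root/intermediate, hostname mismatch, or a wrong clock)."),
    35: ("CURLE_SSL_CONNECT_ERROR",
         "TLS handshake failed before any certificate check."),
}
FAIL_RE = re.compile(r"Download failed \((\d+)\)")
HASHED_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")   # OpenSSL c_rehash-style name


def explain_freshclam_line(line):
    """Map a freshclam 'Download failed (N)' line to (N, CURLcode name, advice);
    None for log lines that carry no libcurl result code."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    name, advice = CURL_TLS_ERRORS.get(code, ("CURLcode %d" % code, "see curl/curl.h"))
    return code, name, advice


def check_ca_locations(cafile=None, capath=None):
    """Do what OpenSSL does behind libcurl's CAINFO/CAPATH and explain failures."""
    r = {"cafile_exists": None, "cafile_loads": None, "certs_loaded": 0,
         "capath_exists": None, "capath_hashed_entries": 0, "problems": []}
    if cafile is not None:
        r["cafile_exists"] = os.path.isfile(cafile)
        if not r["cafile_exists"]:
            r["problems"].append("CA bundle %s does not exist" % cafile)
        elif not os.access(cafile, os.R_OK):
            r["problems"].append("CA bundle %s is not readable by uid %d" % (cafile, os.getuid()))
        else:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            try:
                # This is the load step that libcurl reports as error 77 when it fails.
                ctx.load_verify_locations(cafile=cafile)
                r["cafile_loads"] = True
                r["certs_loaded"] = ctx.cert_store_stats()["x509_ca"]
            except OSError as e:   # ssl.SSLError is an OSError subclass
                r["cafile_loads"] = False
                r["problems"].append("OpenSSL rejected %s: %s" % (cafile, getattr(e, "reason", None) or e))
    if capath is not None:
        # OpenSSL only records a CA directory at load time and looks certs up
        # lazily by <subject hash>.N, so a bad directory tends to surface as
        # error 60 during verification rather than 77; check the layout here.
        r["capath_exists"] = os.path.isdir(capath)
        if not r["capath_exists"]:
            r["problems"].append("CA directory %s does not exist" % capath)
        else:
            hashed = [n for n in os.listdir(capath) if HASHED_RE.match(n)]
            r["capath_hashed_entries"] = len(hashed)
            if not hashed:
                r["problems"].append("CA directory %s has no <hash>.N entries; run 'openssl rehash'" % capath)
    return r


def demo():
    """Constructed scenario: a bundle that is not PEM, plus a directory that
    gains one hashed symlink. Returns the findings for the three checks."""
    d = tempfile.mkdtemp(prefix="ca-demo-")
    bogus = os.path.join(d, "ca-bundle.crt")
    with open(bogus, "w") as f:
        f.write("this is not a certificate\n")
    before = check_ca_locations(cafile=bogus, capath=d)
    os.symlink(bogus, os.path.join(d, "002c0b4f.0"))   # name pattern only, constructed
    after = check_ca_locations(capath=d)
    missing = check_ca_locations(cafile=os.path.join(d, "missing.crt"))
    return before, after, missing


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py /etc/ssl/ca-bundle.crt /etc/ssl/certs
        print(check_ca_locations(cafile=sys.argv[1], capath=sys.argv[2]))
    else:
        print(explain_freshclam_line("Sat Jul 17 09:25:51 2021 -> ^Download failed (77)"))
        for finding in demo():
            print(finding)
```

Run it as the same user freshclam runs as, with the bundle and directory paths shown in curl's configure summary, so the readability check reflects the real access rights.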

Re: [clamav-users] New installation 103.3; failing freshclam
So I rebuilt curl-7.50.1 with new config arguments as follows:
=====
configure: Configured to build curl/libcurl:

curl version: 7.50.1
Host setup: i686-pc-linux-gnu
Install prefix: /usr/local
Compiler: gcc
SSL support: enabled (OpenSSL)
SSH support: no (--with-libssh2)
zlib support: enabled
GSS-API support: no (--with-gssapi)
TLS-SRP support: enabled
resolver: POSIX threaded
IPv6 support: no (--enable-ipv6)
Unix sockets support: enabled
IDN support: no (--with-{libidn,winidn})
Build libcurl: Shared=yes, Static=no
Built-in manual: enabled
--libcurl option: enabled (--disable-libcurl-option)
Verbose errors: enabled (--disable-verbose)
SSPI support: no (--enable-sspi)
ca cert bundle: no
ca cert path: /etc/ssl/certs
ca fallback: no
LDAP support: no (--enable-ldap / --with-ldap-lib / --with-lber-lib)
LDAPS support: no (--enable-ldaps)
RTSP support: enabled
RTMP support: no (--with-librtmp)
metalink support: no (--with-libmetalink)
PSL support: no (libpsl not found)
HTTP2 support: disabled (--with-nghttp2)
Protocols: DICT FILE FTP FTPS GOPHER HTTP HTTPS IMAP IMAPS POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP
=====

It now knows where to find all my pem files, or should. But I'm still getting the same error:

=====
Sun Jun 27 09:50:03 2021 -> ClamAV update process started at Sun Jun 27 09:50:03 2021
Sun Jun 27 09:50:03 2021 -> daily database available for download (remote version: 26214)
Sun Jun 27 09:50:03 2021 -> ^Download failed (77)
Sun Jun 27 09:50:03 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sun Jun 27 09:50:03 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sun Jun 27 09:50:03 2021 -> Trying again in 5 secs...
Sun Jun 27 09:50:08 2021 -> daily database available for download (remote version: 26214)
Sun Jun 27 09:50:08 2021 -> ^Download failed (77)
Sun Jun 27 09:50:08 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sun Jun 27 09:50:08 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sun Jun 27 09:50:08 2021 -> Trying again in 5 secs...
^CSun Jun 27 09:50:12 2021 -> Update process terminated
[09:50 src]#
=====

Access rights?

=====
[10:07 ~]$ l /etc/ssl/certs|head
total 1100
lrwxrwxrwx 1 root root 12 Jun 20 13:23 002c0b4f.0 -> 002c0b4f.pem
-rw-r--r-- 1 root root 7233 Jun 20 13:22 002c0b4f.pem
lrwxrwxrwx 1 root root 12 Jun 20 13:23 02265526.0 -> 02265526.pem
-rw-r--r-- 1 root root 5055 Jun 20 13:22 02265526.pem
lrwxrwxrwx 1 root root 12 Jun 20 13:23 03179a64.0 -> 03179a64.pem
-rw-r--r-- 1 root root 7266 Jun 20 13:22 03179a64.pem
lrwxrwxrwx 1 root root 12 Jun 20 13:23 062cdee6.0 -> 062cdee6.pem
-rw-r--r-- 1 root root 4531 Jun 20 13:22 062cdee6.pem
lrwxrwxrwx 1 root root 12 Jun 20 13:23 064e0aa9.0 -> 064e0aa9.pem
[10:12 ~]$

=====

Is it one certificate in particular that's missing?


--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
On 28/06/2021 03:17, Paul Rogers via clamav-users wrote:
> So I rebuilt curl-7.50.1 with new config arguments as follows:

That, to me, looks to be too old to work.

I am using cURL 7.67.0, and OpenSSL 1.1.1k, and I vaguely recall having
certificate problems a while ago that were solved by updating everything
in sight.

Cheers,
Gary B-)

Re: [clamav-users] New installation 103.3; failing freshclam
Hi there,

On Sun, 27 Jun 2021, Paul Rogers via clamav-users wrote:

> So I rebuilt curl-7.50.1 ...

https://curl.se/docs/vuln-7.50.1.html

--

73,
Ged.

Re: [clamav-users] New installation 103.3; failing freshclam
Following your suggestions I updated to latest curl-7.70.0, and this time I also configured with the pathname to the CA-bundle file as well as the installed pem directory. No observed trouble building. But still the same error about the certificates, no observed difference running freshclam.

--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
Hi there,

On Tue, 29 Jun 2021, Paul Rogers via clamav-users wrote:

> Following your suggestions I updated to latest curl-7.70.0, and this
> time I also configured with the pathname to the CA-bundle file as
> well as the installed pem directory. No observed trouble building.
> But still the same error about the certificates, no observed
> difference running freshclam.

At this point I think I'd be looking for more logging. If there's any
verbosity that you haven't already enabled then enable it, and if there
isn't then it's probably time to add some. In cases like this I'd add
extra logging statements in the sources and rebuild. It's not unusual
for it to take several iterations to get to the bottom of the problem,
because you don't really know where the extra logging is needed.

If that sounds a bit depressing, how about spinning up a VM with some
more popular distro like Ubuntu or Debian to act as a local mirror?
You'd only need to boot it once or twice a day for a few minutes and
if you installed from a distro's packages it would probably Just Work.

--

73,
Ged.

Re: [clamav-users] New installation 103.3; failing freshclam
Hi, I'm back again. I was here last month, and got some help, but it didn't resolve my issue. I could see some legitimate questions, so I decided I'd better go back and "get my ducks in a row". (This is a hand-made 32-bit version of LFS that has to run on some legacy hardware.)

So...

Here's what freshclam now does:
------------
[09:37 scripts]# cat ~/fresh.log
Sat Jul 17 09:25:51 2021 -> ClamAV update process started at Sat Jul 17 09:25:51 2021
Sat Jul 17 09:25:51 2021 -> daily database available for download (remote version: 26235)
Sat Jul 17 09:25:51 2021 -> ^Download failed (77)
Sat Jul 17 09:25:51 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sat Jul 17 09:25:51 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Jul 17 09:25:51 2021 -> Trying again in 5 secs...
Sat Jul 17 09:25:56 2021 -> daily database available for download (remote version: 26235)
Sat Jul 17 09:25:56 2021 -> ^Download failed (77)
Sat Jul 17 09:25:56 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sat Jul 17 09:25:56 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Jul 17 09:25:56 2021 -> Trying again in 5 secs...
Sat Jul 17 09:26:01 2021 -> daily database available for download (remote version: 26235)
Sat Jul 17 09:26:01 2021 -> !Download failed (77)
Sat Jul 17 09:26:01 2021 -> ! Message: Problem with the SSL CA cert (path? access rights?)
Sat Jul 17 09:26:01 2021 -> !Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Jul 17 09:26:01 2021 -> Giving up on https://database.clamav.net...
Sat Jul 17 09:26:01 2021 -> daily database available for download (remote version: 26235)
Sat Jul 17 09:26:01 2021 -> ^Download failed (77)
Sat Jul 17 09:26:01 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sat Jul 17 09:26:01 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Jul 17 09:26:01 2021 -> Trying again in 5 secs...
Sat Jul 17 09:26:06 2021 -> daily database available for download (remote version: 26235)
Sat Jul 17 09:26:06 2021 -> ^Download failed (77)
Sat Jul 17 09:26:06 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
Sat Jul 17 09:26:06 2021 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Jul 17 09:26:06 2021 -> Trying again in 5 secs...
Sat Jul 17 09:26:11 2021 -> daily database available for download (remote version: 26235)
Sat Jul 17 09:26:11 2021 -> !Download failed (77)
Sat Jul 17 09:26:11 2021 -> ! Message: Problem with the SSL CA cert (path? access rights?)
Sat Jul 17 09:26:11 2021 -> !Can't download daily.cvd from https://database.clamav.net/daily.cvd
Sat Jul 17 09:26:11 2021 -> Giving up on https://database.clamav.net...
Sat Jul 17 09:26:11 2021 -> !Update failed for database: daily
Sat Jul 17 09:26:11 2021 -> !Database update process failed: Connection failed
Sat Jul 17 09:26:11 2021 -> !Update failed.
[09:38 scripts]#
------------

That's the same problem. In brief, here's how the relevant packages were built.

------------
- Jun 20 13:27 net-07-make-ca-0.7
wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_3_root.pem &&

- Jun 22 11:15 opt-02-clamav-0.103.3
# clamav included llvm-2 won't compile w/ gcc-6.20, system llvm
# only supported up to 3.7, and we have 3.81. disable it.
(./configure --sysconfdir=/etc --disable-llvm --disable-ipv6 2>&1 | \
tee log.conf && exit $PIPESTATUS) &&

- Jun 29 10:32 adm-04-curl-7.77.0
(./configure --with-ca-path=/etc/ssl/certs --enable-threaded-resolver \
--with-ca-bundle=/etc/ssl/ca-bundle.crt --with-gnutls --with-openssl \
--disable-static --disable-ipv6 2>&1 | tee log.conf && exit $PIPESTATUS) &&

- Jul 7 22:41 net-05-openssl-1.0.2u
(./config --prefix=/usr --libdir=lib --openssldir=/etc/ssl \
zlib-dynamic shared 2>&1 | tee log.conf && exit $PIPESTATUS) &&

------------

I wonder if I'm building these packages to "play well together" (I thought I was), and if I've even got the right certificate for clam.

Help would be much appreciated. TIA!



--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
On 17.07.21 09:57, Paul Rogers via clamav-users wrote:
> Hi, I'm back again. I was here last month, and got some help, but it
> didn't resolve my issue. I could see some legitimate questions, so I
> decided I'd better go back and "get my ducks in a row". (This is a
> hand-made 32-bit version of LFS that has to run on some legacy hardware.)

>Here's what freshclam now does:
>------------
>[09:37 scripts]# cat ~/fresh.log
>Sat Jul 17 09:25:51 2021 -> ClamAV update process started at Sat Jul 17 09:25:51 2021
>Sat Jul 17 09:25:51 2021 -> daily database available for download (remote version: 26235)
>Sat Jul 17 09:25:51 2021 -> ^Download failed (77)
>Sat Jul 17 09:25:51 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)

doesn't the message "Problem with the SSL CA cert (path? access rights?)"
ring a bell?

do you have CA certificates installed?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

Re: [clamav-users] New installation 103.3; failing freshclam
>>------------
>>[09:37 scripts]# cat ~/fresh.log
>>Sat Jul 17 09:25:51 2021 -> ClamAV update process started at Sat Jul 17 09:25:51 2021
>>Sat Jul 17 09:25:51 2021 -> daily database available for download (remote version: 26235)
>>Sat Jul 17 09:25:51 2021 -> ^Download failed (77)
>>Sat Jul 17 09:25:51 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
>
>doesn't the message "Problem with the SSL CA cert (path? access rights?)"
>ring a bell?
>
>do you have CA certificates installed?

Certainly, as far as the instructions go. I showed how I got them in my prior message, along with the package build config files showing that they all SHOULD be looking in /etc/ssl. I don't know which pem file is the one clam wants though, that name hasn't been presented. (I may be new to clam, but I've been building & running my own LFS systems since 2004.)

[08:49 ~]$ cd /etc/ssl
[08:52 ssl]$ ls -l
total 2464
-rw-r--r-- 1 root root 721996 Apr 10 12:49 ca-bundle.crt
-rw-r--r-- 1 root root 1169241 Apr 10 12:49 certdata.txt
drwxr-xr-x 4 root root 12288 Apr 10 12:49 certs
-rw-r--r-- 1 root root 536403 Apr 10 12:49 email-ca-bundle.crt
drwxr-xr-x 5 root root 4096 Jul 5 18:25 html
drwxr-xr-x 2 root root 4096 Apr 10 12:48 java
drwxr-xr-x 2 root root 4096 Apr 10 12:46 local
drwxr-xr-x 2 root root 4096 Jul 7 22:42 misc
-rw-r--r-- 1 root root 17274 Apr 10 12:49 objsign-ca-bundle.crt
-rw-r--r-- 1 root root 10835 Jul 7 22:42 openssl.cnf
-rw-r--r-- 1 root root 10835 Jan 30 15:30 openssl.cnf.org
drwxr-xr-x 2 root root 4096 Jul 7 22:42 private
[08:53 ssl]$ ls -l certs|head
total 1112
lrwxrwxrwx 1 root root 12 Jul 2 10:33 002c0b4f.0 -> 002c0b4f.pem
-rw-r--r-- 1 root root 7079 Jul 2 10:33 002c0b4f.pem
lrwxrwxrwx 1 root root 12 Apr 10 12:49 02265526.0 -> 02265526.pem
-rw-r--r-- 1 root root 5055 Apr 10 12:48 02265526.pem
lrwxrwxrwx 1 root root 12 Apr 10 12:49 03179a64.0 -> 03179a64.pem
-rw-r--r-- 1 root root 7266 Apr 10 12:48 03179a64.pem
lrwxrwxrwx 1 root root 12 Apr 10 12:49 062cdee6.0 -> 062cdee6.pem
-rw-r--r-- 1 root root 4531 Apr 10 12:48 062cdee6.pem
lrwxrwxrwx 1 root root 12 Apr 10 12:49 064e0aa9.0 -> 064e0aa9.pem


--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
On Sun, 18 Jul 2021, Paul Rogers via clamav-users wrote:

> Date: Sun, 18 Jul 2021 09:06:50 -0700
> From: Paul Rogers via clamav-users <clamav-users@lists.clamav.net>
> To: clamav-users@lists.clamav.net
> Cc: Paul Rogers <paulgrogers@fastmail.fm>
> Subject: Re: [clamav-users] New installation 103.3; failing freshclam
>
> >>------------
> >>[09:37 scripts]# cat ~/fresh.log
> >>Sat Jul 17 09:25:51 2021 -> ClamAV update process started at Sat Jul 17 09:25:51 2021
> >>Sat Jul 17 09:25:51 2021 -> daily database available for download (remote version: 26235)
> >>Sat Jul 17 09:25:51 2021 -> ^Download failed (77)
> >>Sat Jul 17 09:25:51 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
> >
> >doesn't the message "Problem with the SSL CA cert (path? access rights?)"
> >ring a bell?
> >
> >do you have CA certificates installed?
>
> Certainly, as far as the instructions go. I showed how I got them in my prior message, along with the package build config files showing that they all SHOULD be looking in /etc/ssl. I don't know which pem file is the one clam wants though, that name hasn't been presented. (I may be new to clam, but I've been building & running my own LFS systems since 2004.)
>
> [08:49 ~]$ cd /etc/ssl
> [08:52 ssl]$ ls -l
> total 2464
> -rw-r--r-- 1 root root 721996 Apr 10 12:49 ca-bundle.crt
> -rw-r--r-- 1 root root 1169241 Apr 10 12:49 certdata.txt
> drwxr-xr-x 4 root root 12288 Apr 10 12:49 certs
> -rw-r--r-- 1 root root 536403 Apr 10 12:49 email-ca-bundle.crt
> drwxr-xr-x 5 root root 4096 Jul 5 18:25 html
> drwxr-xr-x 2 root root 4096 Apr 10 12:48 java
> drwxr-xr-x 2 root root 4096 Apr 10 12:46 local
> drwxr-xr-x 2 root root 4096 Jul 7 22:42 misc
> -rw-r--r-- 1 root root 17274 Apr 10 12:49 objsign-ca-bundle.crt
> -rw-r--r-- 1 root root 10835 Jul 7 22:42 openssl.cnf
> -rw-r--r-- 1 root root 10835 Jan 30 15:30 openssl.cnf.org
> drwxr-xr-x 2 root root 4096 Jul 7 22:42 private
> [08:53 ssl]$ ls -l certs|head
> total 1112
> lrwxrwxrwx 1 root root 12 Jul 2 10:33 002c0b4f.0 -> 002c0b4f.pem
> -rw-r--r-- 1 root root 7079 Jul 2 10:33 002c0b4f.pem
> lrwxrwxrwx 1 root root 12 Apr 10 12:49 02265526.0 -> 02265526.pem
> -rw-r--r-- 1 root root 5055 Apr 10 12:48 02265526.pem
> lrwxrwxrwx 1 root root 12 Apr 10 12:49 03179a64.0 -> 03179a64.pem
> -rw-r--r-- 1 root root 7266 Apr 10 12:48 03179a64.pem
> lrwxrwxrwx 1 root root 12 Apr 10 12:49 062cdee6.0 -> 062cdee6.pem
> -rw-r--r-- 1 root root 4531 Apr 10 12:48 062cdee6.pem
> lrwxrwxrwx 1 root root 12 Apr 10 12:49 064e0aa9.0 -> 064e0aa9.pem
>

I'd like to point to the following thread :

Thread: ubuntu 18.04 LTS cannot verify SSL certificate
https://ubuntuforums.org/showthread.php?t=2464923

where the same error shows up, because a package by the name
Cisco PacketTracer 7.3.1 was installed .

Robert
--
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org stock@stokkie.net


Re: [clamav-users] New installation 103.3; failing freshclam
Hi there,

On Sun, 18 Jul 2021, Paul Rogers via clamav-users wrote:

>> do you have CA certificates installed?
>
> Certainly, as far as the instructions go. I showed how I got them
> in my prior message, along with the package build config files
> showing that they all SHOULD be looking in /etc/ssl. I don't know
> which pem file is the one clam wants though, that name hasn't been
> presented. (I may be new to clam, but I've been building & running
> my own LFS systems since 2004.)

ClamAV is relying on curl, and if you intend to carry on digging then
like Micah I think that's where you need to be looking. So the extra
logging that I suggested should be in curl, not in ClamAV. See e.g.

https://curl.se/libcurl/c/CURLOPT_VERBOSE.html

But why didn't you just spin up a VM like I suggested? With a little
bit of effort you'd have had it up and running nearly three weeks ago.

PS:

> drwxr-xr-x 2 root root 4096 Jul 7 22:42 private

Those permissions look wrong to me.

--

73,
Ged.

Re: [clamav-users] New installation 103.3; failing freshclam
>
> I'd like to point to the following thread :
>
> Thread: ubuntu 18.04 LTS cannot verify SSL certificate
> https://ubuntuforums.org/showthread.php?t=2464923
>
> where the same error shows up, because a package by the name
> Cisco PacketTracer 7.3.1 was installed .
>
> Robert

Packets? Interesting idea. No, nothing like that here with a LFS based system and a KISS paradigm, but I DO have a very tight firewall. I don't allow packets out just anywhere they please--not allowing ET to phone home--as a security measure. I wasn't looking for it to get caught that way. Sheesh, probably should've. If it uses a special port, there'll be a message. I'll try again later today and look for the firewall hit. Thanks for the idea, that seems promising!

Sheesh! You've no idea how much work I did "putting my ducks in a row". It led me down a rabbit-hole, just making sure.

--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
> Packets? Interesting idea. No, nothing like that here with a LFS
> based system and a KISS paradigm, but I DO have a very tight firewall.
> I don't allow packets out just anywhere they please--not allowing ET to
> phone home--as a security measure. I wasn't looking for it to get
> caught that way. Sheesh, probably should've. If it uses a special
> port, there'll be a message. I'll try again later today and look for
> the firewall hit. Thanks for the idea, that seems promising!

Nope, nothing blocked by my firewall. Still an open question.

What would be the name of the pem file? I can see if I have that.

Again, here's how I got them:

install -vdm755 /etc/ssl/local &&
wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_3_root.pem &&
(make install 2>&1 | tee log.inst && exit $PIPESTATUS) &&

--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
> ClamAV is relying on curl, and if you intend to carry on digging then
> like Micah I think that's where you need to be looking. So the extra
> logging that I suggested should be in curl, not in ClamAV. See e.g.
>
> https://curl.se/libcurl/c/CURLOPT_VERBOSE.html

I'm afraid this is no help to me. My programming experience long predates C; FORTRAN II was my native tongue. I'm now so old my short-term memory is shot; I CAN'T learn it now. A somewhat competent sysadmin is all I can manage. I did a little grepping, but found no place I was confident to set it. But configure says it was built in (note march=i686!):

configure: Configured to build curl/libcurl:

Host setup: i686-pc-linux-gnu
Install prefix: /usr/local
Compiler: gcc
CFLAGS: -march=i686 -Werror-implicit-function-declaration -O2 -Wno-system-headers -pthreadsystem /usr/local/include
LDFLAGS: -L/usr/lib -L/usr/local/lib
LIBS: -lnettle -lgnutls -lssl -lcrypto -lssl -lcrypto -lz

curl version: 7.77.0
SSL: enabled (OpenSSL, GnuTLS)
SSH: no (--with-{libssh,libssh2})
zlib: enabled
brotli: no (--with-brotli)
zstd: no (--with-zstd)
GSS-API: no (--with-gssapi)
GSASL: no (libgsasl not found)
TLS-SRP: enabled
resolver: POSIX threaded
IPv6: no (--enable-ipv6)
Unix sockets: enabled
IDN: no (--with-{libidn2,winidn})
Build libcurl: Shared=yes, Static=no
Built-in manual: enabled
--libcurl option: enabled (--disable-libcurl-option)
Verbose errors: enabled (--disable-verbose)
Code coverage: disabled
SSPI: no (--enable-sspi)
ca cert bundle: /etc/ssl/ca-bundle.crt
ca cert path: /etc/ssl/certs
ca fallback: no
LDAP: no (--enable-ldap / --with-ldap-lib / --with-lber-lib)
LDAPS: no (--enable-ldaps)
RTSP: enabled
RTMP: no (--with-librtmp)
Metalink: no (--with-libmetalink)
PSL: no (libpsl not found)
Alt-svc: enabled (--disable-alt-svc)
HSTS: enabled (--disable-hsts)
HTTP1: enabled (internal)
HTTP2: no (--with-nghttp2, --with-hyper)
HTTP3: no (--with-ngtcp2, --with-quiche)
ECH: no (--enable-ech)
Protocols: DICT FILE FTP FTPS GOPHER GOPHERS HTTP HTTPS IMAP IMAPS MQTT POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP
Features: AsynchDNS HSTS HTTPS-proxy Largefile MultiSSL NTLM NTLM_WB SSL TLS-SRP UnixSockets alt-svc libz

> But why didn't you just spin up a VM like I suggested? With a little
> bit of effort you'd have had it up and running nearly three weeks ago.

Because this old system built to run on legacy 32-bit hardware only has llvm installed and that because it's a Mesa dependency, nothing higher. This is not a kitchen-sink distro.

>> drwxr-xr-x 2 root root 4096 Jul 7 22:42 private

> Those permissions look wrong to me.

It's empty anyhow. What should it be? (I was running freshclam as root.)

--
Paul Rogers
paulgrogers@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

Re: [clamav-users] New installation 103.3; failing freshclam
Hi Paul,

Check out what SSL groups are set in /etc/groups.
On my Ubuntu, the SSL directories are (edited out dates/size):

drwxr-xr-x 3 root root /etc/ssl/certs/
drwx--x--- 2 root ssl-cert /etc/ssl/private/

SSL/Curl will complain about these if not set correctly so 'private' and
'certs' will need to be set up properly:

chgrp ssl-cert /etc/ssl/private
chmod 710 /etc/ssl/private
chmod 755 /etc/ssl/certs

You should have an ssl-cert or something similar in your /etc/groups file.

The only private key I have is ssl-cert-snakeoil so what freshclam will
need will be something in 'certs'.

Ged/others may know which specific pem/crt files are needed to get
freshclam to play ball. I don't.

I am sorry that I can't help much further as my x86 LFS dist is not
available at the moment so I can't replicate the issues.

I hope this helps a bit.

Regards
Mark.

On 19/07/2021 18:07, Paul Rogers via clamav-users wrote:
>> ClamAV is relying on curl, and if you intend to carry on digging then
>> like Micah I think that's where you need to be looking. So the extra
>> logging that I suggested should be in curl, not in ClamAV. See e.g.
>>
>> https://curl.se/libcurl/c/CURLOPT_VERBOSE.html
>
> I'm afraid this is no help to me. My programming experience long predates C; FORTRAN II was my native tongue. I'm now so old my short-term memory is shot; I CAN'T learn it now. A somewhat competent sysadmin is all I can manage. I did a little grepping, but found no place I was confident to set it. But configure says it was built in (note march=i686!):
>
> configure: Configured to build curl/libcurl:
>
> Host setup: i686-pc-linux-gnu
> Install prefix: /usr/local
> Compiler: gcc
> CFLAGS: -march=i686 -Werror-implicit-function-declaration -O2 -Wno-system-headers -pthreadsystem /usr/local/include
> LDFLAGS: -L/usr/lib -L/usr/local/lib
> LIBS: -lnettle -lgnutls -lssl -lcrypto -lssl -lcrypto -lz
>
> curl version: 7.77.0
> SSL: enabled (OpenSSL, GnuTLS)
> SSH: no (--with-{libssh,libssh2})
> zlib: enabled
> brotli: no (--with-brotli)
> zstd: no (--with-zstd)
> GSS-API: no (--with-gssapi)
> GSASL: no (libgsasl not found)
> TLS-SRP: enabled
> resolver: POSIX threaded
> IPv6: no (--enable-ipv6)
> Unix sockets: enabled
> IDN: no (--with-{libidn2,winidn})
> Build libcurl: Shared=yes, Static=no
> Built-in manual: enabled
> --libcurl option: enabled (--disable-libcurl-option)
> Verbose errors: enabled (--disable-verbose)
> Code coverage: disabled
> SSPI: no (--enable-sspi)
> ca cert bundle: /etc/ssl/ca-bundle.crt
> ca cert path: /etc/ssl/certs
> ca fallback: no
> LDAP: no (--enable-ldap / --with-ldap-lib / --with-lber-lib)
> LDAPS: no (--enable-ldaps)
> RTSP: enabled
> RTMP: no (--with-librtmp)
> Metalink: no (--with-libmetalink)
> PSL: no (libpsl not found)
> Alt-svc: enabled (--disable-alt-svc)
> HSTS: enabled (--disable-hsts)
> HTTP1: enabled (internal)
> HTTP2: no (--with-nghttp2, --with-hyper)
> HTTP3: no (--with-ngtcp2, --with-quiche)
> ECH: no (--enable-ech)
> Protocols: DICT FILE FTP FTPS GOPHER GOPHERS HTTP HTTPS IMAP IMAPS MQTT POP3 POP3S RTSP SMB SMBS SMTP SMTPS TELNET TFTP
> Features: AsynchDNS HSTS HTTPS-proxy Largefile MultiSSL NTLM NTLM_WB SSL TLS-SRP UnixSockets alt-svc libz
>
>> But why didn't you just spin up a VM like I suggested? With a little
>> bit of effort you'd have had it up and running nearly three weeks ago.
>
> Because this old system built to run on legacy 32-bit hardware only has llvm installed and that because it's a Mesa dependency, nothing higher. This is not a kitchen-sink distro.
>
>>> drwxr-xr-x 2 root root 4096 Jul 7 22:42 private
>
>> Those permissions look wrong to me.
>
> It's empty anyhow. What should it be? (I was running freshclam as root.)
>
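An added diagnostic (example code, not from anyone in this thread) that checks the CA-store conditions raised above: the bundle and directory curl was built to use, taken from Paul's configure output, the hashed links a CA directory needs before OpenSSL-based curl can use it, and the /etc/ssl modes Mark quoted. The scratch-tree usage and the `--system` flag are the example's own.

```sh
#!/bin/sh
# Added diagnostic, not from the thread. Defaults come from Paul's curl
# configure output ("ca cert bundle: /etc/ssl/ca-bundle.crt", "ca cert path:
# /etc/ssl/certs", "ca fallback: no") and from the directory modes Mark
# quoted; every path is a parameter so the checks also run on a scratch tree.

# mode_of PATH -> octal permission bits such as 755 (GNU or busybox stat)
mode_of() { stat -c '%a' "$1"; }

# check_dir_mode DIR WANT -> 0 when DIR exists and has exactly mode WANT
check_dir_mode() {
  [ -d "$1" ] || { echo "missing directory: $1"; return 1; }
  have=$(mode_of "$1")
  [ "$have" = "$2" ] || { echo "$1: mode $have, expected $2"; return 1; }
}

# count_certs FILE -> number of PEM certificates in FILE (0 if unreadable)
count_certs() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_ca_store BUNDLE DIR -> 0 when curl has at least one usable CA source:
# a readable bundle with certificates, or a directory holding the hashed
# links (<hash>.0) that "openssl rehash" / c_rehash create. A build with
# "ca fallback: no" consults nothing else, so root certificates copied to
# some other directory never take part in verification.
check_ca_store() {
  bundle=$1; dir=$2; usable=1
  if [ "$(count_certs "$bundle")" -gt 0 ]; then
    usable=0
  else
    echo "CA bundle $bundle: no readable certificates"
  fi
  if [ -d "$dir" ] && ls "$dir"/*.0 >/dev/null 2>&1; then
    usable=0
  else
    echo "CA path $dir: no hashed links (run 'openssl rehash $dir')"
  fi
  return $usable
}

# Invoke with --system to test the real locations from the configure output.
if [ "$1" = "--system" ]; then
  check_dir_mode /etc/ssl/private 710
  check_dir_mode /etc/ssl/certs 755
  check_ca_store /etc/ssl/ca-bundle.crt /etc/ssl/certs
fi
```

Run it as the same user freshclam runs as, since a bundle that root can read but the freshclam user cannot fails the same way as a missing one.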

Re: [clamav-users] New installation 103.3; failing freshclam
Hi there,

On Mon, 19 Jul 2021, Paul Rogers via clamav-users wrote:
>
>> G.W. Haywood wrote:
>> https://curl.se/libcurl/c/CURLOPT_VERBOSE.html
>
> I'm afraid this is no help to me. My programming experience long
> predates C, FORTRAN II was my native tongue.

Sorry, when you wrote

>>> I may be new to clam, but I've been building & running my own LFS
>>> systems since 2004.

I guess I got the wrong impression. Perhaps you should try

https://curl.se/mail/

for help configuring curl's logging.

You do seem to be making things more difficult than necessary. Much
as I don't like some of the decisions that are made by many of the
distro purveyors, it's worth years of toil and strife just to be able
to install things with one command given to a package manager. Until
now I'd have thought anyone running LFS wouldn't find much use for
ClamAV but wouldn't have much difficulty in using it. What's the use
case for ClamAV in your system? From what you've said I'd think that
the attackable surface would be so small that ClamAV could contribute
relatively little to its further reduction.

> ... note march=i686! ...

I don't think that's relevant here.

>> But why didn't you just spin up a VM like I suggested? With a little
>> bit of effort you'd have had it up and running nearly three weeks ago.
>
> Because this old system built to run on legacy 32-bit hardware only
> has llvm installed ...

Again, the badly-named llvm is irrelevant.

> This is not a kitchen-sink distro.

Yes, it's Linux From Scratch. But you do run X, and some kind of a
window manager? Can you not install VirtualBox?

>>> drwxr-xr-x 2 root root 4096 Jul 7 22:42 private
>
>> Those permissions look wrong to me.
>
> It's empty anyhow. What should it be? (I was running freshclam as root.)

drwxr-x--- 2 root root 4096 Jul 7 22:42 private

It's called 'private' for a reason. :) But it's not the issue here.

--

73,
Ged.
