Mailing List Archive

[clamav-users] freshclam cert problems with new install
Hi - first posting here

Brand new install of clamav and first thing I ran was "sudo freshclam" which gave the following.

McMadmin: sudo freshclam
ClamAV update process started at Thu Feb 24 20:38:54 2022
daily database available for download (remote version: 26463)
WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
daily database available for download (remote version: 26463)
WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Trying again in 5 secs...
daily database available for download (remote version: 26463)
ERROR: Download failed (60) ERROR: Message: SSL peer certificate or SSH remote key was not OK
ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Giving up on https://database.clamav.net...
ERROR: Update failed for database: daily
ERROR: Database update process failed: Connection failed
ERROR: Update failed.

So then I used

openssl s_client -connect database.clamav.net:443 -servername clamav.net -showcerts | openssl x509 -text -noout


Which returned

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e7:28:4e:d7:e1:29:eb:04:df:95:78:6a:e4:cd:8a:d0
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
Validity
Not Before: Apr 6 00:00:00 2020 GMT
Not After : Oct 13 23:59:59 2020 GMT
Subject: CN = ssl392509.cloudflaressl.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0c:b2:3d:e1:a0:35:46:7b:0c:30:95:c6:62:17:
5d:b1:a0:04:71:27:f5:d7:30:4b:fa:fa:db:ec:5f:
20:c3:58:dc:12:cc:b2:62:31:f1:1e:5e:99:8f:dd:

Looks like the cert expired months ago. .... Or am I doing something wrong?

Is there an alternate mirror I can try? I am UK based.


Thanks in advance.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] freshclam cert problems with new install
Hi there,

On Fri, 25 Feb 2022, fergus mcmenemie wrote:

> Hi - first posting here

Welcome. :)

> Brand new install of clamav ...

Exactly which version, installed from what (package, tarball, ...)?

> first thing I ran was "sudo freshclam" which gave the following.

So I assume it's Linux, but which distribution/version? They aren't
all created equal when it comes to certificates. :/

> ...
> WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
> ...

This happens only occasionally. It's most unlikely to be a problem at
the servers because if it were, this list would quickly go ballistic.

> ... openssl s_client -connect database.clamav.net:443 ...
> Looks like the cert expired months ago. .... Or am I doing something wrong?
>
> Is there an alternate mirror I can try? I am UK based.

Don't worry about that. I'm using the same mirrors. It's a content
delivery network so there's only one name but many servers. I see the
same here but updates work OK, as they do for many thousands of other
users. I feel sure the problem is certificate-related, at your end.

There are a few possibilities. First check that your system time and
date are accurate. For keeping it right automatically my experience
is that the best results are from chrony, but ntpd is an alternative.
By 'best' I mean least aggravation, not necessarily most accurate - a
few milliseconds is more than good enough for anything I do but it's
seemed to me that chronyd copes better with e.g. breaks in connection
even if it doesn't offer nanosecond precision.

If (as is likely) the correct time wasn't an issue, look at for example

https://www.mail-archive.com/clamav-users@lists.clamav.net/msg48856.html
https://yhetil.org/guix-user/877dyw4i2g.fsf@nckx/t/
https://github.com/Cisco-Talos/clamav/issues/404
https://community.cloudflare.com/t/clamav-freshclam-cannot-download-any-file-using-cloudflare-inc-ecc-ca-3-certificate-due-to-a-cookie-alert/252406/9
https://github.com/solita/clamav-rest/issues/25
https://stackoverflow.com/questions/24372942/ssl-error-unable-to-get-local-issuer-certificate

and if nothing there helps please get back to us.

--

73,
Ged.

Re: [clamav-users] freshclam cert problems with new install
> Hi there,
>
> On Fri, 25 Feb 2022, fergus mcmenemie wrote:
>
>> Hi - first posting here
>
> Welcome. :)
>
>> Brand new install of clamav ...
> Exactly which version, installed from what (package, tarball, ...)?

Version clamav-0.103.5 from a tarball on a Mac running 10.13.6. I build everything
from tarballs. I tried clamav-0.104.2 but I just could not get cmake + ncurses to build;
why on earth has ncurses been added to clamav?

With your hints, particularly your "it's at your end", I eventually went looking for
exactly where curl (curl-7.81.0) was fetching its authoritative list of root certs
from. It is a Mac so it could have been coming from the keychain. Running
freshclam --verbose --debug
made it appear curl was accessing a list of root certs from somewhere. However this
was not the case. After discovering

curl-config --ca

it revealed there was no curl default root store. I had to recompile curl with

./configure --with-openssl --without-libssh2 --disable-ldap --disable-ldaps \
--with-ca-bundle=/usr/local/openssl/certs/cacert.pem

Freshclam then worked a charm. The file cacert.pem was freshly fetched from the internet.

>> first thing I ran was "sudo freshclam" which gave the following.
> So I assume it's Linux, but which distribution/version? They aren't
> all created equal when it comes to certificates. :/
>
>> ...
>> WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
>> ...
>
> This happens only occasionally. It's most unlikely to be a problem at
> the servers because if it were, this list would quickly go ballistic.

The expired certs were due to confusion from the tooling. I had used the following to investigate my issue

openssl s_client -connect database.clamav.net:443 -CAfile=/usr/local/packages3/downloads/cacert.pem

which reported the invalid certs. However, while you can normally get away with that,
in this case I should have used the following to cope with Cloudflare weirdness.

openssl s_client -connect database.clamav.net:443 -CAfile=/usr/local/packages3/downloads/cacert.pem \
-servername database.clamav.net

This reported the cert was fine.

Thanks Ged.
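
The checks from this thread collected into one script, as an added example that is not part of the original posts: it classifies the CA bundle curl was built with, extracts verify errors from `openssl s_client` output, and compares the certificate served with and without SNI. The function names and the sample text are constructed; `-noservername` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: triage helpers for freshclam's curl error 60.
# Function names and SAMPLE are constructed for illustration.

# Constructed s_client excerpt in the shape of the output quoted in the thread.
SAMPLE='depth=2 C = GB, O = Example CA, CN = Example Root
verify error:num=20:unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)'

# Classify a CA bundle path: prints "missing", "empty" or "ok:<cert count>".
ca_bundle_status() {
    [ -n "$1" ] && [ -f "$1" ] || { echo missing; return 0; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$n" -gt 0 ]; then echo "ok:$n"; else echo empty; fi
}

# Read s_client output on stdin; print each distinct "num:reason" verify error.
verify_errors() {
    sed -n 's/^verify error:num=\([0-9]*\):\(.*\)$/\1:\2/p' | sort -u
}

# Map an OpenSSL verify error number to the local cause to check first.
likely_cause() {
    case $1 in
        19|20|21) echo "trust store: issuer not in the CA bundle in use" ;;
        9|10)     echo "validity: check the system clock, then the SNI name sent" ;;
        *)        echo "other: read the full s_client output" ;;
    esac
}

# Live check (network; -noservername needs OpenSSL 1.1.1+): print the leaf
# certificate served with the correct SNI name and with no SNI at all.
compare_sni() {
    for sni in "-servername $1" "-noservername"; do
        echo "== $sni"
        # $sni is left unquoted on purpose so it splits into option + value
        openssl s_client -connect "$1:443" $sni </dev/null 2>/dev/null |
            openssl x509 -noout -subject -enddate
    done
}

if [ "${1:-}" = "--live" ]; then
    echo "curl CA bundle: $(ca_bundle_status "$(curl-config --ca)")"
    compare_sni "${2:-database.clamav.net}"
else
    printf '%s\n' "$SAMPLE" | verify_errors | while IFS=: read -r num reason; do
        echo "verify error $num ($reason) -> $(likely_cause "$num")"
    done
fi
```

Run with no arguments it analyses the constructed sample offline; `--live [host]` performs the network checks against the host given.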

