Curl fails to verify ssl certificates

Please follow the below template, it will help us to help you!

Expected Behaviour:

pihole -up is expected to be able to fetch the latest FTL version, but it fails to verify the SSL certificate lately; the same goes for gravity updates, thus it empties the blacklist :frowning:

#uname -a
Linux raspberrypi 5.10.17+ #1421 Thu May 27 13:58:02 BST 2021 armv6l GNU/Linux

Adding -k to curl in /opt/pihole/gravity.sh fixes the gravity downloading though, but pihole -up seems to overwrite itself, so the same fix can't be applied here :slight_smile:

Actual Behaviour:

#pihole -up
...
[i] Checking for existing FTL binary...
[i] Downloading and Installing FTL...curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[✗] Downloading and Installing FTL
Error: URL https://github.com/pi-hole/ftl/releases/latest/download/pihole-FTL-armv6-linux-gnueabihf not found
[✗] FTL Engine not installed

Unable to complete update, please contact Pi-hole Support

Debug Token:

https://tricorder.pi-hole.net/0wDcAoKE/

This appears to be a certificate problem at your end.

The Pi-hole certificate is valid (I just successfully ran pihole -up), and all the certificates for the adlist URLs appear to be valid as well.

Have you followed the steps in the link you included?

Yes, tried that but it failed also, will attempt again...

Run from your Pi-hole machine, what's the output of

apt-cache policy ca-certificates
~# apt-cache policy ca-certificates
ca-certificates:
  Installed: 20200601~deb10u2
  Candidate: 20200601~deb10u2
  Version table:
 *** 20200601~deb10u2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status

Weirdly got another instance running at another site, working perfectly and it says the same as above.

Both instances have the same curl version:

~# curl --version
curl 7.64.0 (arm-unknown-linux-gnueabihf) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5  libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

Found a valid 'DigiCert High Assurance EV Root CA' certificate from https://curl.se and stored it in the CA store; this seems to have fixed the trust of github.com and githubusercontent.com again :slight_smile:

Still wondering a bit as my other pi-hole instance seems to fetch more blacklisted domains from other sources than just from StevenBlack, as I remember it one of them was a list ending in '/domains'

This instance gets me this only:

~# /opt/pihole/gravity.sh 
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✓] Status: Retrieval successful
  [i] Analyzed 85386 domains
  [i] List stayed unchanged

  [i] Target: https://mirror1.malwaredomains.com/files/justdomains
  [✗] Status: Not found
  [✗] List download failed: no cached list available

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [i] Number of gravity domains: 85386 (85386 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 5
  [i] Number of regex whitelist filters: 2
  [✓] Flushing DNS cache
  [✓] Cleaning up stray matter

  [✓] DNS service is listening
  [✓] UDP (IPv4)
  [✓] TCP (IPv4)
  [✓] UDP (IPv6)
  [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

That gravity run is normal. One of your subscribed lists no longer exists, so no content is obtained there.

Right U'R :grinning_face_with_smiling_eyes:
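
As an added example (not part of the thread and not Pi-hole's own code), a check for the situation discussed above: with certificate verification left on, confirm whether the root the poster restored is present and unexpired in the bundle curl reads. The bundle path is the Debian/Raspbian default and is an assumption, and the function names `load_roots` and `check_root` are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Root named in the thread; the bundle path is the Debian/Raspbian default
# and is an assumption of this example.
WANTED_ROOT = "DigiCert High Assurance EV Root CA"
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def load_roots(bundle_path):
    """Return {subject name: notAfter (UTC datetime)} for each CA in a PEM bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=bundle_path)
    except (OSError, ValueError):
        # Missing, empty or corrupt bundle: nothing in it can be trusted.
        return {}
    roots = {}
    for cert in ctx.get_ca_certs():
        subject = dict(pair for rdn in cert["subject"] for pair in rdn)
        name = subject.get("commonName") or subject.get("organizationName")
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        roots[name] = datetime.fromtimestamp(not_after, tz=timezone.utc)
    return roots


def check_root(bundle_path, wanted=WANTED_ROOT, now=None):
    """Classify one root in the bundle as 'present', 'expired' or 'missing'."""
    now = now or datetime.now(timezone.utc)
    roots = load_roots(bundle_path)
    if wanted not in roots:
        return "missing"
    return "expired" if roots[wanted] <= now else "present"


if __name__ == "__main__":
    print(f"{WANTED_ROOT}: {check_root(DEFAULT_BUNDLE)}")
    for name, expires in sorted(load_roots(DEFAULT_BUNDLE).items(), key=lambda kv: kv[1]):
        if expires <= datetime.now(timezone.utc):
            print(f"expired root still in bundle: {name} ({expires:%Y-%m-%d})")
```

Running it on a working and a failing instance and comparing the output shows whether the two CA stores actually differ, even when `apt-cache policy ca-certificates` reports the same package version on both.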
