Let's encrypt cert missing in Slackware64 15
Marco Moock
2023-12-26 11:46:33 UTC
Hello!

I installed Slackware64 in VirtualBox.

When I try to use slackpkg, verification of the checksum fails at the
end.

When I try to manually download the key to diagnose that,

***@slack:/home/m# wget https://www.slackware.com/infra/keys/GPG-KEY
--2023-12-26 12:32:09-- https://www.slackware.com/infra/keys/GPG-KEY
Resolving www.slackware.com (www.slackware.com)...
2a02:26f0:7100::211:64c2, 2a02:26f0:7100::211:6498, 2.20.143.113, ...
Connecting to www.slackware.com
(www.slackware.com)|2a02:26f0:7100::211:64c2|:443... connected. ERROR:
cannot verify www.slackware.com's certificate, issued by ‘CN=R3,O=Let's
Encrypt,C=US’: Unable to locally verify the issuer's authority. To
connect to www.slackware.com insecurely, use `--no-check-certificate'.
***@slack:/home/m#

In /etc/ssl are certificates, but not Let's encrypt. What is the reason
for that?
Is that intended or did something at the installation process fail?

I am aware that I can manually add it, but for me that case looks
rather strange because Slackware's official servers can't be used
without it.
--
kind regards
Marco

Spam and advertising please to ***@nirvana.admins.ws
RinaldiJ
2023-12-26 20:10:20 UTC
Post by Marco Moock
Hello!
I installed Slackware64 in VirtualBox.
When I try to use slackpkg, verification of the checksum fails at the
end.
Did you run:

# slackpkg update gpg

Rinaldi
--
Marco Moock
2023-12-26 20:29:28 UTC
Post by RinaldiJ
# slackpkg update gpg
I did.

***@slack:/home/m# slackpkg update gpg

Getting key from
https://www.slackware.com/infra/keys/GPG-KEY

***@slack:/home/m#

However, the error stays the same.

Is gpg related to the X.509 certs in /etc/ssl?

I think the missing Let's Encrypt certificate is a serious issue here
because it breaks much TLS stuff.
Alexander Grotewohl
2023-12-27 02:05:43 UTC
Post by Marco Moock
Post by RinaldiJ
# slackpkg update gpg
I did.
Getting key from
https://www.slackware.com/infra/keys/GPG-KEY
However, the error stays the same.
Is gpg related to the X.509 certs in /etc/ssl?
I think the missing Let's Encrypt certificate is a serious issue here
because it breaks much TLS stuff.
Did you perhaps pick a custom selection of software to install? "Don't
need this, don't need that" type of thing?

Despite how it looks, last I tried it, getting slackpkg working needs a
large list of dependencies that aren't marked "required" or might not be
obvious.

If it's broke with installing everything, then it might actually be broke.

Alex
Marco Moock
2023-12-27 06:27:07 UTC
Post by Alexander Grotewohl
Did you perhaps pick a custom selection of software to install?
"Don't need this, don't need that" type of thing?
Yes, I did.
Which sections does it definitely need?

For example I didn't select Xfce nor KDE desktop.
Henrik Carlqvist
2023-12-27 07:20:34 UTC
Post by Marco Moock
Which sections does it definitely need?
For example I didn't select Xfce nor KDE desktop.
Unfortunately there is no such thing as a dependency map of all Slackware
packages, the recommended way to install Slackware is a full install.

However, your error might indicate that the ca-certificates package is
missing or outdated. Since Slackware 15.0 was released, the
ca-certificates package has been updated no less than 10 times if I count
correctly. The last update of ca-certificates was in November this year.

To install Slackware, did you download an iso file? Or do you possibly
have an old official DVD/CDROM slackware installation media from the good
old time when it was possible to purchase official installation media?
The GPG-KEY file that you are looking for was included on the good old
official installation media as well as the isos that you download
yourself today. The tricky thing with the isos that you download yourself
is that you somehow need to ask yourself "how do I know that this GPG-KEY
file on this .iso has not been tampered with?".

regards Henrik
Marco Moock
2023-12-27 08:59:14 UTC
Post by Henrik Carlqvist
To install Slackware, did you download an iso file?
I did use the Slackware64 15 iso.

Although, I will do a reinstall and carefully document what I will do.
Marco Moock
2023-12-27 11:52:19 UTC
Post by Marco Moock
Although, I will do a reinstall and carefully document what I will do.
I now only unselected KDE, kernel sources and Xfce.

Now it works, the LE certs seem to be there and slackpkg works.
noel
2023-12-27 22:54:00 UTC
Post by Marco Moock
Post by Marco Moock
Although, I will do a reinstall and carefully document what I will do.
I now only unselected KDE, kernel sources and Xfce.
Now it works, the LE certs seem to be there and slackpkg works.
LE certs work out of the box on slackware even back to 14.0, not sure
what's wrong with your original install, make sure you apply all updates,
since 15.0 was sadly now released 6 weeks short of 2 years ago the
defaults are rather dated, but I suspect something else in your install
went haywire.

In the future try update-ca-certificates although this is not
needed if you apply updates via slackpkg upgrade-all
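
The checks suggested in the replies above can be run in one pass. This is an added sketch, not code from any poster or from Slackware. It assumes package records live in var/log/packages, the generated bundle is etc/ssl/certs/ca-certificates.crt, and the root behind the R3 issuer from the wget error is present as etc/ssl/certs/ISRG_Root_X1.pem; the function name and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: offline triage of the CA trust store on a Slackware tree.
# Assumed paths (not given in the thread): package records in
# var/log/packages, generated bundle at etc/ssl/certs/ca-certificates.crt,
# and a per-CA file etc/ssl/certs/ISRG_Root_X1.pem for the Let's Encrypt root.

check_ca_trust() {
    ct_root="${1:-}"    # empty = live system; otherwise a mounted/test tree
    ct_pkgs="$ct_root/var/log/packages"
    ct_certs="$ct_root/etc/ssl/certs"

    # 1. Package record present? A trimmed install can omit it entirely.
    set -- "$ct_pkgs"/ca-certificates-*
    if [ ! -e "$1" ]; then
        echo "missing-package"; return 1
    fi
    # Record name is name-version-arch-build; keep only the version field.
    ct_ver="${1##*/ca-certificates-}"
    ct_ver="${ct_ver%%-*}"

    # 2. Bundle generated? This is the file TLS clients such as wget read.
    if [ ! -s "$ct_certs/ca-certificates.crt" ]; then
        echo "missing-bundle version=$ct_ver"; return 2
    fi
    ct_n=$(grep -c -e '-----BEGIN CERTIFICATE-----' \
        "$ct_certs/ca-certificates.crt" || true)

    # 3. Root CA that the Let's Encrypt R3 intermediate chains to.
    if [ ! -e "$ct_certs/ISRG_Root_X1.pem" ]; then
        echo "missing-isrg-root version=$ct_ver certs=$ct_n"; return 3
    fi
    echo "ok version=$ct_ver certs=$ct_n"
}

# Stand-alone use: pass a root prefix, or nothing for the running system.
check_ca_trust "${1:-}" ||
    echo "fix: install/upgrade ca-certificates, then update-ca-certificates" >&2
```

A non-zero status separates the three failure modes discussed in the thread: package never installed, bundle not generated, or a store without the Let's Encrypt root.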
noel
2023-12-27 23:21:52 UTC
Post by Marco Moock
For example I didn't select Xfce nor KDE desktop.
To give you a hint (slackpkg templates are too big to post on usenet),
but on servers my /etc/slackpkg/blacklist file is (to avoid being
installed even with install-new etc...)


# don't mess with customs sbo's
[0-9]+_SBo


# if you install GUI on servers, update your resume, you'll be needing it
kde/
xap/
x/
xfce/


# use the cleaner acme.sh instead
dehydrated


# excluded: regardless of server type we build our own custom daemons
# see /netops/servers/builds for ./configure's on the daemon type you need
postfix
mariadb
dovecot
httpd
apr
apr-util
php


# other stuff we don't want on servers
wireless_tools
farstream
dvdauthor
gst-plugins-libav
phonon-backend-gstreamer
openresolv
gtk4
gnome-themes-extra
ffmpeg
openldap



(libs may still drag in some Xlibs stuff in normal libs section which is
unavoidable - some people say it doesn't matter the packages are tiny, what
they don't get is the size is not the issue, every extra library available
that can be included in a ./configure introduces an extra exploit risk
possibility)
noel
2023-12-27 23:29:39 UTC
Big warning - don't blindly copy/paste from my blacklist below, "pan"
seems to have messed up my copy/paste big time when I clicked send, but
it gives you an idea....
Post by noel
Post by Marco Moock
For example I didn't select Xfce nor KDE desktop.
To give you a hint (slackpkg templates are too big to post on usenet),
but on servers my /etc/slackpkg/blacklist file is (to avoid being
installed even with install-new etc...
# don't mess with customs sbo's [0-9]+_SBo
# if you install GUI on servers, update your resume, you'll be needing
it kde/
xap/
x/
xfce/
# use the cleaner acme.sh instead dehydrated
# excluded: regardless of server type we build our own custom daemons #
see /netops/servers/builds for./configure's on the daemon type you need
postfix mariadb dovecot httpd apr apr-util php
# other stuff we don't want on servers wireless_tools farstream
dvdauthor gst-plugins-libav phonon-backend-gstreamer openresolv gtk4
gnome-themes-extra ffmpeg openldap
(libs may still drag in some Xlibs stuff in normal libs section which is
unavoidable - some people say it doesn't matter the packages are tiny,
what they don't get is the size is not the issue, every extra library
available that can be included in a ./configure introduces an extra
exploit risk possibility)