Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
4
votes
1
answers
8198
views
SSL Certificate Problem: unable to get local issuer certificate
I have a small initramfs with a static busybox in it. The sole purpose of this initramfs is to download/upload files to the HTTPS server.
I have the proper certificate and credentials to do so. But when I execute the command:
curl --cacert /tmp/filename.pem -T /tmp/file_to_upload -u user:pass https://Server_name/
I am greeted with an error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
If I use the same command with the same certificate on Ubuntu, then everything goes smoothly.
How am I supposed to resolve this issue?
**EDIT:** I do not want to use the "-k" or "--insecure" switch.
**NOTE:** I do not have openssl or the /etc/ssl directory in the initramfs.
SHW
(15376 rep)
May 26, 2016, 11:30 AM
• Last activity: Aug 6, 2025, 07:00 PM
0
votes
0
answers
69
views
Trying to programmatically get the RADIUS certificate
When connecting to a WPA Enterprise access point, operating systems like iOS and macOS display the server certificate to the user if it has not been seen before. However, on Linux, using wpa_supplicant, this prompt does not appear. I have configured wpa_supplicant using a .conf file, but I do not get the server certificate. Is there any way to obtain the certificate when connecting to the AP on linux?
This is one of the configurations I have used:
network={
ssid="ssid"
key_mgmt=WPA-EAP
eap=PEAP
identity="your.username@example.com"
password="yourpassword"
phase1="peapver=0"
phase2="auth=MSCHAPV2"
ca_cert="/etc/ssl/certs/your_CA_cert.pem"
}
And the usage of wpa_supplicant:
sudo wpa_supplicant -i wlan0 -c /etc/tmp/network.conf -D nl80211 -dd
juvor
(149 rep)
Aug 3, 2025, 06:22 AM
0
votes
0
answers
34
views
openssl in out my box has difference results
I run `dovecot` and `Postfix` and `lets encrypt`. When I ssh into my postfix and run `openssl` to check mail such as:
openssl s_client -crlf -connect mail.pahlevanzadeh.org:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = pahlevanzadeh.org
verify return:1
---
Certificate chain
0 s:CN = pahlevanzadeh.org
i:C = US, O = Let's Encrypt, CN = E5
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Jul 3 13:19:48 2025 GMT; NotAfter: Oct 1 13:19:47 2025 GMT
1 s:C = US, O = Let's Encrypt, CN = E5
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = pahlevanzadeh.org
issuer=C = US, O = Let's Encrypt, CN = E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2410 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
[...]
Start Time: 1751891526
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
+OK MDA server ready.
It means everything is okay and ready to get `USER`, `PASS` and other verbs of the `POP3` protocol.
In machine B :
mohsen@m:~$ openssl s_client -crlf -connect mail.pahlevanzadeh.org:995
40772B28757F0000:error:8000006E:system library:BIO_connect:Connection timed out:../crypto/bio/bio_sock2.c:114:calling connect()
40772B28757F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:116:
connect:errno=110
And in machine C:
mohsen@debian:~$ openssl s_client -crlf -connect mail.pahlevanzadeh.org:995
Connecting to 54.37.192.44
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E5
verify return:1
depth=0 CN=pahlevanzadeh.org
verify return:1
---
Certificate chain
0 s:CN=pahlevanzadeh.org
i:C=US, O=Let's Encrypt, CN=E5
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Jul 3 13:19:48 2025 GMT; NotAfter: Oct 1 13:19:47 2025 GMT
1 s:C=US, O=Let's Encrypt, CN=E5
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN=pahlevanzadeh.org
issuer=C=US, O=Let's Encrypt, CN=E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 2409 bytes and written 1644 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I have 2 serious questions:
1. Why do I have 2 results on the 2 machines B and C?
2. Why can't I connect to mail.pahlevanzadeh.org from machine C completely?
PersianGulf
(11308 rep)
Jul 8, 2025, 10:33 AM
4
votes
1
answers
10275
views
Should I add certificates to /usr/share/ca-certificates?
I am trying to automate adding a certificate on an Ubuntu Server 14.04 with Puppet or a one-liner command.
I added certificates manually with these commands:
mkdir /usr/share/ca-certificates/extra
cp toto.crt /usr/share/ca-certificates/extra/toto.crt
sudo dpkg-reconfigure ca-certificates
I tried the command `update-ca-certificates`, but it didn't update my /etc/ssl/certs/ca-certificates.crt.
I also tried the command `sudo dpkg-reconfigure ca-certificates` (with and without the option `-f noninteractive`), but I can't get it to accept all my certificates automatically.
Damien Goldenberg
(43 rep)
Jun 23, 2015, 03:36 PM
• Last activity: Jul 1, 2025, 11:36 AM
1
votes
1
answers
3605
views
How to disable TLS certificate validation in lynx?
I need to access some webpage for which the TLS certificate is invalid, but `lynx` refuses to connect.
Is there an option similar to `curl -k` for `lynx`?
Here's the config file as requested:
.h1 Auxiliary Facilities
.h2 INCLUDE
.ex
.ex
.h2 STARTFILE
.ex
.h2 HELPFILE
.url http://lynx.isc.org/release/breakout/lynx_help/lynx_help_main.html
.ex
HELPFILE:file://localhost/usr/share/doc/lynx-cur/lynx_help/lynx_help_main.html.gz
.h2 DEFAULT_INDEX_FILE
DEFAULT_INDEX_FILE:http://scout.wisc.edu/
.h1 Interaction
.h2 GOTOBUFFER
.h2 JUMP_PROMPT
.h1 Auxiliary Facilities
.h2 JUMPFILE
.ex
.h2 JUMPBUFFER
.h1 Internal Behavior
.h2 SAVE_SPACE
.h2 REUSE_TEMPFILES
.h2 LYNX_HOST_NAME
.h2 LOCALHOST_ALIAS
.ex 2
.h2 LOCAL_DOMAIN
.h1 Session support
.h2 AUTO_SESSION
.h2 SESSION_FILE
.h2 SESSION_LIMIT
.h1 Character Sets
.h2 CHARACTER_SET
.nf
.fi
.url http://tools.ietf.org/html/rfc1345
CHARACTER_SET:iso-8859-1
.h2 LOCALE_CHARSET
LOCALE_CHARSET:TRUE
.h2 HTML5_CHARSETS
.h2 ASSUME_CHARSET
.h2 ASSUMED_DOC_CHARSET_CHOICE
.h2 DISPLAY_CHARSET_CHOICE
.ex
.ex 4
.h2 ASSUME_LOCAL_CHARSET
.h2 PREPEND_CHARSET_TO_SOURCE
PREPEND_CHARSET_TO_SOURCE:FALSE
.h2 NCR_IN_BOOKMARKS
.h2 FORCE_8BIT_TOUPPER
.h2 OUTGOING_MAIL_CHARSET
.h2 ASSUME_UNREC_CHARSET
.h2 PREFERRED_LANGUAGE
PREFERRED_LANGUAGE:en
.h2 PREFERRED_CHARSET
.url http://tools.ietf.org/html/rfc2068
.h2 CHARSETS_DIRECTORY
.h2 CHARSET_SWITCH_RULES
.h1 Interaction
.h2 URL_DOMAIN_PREFIXES
.h2 URL_DOMAIN_SUFFIXES
.h2 FORMS_OPTIONS
.h2 PARTIAL
.h2 PARTIAL_THRES
.h2 SHOW_KB_RATE
.h2 SHOW_KB_NAME
.url http://www.romulus2.com/articles/guides/misc/bitsbytes.shtml
.h1 Timeouts
.h2 INFOSECS
.h2 MESSAGESECS
.h2 ALERTSECS
.h2 NO_PAUSE
.h2 DEBUGSECS
.h2 REPLAYSECS
.h1 Appearance
.h2 USE_SELECT_POPUPS
.h2 SHOW_CURSOR
SHOW_CURSOR:TRUE
.h2 UNDERLINE_LINKS
.h2 BOLD_HEADERS
.h2 BOLD_H1
.h2 BOLD_NAME_ANCHORS
.h1 Internal Behavior
.h2 DEFAULT_CACHE_SIZE
.h2 DEFAULT_VIRTUAL_MEMORY_SIZE
.h2 SOURCE_CACHE
.h2 SOURCE_CACHE_FOR_ABORTED
.h2 ALWAYS_RESUBMIT_POSTS
.h2 TRIM_INPUT_FIELDS
.h1 HTML Parsing
.h2 NO_ISMAP_IF_USEMAP
.h2 SEEK_FRAG_MAP_IN_CUR
.h2 SEEK_FRAG_AREA_IN_CUR
.h1 CGI scripts
.h2 LOCAL_EXECUTION_LINKS_ALWAYS_ON
.h2 LOCAL_EXECUTION_LINKS_ON_BUT_NOT_REMOTE
LOCAL_EXECUTION_LINKS_ALWAYS_ON:FALSE
LOCAL_EXECUTION_LINKS_ON_BUT_NOT_REMOTE:FALSE
.h2 TRUSTED_EXEC
TRUSTED_EXEC:none
.h2 ALWAYS_TRUSTED_EXEC
ALWAYS_TRUSTED_EXEC:none
.h2 TRUSTED_LYNXCGI
TRUSTED_LYNXCGI:none
.h2 LYNXCGI_ENVIRONMENT
.h2 LYNXCGI_DOCUMENT_ROOT
.h1 Cookies
.h2 FORCE_SSL_COOKIES_SECURE
.h1 Internal Behavior
.h2 MAIL_SYSTEM_ERROR_LOGGING
.h2 CHECKMAIL
.h1 News-groups
.h2 NNTPSERVER
.url http://tools.ietf.org/html/rfc1738
.h2 LIST_NEWS_NUMBERS
.h2 LIST_NEWS_DATES
.h2 NEWS_CHUNK_SIZE
.h2 NEWS_MAX_CHUNK
.h2 NEWS_POSTING
.h2 LYNX_SIG_FILE
.h1 Bibliographic Protocol (bibp scheme)
.h2 BIBP_GLOBAL_SERVER
.h2 BIBP_BIBHOST
.h1 Interaction
.h2 SCROLLBAR
.h2 SCROLLBAR_ARROW
.h2 USE_MOUSE
.h1 HTML Parsing
.h2 COLLAPSE_BR_TAGS
.h2 TAGSOUP
.h1 Cookies
.h2 SET_COOKIES
.h2 ACCEPT_ALL_COOKIES
.h2 COOKIE_ACCEPT_DOMAINS
.h2 COOKIE_REJECT_DOMAINS
.h2 COOKIE_LOOSE_INVALID_DOMAINS
.h2 COOKIE_STRICT_INVALID_DOMAINS
.h2 COOKIE_QUERY_INVALID_DOMAINS
.h2 MAX_COOKIES_DOMAIN
.h2 MAX_COOKIES_GLOBAL
.h2 MAX_COOKIES_BUFFER
.h2 PERSISTENT_COOKIES
PERSISTENT_COOKIES:FALSE
.h2 COOKIE_FILE
.h2 COOKIE_SAVE_FILE
.h1 Mail-related
.h2 SYSTEM_MAIL
.h2 SYSTEM_MAIL_FLAGS
.ex 2
.ex 2
.ex 2
.ex 2
.ex 2
.url http://lynx.isc.org/lynx-2.8.1/lynx_w32.zip
.url ftp://lynx.isc.org/lynx-2.8.1/lynx_w32.zip
.url http://glob.com.au/sendmail/
.h2 MAIL_ADRS
.h2 USE_FIXED_RECORDS
.h1 Keyboard Input
.h2 VI_KEYS_ALWAYS_ON
.h2 EMACS_KEYS_ALWAYS_ON
.h2 DEFAULT_KEYPAD_MODE
.h2 NUMBER_LINKS_ON_LEFT
.h2 NUMBER_FIELDS_ON_LEFT
.h2 DEFAULT_KEYPAD_MODE_IS_NUMBERS_AS_ARROWS
.h2 CASE_SENSITIVE_ALWAYS_ON
.h1 Auxiliary Facilities
.h2 DEFAULT_BOOKMARK_FILE
.h2 MULTI_BOOKMARK_SUPPORT
.h2 BLOCK_MULTI_BOOKMARKS
.h1 Interaction
.h2 DEFAULT_USER_MODE
.h1 External Programs
.h2 DEFAULT_EDITOR
.h2 SYSTEM_EDITOR
.h3 POSITIONABLE_EDITOR
.h1 Proxy
.h2 HTTP_PROXY
.h2 HTTPS_PROXY
.h2 FTP_PROXY
.h2 GOPHER_PROXY
.h2 NEWSPOST_PROXY
.h2 NEWSREPLY_PROXY
.h2 NEWS_PROXY
.h2 NNTP_PROXY
.h2 SNEWSPOST_PROXY
.h2 SNEWSREPLY_PROXY
.h2 SNEWS_PROXY
.h2 WAIS_PROXY
.h2 FINGER_PROXY
.h2 CSO_PROXY
.ex 15
.h2 NO_PROXY
.ex
.ex
.h1 External Programs
.h2 PRINTER
.h2 DOWNLOADER
.h2 UPLOADER
.ex 3
.ex
.ex
.ex
.ex
.ex
.ex
.ex
.ex 2
.ex
.h1 Interaction
.h2 NO_DOT_FILES
NO_DOT_FILES:FALSE
.h1 Internal Behavior
.h2 NO_FROM_HEADER
.h2 NO_REFERER_HEADER
.h1 Internal Behavior
.h2 NO_FILE_REFERER
.h2 REFERER_WITH_QUERY
.h1 Appearance
.h2 VERBOSE_IMAGES
.h2 MAKE_LINKS_FOR_ALL_IMAGES
.h2 MAKE_PSEUDO_ALTS_FOR_INLINES
.h2 SUBSTITUTE_UNDERSCORES
.h1 Interaction
.h2 QUIT_DEFAULT_YES
.h1 HTML Parsing
.h2 HISTORICAL_COMMENTS
.h2 MINIMAL_COMMENTS
MINIMAL_COMMENTS:TRUE
.h2 SOFT_DQUOTES
.h2 STRIP_DOTDOT_URLS
.h1 Appearance
.h2 ENABLE_SCROLLBACK
.h2 SCAN_FOR_BURIED_NEWS_REFS
.h2 PREPEND_BASE_TO_SOURCE
.h1 External Programs
.h2 GLOBAL_EXTENSION_MAP
.h2 PERSONAL_EXTENSION_MAP
GLOBAL_EXTENSION_MAP:/etc/mime.types
PERSONAL_EXTENSION_MAP:.mime.types
.h2 SUFFIX_ORDER
.h2 SUFFIX
.ex
.ex
.ex
.ex
.ex 29
SUFFIX:.tgz:application/octet-stream
SUFFIX:.deb:application/octet-stream
.h2 XLOADIMAGE_COMMAND
.h2 VIEWER
.ex 7
.h2 GLOBAL_MAILCAP
.h2 PERSONAL_MAILCAP
.url http://tools.ietf.org/html/rfc1524
GLOBAL_MAILCAP:/etc/mailcap
PERSONAL_MAILCAP:.mailcap
.h2 PREFERRED_MEDIA_TYPES
.h2 PREFERRED_ENCODING
.h1 Keyboard Input
.h2 KEYBOARD_LAYOUT
.h2 KEYMAP
.nf
.fi
.nf
.fi
.nf
.fi
.nf
.fi
.nf
.fi
.nf
.fi
.nf
.fi
.h1 External Programs
.h2 CSWING_PATH
.h1 Internal Behavior
.h2 AUTO_UNCACHE_DIRLISTS
.h1 Appearance
.h2 LIST_FORMAT
.nf
.fi
.ex
.ex
.ex
.h1 External Programs
.h2 DIRED_MENU
.nf
.fi
.h1 Internal Behavior
.h2 NONRESTARTING_SIGWINCH
.h2 NO_FORCED_CORE_DUMP
.h1 Appearance
.h2 COLOR
.nf
.fi
COLOR:6:brightred:black
.h2 COLOR_STYLE
.h2 NESTED_TABLES
.h2 ASSUMED_COLOR
.h2 DEFAULT_COLORS
.h1 External Programs
.h2 EXTERNAL
.h2 EXTERNAL_MENU
.ex 1
.h1 Internal Behavior
.h2 RULE
.h2 RULESFILE
.ex 5
.h1 Appearance
.h2 PRETTYSRC
.h2 PRETTYSRC_SPEC
.nf
.fi
.ex
.ex
.ex
.h2 HTMLSRC_ATTRNAME_XFORM
.h2 HTMLSRC_TAGNAME_XFORM
.h2 PRETTYSRC_VIEW_NO_ANCHOR_NUMBERING
.h1 HTML Parsing
.h2 FORCE_EMPTY_HREFLESS_A
.h2 HIDDEN_LINK_MARKER
.h2 XHTML_PARSING
.h1 Appearance
.h2 JUSTIFY
.h2 JUSTIFY_MAX_VOID_PERCENT
.h1 Interaction
.h2 TEXTFIELDS_NEED_ACTIVATION
.h2 LEFTARROW_IN_TEXTFIELD_PROMPT
.h1 Timeouts
.h2 CONNECT_TIMEOUT
.h2 READ_TIMEOUT
.h1 Internal Behavior
.h2 FTP_PASSIVE
.h2 ENABLE_LYNXRC
.nf
.fi
.h1 External Programs
.h2 BZIP2_PATH
.h2 CHMOD_PATH
.h2 COMPRESS_PATH
.h2 COPY_PATH
.h2 GZIP_PATH
.h2 INFLATE_PATH
.h2 INSTALL_PATH
.h2 MKDIR_PATH
.h2 MV_PATH
.h2 RLOGIN_PATH
.h2 RMDIR_PATH
.h2 RM_PATH
.h2 SETFONT_PATH
.h2 TAR_PATH
.h2 TELNET_PATH
.h2 TN3270_PATH
.h2 TOUCH_PATH
.h2 UNCOMPRESS_PATH
.h2 UNZIP_PATH
.h2 UUDECODE_PATH
.h2 ZCAT_PATH
.h2 ZIP_PATH
.h1 Interaction
.h2 FORCE_SSL_PROMPT
.h2 FORCE_COOKIE_PROMPT
.h2 SSL_CERT_FILE
SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
.h1 Appearance
.h2 SCREEN_SIZE
.h2 NO_MARGINS
.h2 NO_TITLE
.h1 External Programs
.h2 SYSLOG_REQUESTED_URLS
SYSLOG_REQUESTED_URLS:FALSE
.h2 SYSLOG_TEXT
.h1 Internal Behavior
.h2 BROKEN_FTP_RETR
.h2 BROKEN_FTP_EPSV
.h1 Appearance
.h2 FTP_FORMAT
.h1 Internal Behavior
.h2 STATUS_BUFFER_SIZE
.h2 MAX_URI_SIZE
.h1 Appearance
.h2 UNIQUE_URLS
.h1 Character Sets
.h2 MESSAGE_LANGUAGE
.h2 CONV_JISX0201KANA
.h1 External Programs
.h2 WAIT_VIEWER_TERMINATION
.h1 Mail-related
.h2 BLAT_MAIL
.url http://www.blat.net
.h2 ALT_BLAT_MAIL
.url http://www.piedey.co.jp/blatj/
.h1 Internal Behavior
.h2 TRACK_INTERNAL_LINKS
EXTERNAL:ftp:w3m %s:TRUE
EXTERNAL:file:w3m %s:TRUE
EXTERNAL:http:w3m %s:TRUE
EXTERNAL:http:wget %s:TRUE
EXTERNAL:http:wget -r %s:TRUE
EXTERNAL:ftp:x-www-browser %s:TRUE
EXTERNAL:file:x-www-browser %s:TRUE
EXTERNAL:http:x-www-browser %s:TRUE
INCLUDE:/etc/lynx-cur/local.cfg
INCLUDE:~/.lynx/colors:COLOR
INCLUDE:~/.lynx/keymap:KEYMAP
INCLUDE:~/.lynx/viewers:VIEWER
INCLUDE:~/.lynx/external:EXTERNAL
Complete file (with comments) can be found [here](https://clbin.com/hxB4N)
ychaouche
(1033 rep)
Jan 24, 2023, 11:21 AM
• Last activity: Jun 30, 2025, 11:05 AM
0
votes
1
answers
4216
views
Problems in creating certificate with SHA256 / SHA512
I want to generate a self-signed certificate with SHA256 or SHA512, but I have problems with it. I have created a script, which should do this automatically:
#!/bin/bash
set -e
echo "WORKSPACE: $WORKSPACE"
SSL_DIR=$(pwd)/httpd_ssl_certs
OPENSSL_CNF=$(pwd)/openssl.cnf
if [ -d "$SSL_DIR" ]; then
    rm -rvf "$SSL_DIR"
fi
mkdir -vp "$SSL_DIR"
pushd "$SSL_DIR"
# check if openssl.cnf exists
if [ ! -f "$OPENSSL_CNF" ]; then
    echo "Could not find $OPENSSL_CNF. Build will be exited."
    exit 1
fi
echo " - create private key"
openssl genrsa -out server.key.template 2048
echo " - create signing request"
openssl req -nodes -new -sha256 -config $OPENSSL_CNF -key server.key.template -out server.csr.template
echo " - create certificate"
openssl x509 -req -in server.csr.template -signkey server.key.template -out server.crt.template -extfile $OPENSSL_CNF
And I have an `openssl.cnf` file with configuration for it:
[ ca ]
default_ca = CA_default
[ CA_default ]
# how long to certify
default_days = 365
# how long before next CRL
default_crl_days = 30
# use public key default MD
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = server.key.template
distinguished_name = req_distinguished_name
prompt = no
encrypt_key = no
# add default_md to [ req ] for creating certificates with SHA256
default_md = sha256
[ req_distinguished_name ]
countryName = "AB"
stateOrProvinceName = "CD"
localityName = "Some town"
organizationName = "XXX Y"
organizationalUnitName = "XXX Y"
commonName = "localhost"
emailAddress = "somemail@some.org"
When I run the script with this openssl.cnf, I get a certificate, but this certificate is always encrypted with SHA1. I checked it with this command: `openssl x509 -in server.crt.template -text -noout | grep 'Signature'`. I always get this output:
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
Can someone give me a hint, what's false there?
devopsfun
(1447 rep)
Oct 17, 2016, 12:17 PM
• Last activity: Jun 21, 2025, 03:01 AM
2
votes
1
answers
3652
views
MAC: Import .p12 certificate into the keychain via command line
I'm trying to import .p12 certificate into the keychain on my mac via bash script. So far, I've been trying:
1. `sudo security import` command. It returns that import was successful but, in fact, it never gets imported into any keychain.
2. `sudo security add-certificates -k /Library/Keychains/System.keychain certificate.p12` it throws the following error:
Password: SecCertificateCreateFromData: Unknown format in import.
The only thing that worked for me was the .cer format via this command: `sudo security add-certificates -k /Library/Keychains/System.keychain certificate.cer`. It does import the certificate into the keychain and I can see it in the keychain access.
But I only have .p12 certificates. Could anyone help me with that one, please?
ArtemNovikov
(121 rep)
Sep 17, 2022, 04:20 PM
• Last activity: Jun 2, 2025, 06:07 PM
0
votes
1
answers
3434
views
how to connect to wpa2/peap/mschapv2 w/no ca certificate without wpa_supplicant
i have followed posts on Network Manager looping to connect to enterprise networks and coming back again and again asking for logon/password. the answer seems to be to use wpa_supplicant.
i did a log file extract to confirm the process and got ...supplicant interface state: disconnected -> interface_disabled...
there is a directory at /etc/wpa_supplicant, but there is no wpa_supplicant config file. the only files listed are action_wpa.sh functions.sh ifupdown.sh i guess that there are a few things i need to do?
some perspective here: i am just trying to learn python, using an excellent on-line course from 'degreed' at work and doing the exercises on an old 32bit laptop running mx-linux and a compatible 32bit version of PyCharm Community Edition. my knowledge of network stuff can't fill the bottom of a thimble. so feel free to assume i haven't found the beginning of the string on this issue with logging in.
any suggestions at starting points would be appreciated.
thanks, ron
ron@9-LPTOP:~
$ sudo journalctl -fu NetworkManager
[sudo] password for ron:
-- Journal begins at Tue 2023-01-24 14:43:06 EST. --
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.0956] device (wlan0): supplicant interface state: disconnected -> interface_disabled
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.0957] modem-manager: ModemManager no longer available
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.1027] device (wlan0): supplicant interface state: interface_disabled -> disconnected
Jan 24 14:55:54 9-LPTOP systemd: Stopping Network Manager...
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.5312] caught SIGTERM, shutting down normally.
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.5338] device (wlan0): state change: disconnected -> unmanaged (reason 'unmanaged', sys-iface-state: 'managed')
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.5468] device (wlan0): set-hw-addr: reset MAC address to 00:19:D2:05:A7:9D (unmanage)
Jan 24 14:55:54 9-LPTOP NetworkManager: [1674590154.6549] exiting (success)
Jan 24 14:55:54 9-LPTOP systemd: NetworkManager.service: Succeeded.
Jan 24 14:55:54 9-LPTOP systemd: Stopped Network Manager.
rny1so
(1 rep)
Aug 18, 2023, 07:29 PM
• Last activity: May 28, 2025, 10:09 AM
5
votes
4
answers
13131
views
Void linux XBPS broke: certificate verification failed
I installed my first distro: Void Linux, the version without any desktop environment. I got my wifi to work and the package manager (xbps) worked fine; I installed things like htop, i3, etc without problem. I booted my PC today and wanted to install git.
sudo xbps-install -S git
The same holds for any install command, such as:
sudo xbps-install -Su
I have the same problem in root or as a normal user.
It says:
Updating (some url) ...
Certificate verification failed for (some other url)
SSL_connect returned 1
ERROR: failed to fetch file (url of first line): Operation not permitted.
I did not change anything since yesterday, when it worked fine.
I only found this on google:
https://github.com/voidlinux/void-packages/issues/14465
https://github.com/voidlinux/xbps/issues/224
For the first link, I do not have xtools and I do not have this file:
/var/cache/xbps/ca-certificates-20170717_2.noarch.xbps
so I cannot copy it.
For the second link:
sudo update-ca-certificates
did not fix anything. It says:
0 added, 0 removed; Done.
I tried using another repo mirror but it doesn't seem to recognise those.
I use https://alpha.de.repo.voidlinux.org/current
I don't know what to do from this point.
ocdy1001
(53 rep)
Jan 1, 2019, 02:49 PM
• Last activity: May 26, 2025, 04:15 AM
0
votes
1
answers
4369
views
No valid OpenPGP data found - Elasticsearch wget
I am trying to install elasticsearch on Ubuntu 20.04, but I am getting the following error:
```
home@VirtualBox$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
gpg: no valid OpenPGP data found.
```
I also tried the following with no luck:
```
VirtualBox:~$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch -O mykey
VirtualBox:~$ sudo apt-key add <<< mykey
[sudo] password for VirtualBox:
gpg: no valid OpenPGP data found.
```
I already updated Ubuntu packages:
```
sudo apt-get update
```
How could I solve this issue?
Thanks in advance
John Barton
(101 rep)
Jan 31, 2021, 06:43 AM
• Last activity: May 10, 2025, 08:02 PM
3
votes
2
answers
3526
views
How to configure device to trust root certificate when using a SOCKS5 proxy?
I am routing a Linux machine through a SOCKS5 proxy. The internet works as expected and I am presented with the proxy's IP when viewing http://whatismyip.com .
However, some sites are reporting that I am experiencing a MITM attack:
> Software is Preventing Firefox From Safely Connecting to This Site
>
> www.mozilla.org is most likely a safe site, but a secure connection
> could not be established. This issue is caused by DigiCert Global Root
> CA, which is either software on your computer or your network.
>
> What can you do about it?
>
> www.mozilla.org has a security policy called HTTP Strict Transport
> Security (HSTS), which means that Firefox can only connect to it
> securely. You can’t add an exception to visit this site.
>
> If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can
> disable that feature. If that doesn’t work, you can remove and
> reinstall the antivirus software.
> * If you are on a corporate network, you can contact your IT department.
> * If you are not familiar with DigiCert Global Root CA, then this could be an attack, and there is nothing you can do to access the
> site.
https://www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=support.mozilla.org
Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
HTTP Strict Transport Security: true
HTTP Public Key Pinning: false
Certificate chain:
How do I alleviate this error so that I can access these sites? Do I need to accept some certificate on my local machine or on the proxy?
Zhro
(2831 rep)
Oct 29, 2019, 04:18 PM
• Last activity: May 4, 2025, 10:08 PM
14
votes
5
answers
81389
views
Can't connect to remote server using RDP remmina after upgrade
I recently upgraded my Ubuntu to 18.04, and now my Remmina cannot connect to a windows server we use at work. Now I am getting a popup about certificates. It asks if I want to accept the certificate, I click OK and then get a message saying unable to connect. I am getting this error on the command line:
```
[14:49:19:412] [7223:7537] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[14:49:19:412] [7223:7537] [INFO][com.freerdp.client.common.cmdline] - loading channelEx drdynvc
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - The hostname used for this connection (xxxxx:3389)
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - Common Name (CN):
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - EC2AMAZ-FM25IO2
[14:49:19:909] [7223:7537] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
[14:50:38:624] [7223:7537] [ERROR][com.freerdp.crypto] - certificate not trusted, aborting.
[14:50:38:624] [7223:7537] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
[14:50:38:624] [7223:7537] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure
0002000B 00000003
```
Now this is an internal vpn server so I don't care at all about certificates. Is there a way to add this certificate to a list that it's ok? How do I get around this? And as an aside, this was working before the upgrade just fine. I don't know why it cares now?
mmaceachran
(261 rep)
May 23, 2018, 06:58 PM
• Last activity: Apr 22, 2025, 12:48 AM
0
votes
0
answers
164
views
RHEL 9 VM Exported from Internal Network Cannot Verify SSL Certificates for Updates
## RHEL 9 VM Exported from Internal Network Cannot Verify SSL Certificates for Updates
I'm running into a major issue with a Red Hat Enterprise Linux 9 VM that was originally exported from my company's internal infrastructure. I'm now using this VM on a standard public internet connection, and I'm unable to perform basic operations like `dnf update` due to SSL certificate verification errors.
---
### **Problem**
Running `dnf update` results in the following:
```
Updating Subscription Management repositories.
This system is registered with an entitlement server, but is not receiving updates.
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms':
- Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml
[error setting certificate file: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem]
Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms':
Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?)
```
Trying to run `subscription-manager identity` shows:
```
Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1147)
```
---
### **What I’ve Tried**
1. **Checked System Time**
   - Verified with `date` and `timedatectl`. Time *seems* off, which may be contributing to the SSL issue.
   - Tried enabling NTP with:
     ```
     systemctl enable chronyd --now
     ```
     But it fails, saying:
     ```
     Failed to enable unit: Unit file chronyd.service does not exist.
     ```
   - I cannot install `chrony` because `dnf` is broken due to the SSL certificate issue.
2. **Checked CA Certificate Files**
   - Ran:
     ```
     find /etc/pki -type f \( -name "*.crt" -o -name "*.cert" \)
     ```
     **No certificate files were found.**
3. **Compared to Fresh RHEL 9 Install**
   - A clean RHEL 9 VM (registered with the same Red Hat account) works fine and has many cert files in `/etc/pki/ca-trust/`.
4. **Reinstall CA Certificates**
   - Ran:
     ```
     sudo dnf reinstall ca-certificates
     sudo update-ca-trust extract
     ```
     But no certs appeared, and the issue remains.
5. **Checked Proxy Config**
   - No proxies in `/etc/environment`, `/etc/profile`, shell dotfiles, or `subscription-manager`:
     ```
     subscription-manager config --remove=server.proxy_hostname
     subscription-manager config --remove=server.proxy_port
     ```
---
### **Context**
This VM was managed internally and likely used internal CAs or custom proxy settings. Now that it’s on a public network, it appears unable to verify standard SSL certificates, and it’s missing all cert files in `/etc/pki`.
---
### **Question**
What could explain the complete absence of certificate files in `/etc/pki`, and how can I restore them without access to `dnf` or a working package manager?
Is there a manual way to recover basic system certificates or sync time so that SSL works again? Or is this VM likely too locked into internal infrastructure to be recovered for public use?
Any help would be greatly appreciated! (I really need to fix this issue they blame me)
Xoryy
(1 rep)
Apr 18, 2025, 07:15 PM
• Last activity: Apr 19, 2025, 08:29 AM
0
votes
1
answers
6323
views
Failed to start The Apache HTTP Server
I'm having a problem with an SSL Certificate.
I was using a Let's Encrypt certificate and everything was fine.
I'm trying to switch to a certificate issued from DigiCert, and can't seem to get it working again. Httpd will not start.
Would appreciate any feedback, observations, questions etc to point me in the right direction.
```
#systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
```
```
$journalctl -xeu httpd.service
Jun 14 16:30:01 www systemd: Starting The Apache HTTP Server...
░░ Subject: A start job for unit httpd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit httpd.service has begun execution.
░░
░░ The job identifier is 35150873.
Jun 14 16:30:01 www systemd: httpd.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ An ExecStart= process belonging to unit httpd.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 14 16:30:01 www systemd: httpd.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit httpd.service has entered the 'failed' state with result 'exit-code'.
Jun 14 16:30:01 www systemd: Failed to start The Apache HTTP Server.
░░ Subject: A start job for unit httpd.service has failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit httpd.service has finished with a failure.
░░
░░ The job identifier is 35150873 and the job result is failed.
```
```
$systemctl status httpd.service
× httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: failed (Result: exit-code) since Wed 2023-06-14 16:10:08 EDT; 6s ago
Duration: 23h 48min 30.301s
Docs: man:httpd.service(8)
Process: 3216240 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 3216240 (code=exited, status=1/FAILURE)
Status: "Reading configuration..."
CPU: 39ms
Jun 14 16:10:08 www systemd: Starting The Apache HTTP Server...
Jun 14 16:10:08 www systemd: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jun 14 16:10:08 www systemd: httpd.service: Failed with result 'exit-code'.
Jun 14 16:10:08 www systemd: Failed to start The Apache HTTP Server.
```
Contents of ssl.conf below:
443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerName www:443
Contents of mydomain.conf below:
ServerAdmin admin@mydomain.com
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot /var/www/html/mydomain.com
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
ErrorLog "logs/error_log_mydomain.com"
CustomLog "logs/access_log_mydomain.com" combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =prod.mydomain.com [OR]
RewriteCond %{SERVER_NAME} =mydomain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot /var/www/html/mydomain.com
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/prod.mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/prod.mydomain.com.key
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt
```
$http -t
Syntax OK
```
```
$cat /var/log/httpd/error_log
[Wed Jun 14 12:36:20.378579 2023] [core:notice] [pid 3210863:tid 3210863] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Jun 14 12:36:20.379481 2023] [suexec:notice] [pid 3210863:tid 3210863] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 14 12:36:20.381647 2023] [ssl:emerg] [pid 3210863:tid 3210863] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information
AH00016: Configuration Failed
```
```
#cat /var/log/httpd/ssl_error_log
[Wed Jun 14 16:30:01.562719 2023] [core:notice] [pid 3216760:tid 3216760] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Jun 14 16:30:01.563467 2023] [suexec:notice] [pid 3216760:tid 3216760] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 14 16:30:01.565223 2023] [ssl:emerg] [pid 3216760:tid 3216760] AH02572: Failed to configure at least one certificate and key for www:443
[Wed Jun 14 16:30:01.565244 2023] [ssl:emerg] [pid 3216760:tid 3216760] SSL Library Error: error:0A0000B1:SSL routines::no certificate assigned
[Wed Jun 14 16:30:01.565249 2023] [ssl:emerg] [pid 3216760:tid 3216760] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
```
TexasTim
(23 rep)
Jun 14, 2023, 08:49 PM
• Last activity: Apr 14, 2025, 06:04 PM
-1
votes
1
answers
83
views
How to setup certificate for duckdns
Running
```
user@nextcloudpi:/$ sudo certbot -d downwind.duckdns.org --manual --preferred-challenges dns certonly~
```
returned:
```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.downwind.duckdns.org with the following value:
to8BGF9LfNEOTdZkJAMUYoEd0rROw8Zwa6dumWVBIvA
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Because I am trying to setup cert for DuckDNS, I tried [this](https://www.duckdns.org/update?domains=downwind.duckdns.org&token=MyDuckdnsToken&txt=to8BGF9LfNEOTdZkJAMUYoEd0rROw8Zwa6dumWVBIvA) .
I'd like to verify that the certificate is operational. Is there a command line test that can be remotely performed?
UPDATE
===
SSL Checker returns:
Does the result indicate a successful certificate install?
gatorback
(1522 rep)
Apr 8, 2025, 05:39 AM
• Last activity: Apr 9, 2025, 01:49 PM
3
votes
1
answers
185
views
openssl - problem using an intermediate CA
I am trying to understand how to sign stuff using an intermediate CA certificate. I have developed a rather simple example (using https://gist.github.com/jadbaz/9350f4df4e4ef4c5d256889aa3d5a5ed as the basis, though I removed the configuration file and adjusted some of the commands accordingly)... I would expect the final certificate to be verifiable using either of the 2 CAs that I create during the execution, but verification fails.... what am I missing:
```
# root ca
openssl genrsa -out rootca.key 4096
openssl req -sha256 -new -x509 -days 3650 -key rootca.key -out rootca.crt -subj /CN=rootca
# intermediate ca
openssl genrsa -out interca1.key 4096
openssl req -sha256 -new -key interca1.key -out interca1.csr -subj /CN=intermediateca -addext "basicConstraints=critical,CA:true" -addext "keyUsage=critical,keyCertSign,cRLSign"
openssl x509 -copy_extensions copyall -req -days 365 -in interca1.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -out interca1.crt
# verify chain so far
openssl verify -CAfile rootca.crt rootca.crt interca1.crt # both certificates are ok
# generating an example certificate
openssl genrsa -out example1.key 2048
openssl req -new -sha256 -key example1.key -out example1.csr -subj /CN=example1
openssl x509 -copy_extensions copyall -req -days 365 -in example1.csr -CA interca1.crt -CAkey interca1.key -CAcreateserial -out example1.crt
# verify results
openssl verify -CAfile rootca.crt rootca.crt interca1.crt example1.crt
openssl verify -CAfile interca1.crt interca1.crt example1.crt
```
Here's the output of the last verify runs:
```
# openssl verify -CAfile rootca.crt rootca.crt interca1.crt example1.crt
rootca.crt: OK
interca1.crt: OK
CN=example1
error 20 at 0 depth lookup: unable to get local issuer certificate
error example1.crt: verification failed
# openssl verify -CAfile interca1.crt interca1.crt example1.crt
CN=intermediateca
error 20 at 0 depth lookup: unable to get local issuer certificate
error interca1.crt: verification failed
CN=intermediateca
error 2 at 1 depth lookup: unable to get issuer certificate
error example1.crt: verification failed
```
What am I missing?
Also, why can't `interca1` verify itself the same way that `rootca` did?
I am using openssl 3.2.2.
# Update
It is not explained in the accepted answer but let me add a command that should work in case you want to try:
```
$ openssl verify -CAfile <( cat rootca.crt interca1.crt ) rootca.crt interca1.crt example1.crt
rootca.crt: OK
interca1.crt: OK
example1.crt: OK
```
eftshift0
(707 rep)
Feb 26, 2025, 06:02 PM
• Last activity: Mar 20, 2025, 10:54 AM
99
votes
6
answers
394648
views
How to extract the Root CA and Subordinate CA from a certificate chain in Linux?
I have an end-entity/server certificate which has an intermediate and root certificate. When I `cat` on the end-entity certificate, I see only a single `BEGIN` and `END` tag. It is only the end-entity certificate.
Is there any way I can view the intermediate and root certificate content. I need only the content of `BEGIN` and `END` tag.
In Windows I can see the full cert chain from the "Certification Path". Below is the example for the Stack Exchange's certificate.
From there I can perform a *View Certificate* and export them. I can do that for both root and intermediate in Windows. I am looking for this same method in Linux.
Anirban Nag 'tintinmj'
(1195 rep)
May 30, 2017, 02:21 PM
• Last activity: Feb 27, 2025, 05:03 PM
45
votes
3
answers
126865
views
Is it possible to have APT accept an "invalid" certificate?
I had discovered something funny today. So, I have Kali Linux and I am trying to fully update the system using the repo http://http.kali.org/kali . All is good and well until I get 403 denied for backdoor-factory and mimikatz. At first I thought it was a server configuration error and so ignored it, but then I got curious and decided to pop the URLs into Firefox. Sure enough, my university blocks these specific URLs, but not anything else in the repo.
I decided to check out if I could load the URLs in https (yes, I knew it was a long shot as most (afaik) APT servers don't even support https at all) and found out it does work, but only when accepting the certificate for archive-8.kali.org. (yes, I know invalid certs aren't good, but I figured if it is using GPG to check the validity and it uses http with no encryption anyway, then why not).
Also, I know I can just use https://archive-8.kali.org/kali in place of the old url and have done so, but the reason I asked about accepting invalid certs is for if this solution of just switching domains is impossible.
Alexis Evelyn
(666 rep)
Oct 20, 2016, 01:22 PM
• Last activity: Feb 11, 2025, 07:01 AM
1
votes
1
answers
1703
views
SSH - Key signing of ED25519 style keys does not work
Trying to set up a SSH Cert Authority so I can centralize new key setup rather than modifying the `authorized keys` on each of my machines. I found something really odd - the keys that I develop work only if the user keys are RSA style keys and will fail with ED25519 style keys. I tested and the failure happens depending on the user key type, so RSA user keys can be signed by both RSA and ED25519 style CA keys but then surprisingly a ED25519 key CA can sign RSA keys which work but when the same CA is used to sign ED25519 keys, the resulting key will not work.
```
ssh-keygen -t ed25519 -f userkey
ssh-keygen -s my-ssh-ca-private-key -I some-identifier userkey.pub
cat userkey userkey-cert.pub > key_with_cert
```
When I take the `key_with_cert` file to the new computer; it works if and only if I remove the "*-t ed25519*". The output from `ssh -vv -i key_with_cert user@example.com`:
RSA style key that works
https://f000.backblazeb2.com/file/backblaze-b2-public/debug_output_rsa
ED25519 style key using "*-t ed25519*" that fails
https://f000.backblazeb2.com/file/backblaze-b2-public/debug_output_ed25519
Any ideas on why the key type is causing a problem? ED25519 has been around for a while so I expect similar handling between RSA and ECC keys.
Kelly Trinh
(331 rep)
Jun 10, 2020, 02:44 PM
• Last activity: Jan 31, 2025, 01:28 AM
0
votes
0
answers
130
views
Which command can I use to install a certificate to certificate store?
I want to install a client certificate to the Ubuntu's certificate store, so that the user can login using the client certificate from browser (rather than with a username and password).
I am writing a bash script for the same. Which command can I use to do that?
I am aware that Firefox handles the certificates differently and I need commands / automated way to handle that also.
Anish Sheela
Jan 24, 2025, 11:17 AM
• Last activity: Jan 25, 2025, 03:55 PM