markk
(Marco Spina)
March 24, 2022, 11:41pm
#21
[marco@t420-tovis ~]$> ls -l /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-r--r--r--. 1 root root 221037 20 mar 23.21 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
…nothing…
[marco@t420-tovis ~]$> rpm -Va \*curl\*
[marco@t420-tovis ~]$>
Done (with chattr instead of chmod); let’s see…
[marco@t420-tovis ~]$> sudo chattr +i /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[sudo] password for marco:
[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$> lsattr /etc/pki/ca-trust/extracted/pem/
----i---------e------- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
--------------e------- /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
--------------e------- /etc/pki/ca-trust/extracted/pem/README
--------------e------- /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
--------------e------- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.sav
[marco@t420-tovis ~]$>
ankursinha
(Ankur Sinha)
March 25, 2022, 6:17am
#22
markk:
…nothing…
OK, and what about the ca-certificates package which includes these files:
$ rpm -qf /etc/pki/ca-trust/
ca-certificates-2021.2.52-3.fc36.noarch
$ rpm -Va \*ca-certificates\*
We’re just trying to see if these files are different from what the Fedora package provides given that you’ve noted that they’ve been changed/corrupted. If they are, we need to see what is modifying them.
markk
(Marco Spina)
March 25, 2022, 7:15am
#23
Here you go:
[marco@t420-tovis ~]$> rpm -qf /etc/pki/ca-trust/
ca-certificates-2021.2.52-1.0.fc35.noarch
[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$> rpm -Va \*ca-certificates\*
[marco@t420-tovis ~]$>
ankursinha
(Ankur Sinha)
March 25, 2022, 8:33am
#24
In that case, these files are as they should be, at least at this point in time, but I guess that is expected if you’ve fixed your issue recently. It’ll be good to run these checks again when you think they’ve been changed so we can try to figure out what’s changing them.
Other checks:
that this package is from the Fedora repos and that no third party repo is providing it and thus overwriting files on an update:
sudo dnf list \*ca-certificates\*
Installed Packages
ca-certificates.noarch 2021.2.52-3.fc36 @fedora
It should only return a package from Fedora for you too.
that there isn’t another package (not ca-certificates) that is also providing these files. On my F36 where I’m not seeing these issues, these are the only packages that touch the files in the folder:
$ sudo dnf whatprovides '/etc/pki/ca-trust/*'
ca-certificates-2021.2.52-3.fc36.noarch : The Mozilla CA root certificate bundle
Repo : @System
Matched from:
Filename : /etc/pki/ca-trust/README
Filename : /etc/pki/ca-trust/ca-legacy.conf
Filename : /etc/pki/ca-trust/extracted
Filename : /etc/pki/ca-trust/extracted/README
Filename : /etc/pki/ca-trust/extracted/edk2/README
Filename : /etc/pki/ca-trust/extracted/edk2/cacerts.bin
Filename : /etc/pki/ca-trust/extracted/java
Filename : /etc/pki/ca-trust/extracted/java/README
Filename : /etc/pki/ca-trust/extracted/java/cacerts
Filename : /etc/pki/ca-trust/extracted/openssl
Filename : /etc/pki/ca-trust/extracted/openssl/README
Filename : /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Filename : /etc/pki/ca-trust/extracted/pem
Filename : /etc/pki/ca-trust/extracted/pem/README
Filename : /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Filename : /etc/pki/ca-trust/source
Filename : /etc/pki/ca-trust/source/README
Filename : /etc/pki/ca-trust/source/anchors
Filename : /etc/pki/ca-trust/source/blacklist
Filename : /etc/pki/ca-trust/source/blocklist
Filename : /etc/pki/ca-trust/source/ca-bundle.legacy.crt
ca-certificates-2021.2.52-3.fc36.noarch : The Mozilla CA root certificate bundle
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/README
Filename : /etc/pki/ca-trust/ca-legacy.conf
Filename : /etc/pki/ca-trust/extracted
Filename : /etc/pki/ca-trust/extracted/README
Filename : /etc/pki/ca-trust/extracted/edk2/README
Filename : /etc/pki/ca-trust/extracted/edk2/cacerts.bin
Filename : /etc/pki/ca-trust/extracted/java
Filename : /etc/pki/ca-trust/extracted/java/README
Filename : /etc/pki/ca-trust/extracted/java/cacerts
Filename : /etc/pki/ca-trust/extracted/openssl
Filename : /etc/pki/ca-trust/extracted/openssl/README
Filename : /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Filename : /etc/pki/ca-trust/extracted/pem
Filename : /etc/pki/ca-trust/extracted/pem/README
Filename : /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Filename : /etc/pki/ca-trust/source
Filename : /etc/pki/ca-trust/source/README
Filename : /etc/pki/ca-trust/source/anchors
Filename : /etc/pki/ca-trust/source/blacklist
Filename : /etc/pki/ca-trust/source/blocklist
Filename : /etc/pki/ca-trust/source/ca-bundle.legacy.crt
freeipa-client-common-4.9.8-3.fc36.noarch : Common files used by IPA client
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/source/ipa.p11-kit
tog-pegasus-2:2.14.1-65.fc36.x86_64 : OpenPegasus WBEM Services for Linux
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
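Added example, not part of any post in this thread: a shell filter for the dnf whatprovides check above that lists paths owned by packages other than ca-certificates and flags any that fall under extracted/, where tls-ca-bundle.pem lives. The sample output is constructed from the format shown in the thread; the package example-vendor-certs and the repo example-thirdparty are hypothetical.

```shell
# Added example: filter `dnf whatprovides '/etc/pki/ca-trust/*'` output.
# Print "package<TAB>repo<TAB>path" for each path owned by a package other than ca-certificates.
foreign_providers() {
    awk '
        /^(Last metadata|Matched from|Provide)/ || /^[ \t]*$/ { next }
        /^Repo +: /     { sub(/^Repo +: */, ""); repo = $0; next }
        /^Filename +: / {
            sub(/^Filename +: */, "")
            if (pkg !~ /^ca-certificates-[0-9]/) print pkg "\t" repo "\t" $0
            next
        }
        / : /           { pkg = $1; repo = "?" }   # "name-ver-rel.arch : summary"
    '
}

# Exit 0 and print the rows if a foreign package owns anything under extracted/.
foreign_in_extracted() {
    foreign_providers | awk -F '\t' '
        $3 ~ /^\/etc\/pki\/ca-trust\/extracted(\/|$)/ { print; n++ }
        END { exit (n ? 0 : 1) }'
}

# Constructed sample, abridged from the output format shown in the thread.
sample_whatprovides() {
    cat <<'EOF'
Last metadata expiration check: 1:02:34 ago on ven 25 mar 2022, 09:57:28.
ca-certificates-2021.2.52-1.0.fc35.noarch : The Mozilla CA root certificate bundle
Repo : @System
Matched from:
Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
freeipa-client-common-4.9.8-1.fc35.noarch : Common files used by IPA client
Repo : updates
Matched from:
Filename : /etc/pki/ca-trust/source/ipa.p11-kit
tog-pegasus-2:2.14.1-61.fc35.x86_64 : OpenPegasus WBEM Services for Linux
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
EOF
}

# Constructed conflict: a hypothetical third-party package owning the bundle.
sample_conflict() {
    sample_whatprovides
    printf '%s\n' 'example-vendor-certs-1.0-1.fc35.noarch : Hypothetical package' \
        'Repo : example-thirdparty' 'Matched from:' \
        'Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'
}
sample_conflict | foreign_in_extracted || echo "only ca-certificates owns extracted/"
```

On a live system, pipe the real command into it: sudo dnf whatprovides '/etc/pki/ca-trust/*' | foreign_in_extracted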
markk
(Marco Spina)
March 25, 2022, 10:21am
#25
OK; so I guess the “immutable” flag must be removed (see @kpfleming posts).
These are the check results:
[marco@t420-tovis ~]$> sudo dnf list \*ca-certificates\*
Last metadata expiration check: 1:05:34 ago on ven 25 mar 2022, 09:57:28.
Installed Packages
ca-certificates.noarch 2021.2.52-1.0.fc35 @updates
[marco@t420-tovis ~]$> sudo dnf whatprovides '/etc/pki/ca-trust/*'
[sudo] password for marco:
Last metadata expiration check: 1:02:34 ago on ven 25 mar 2022, 09:57:28.
ca-certificates-2021.2.50-3.fc35.noarch : The Mozilla CA root certificate bundle
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/README
Filename : /etc/pki/ca-trust/ca-legacy.conf
Filename : /etc/pki/ca-trust/extracted
Filename : /etc/pki/ca-trust/extracted/README
Filename : /etc/pki/ca-trust/extracted/edk2/README
Filename : /etc/pki/ca-trust/extracted/edk2/cacerts.bin
Filename : /etc/pki/ca-trust/extracted/java
Filename : /etc/pki/ca-trust/extracted/java/README
Filename : /etc/pki/ca-trust/extracted/java/cacerts
Filename : /etc/pki/ca-trust/extracted/openssl
Filename : /etc/pki/ca-trust/extracted/openssl/README
Filename : /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Filename : /etc/pki/ca-trust/extracted/pem
Filename : /etc/pki/ca-trust/extracted/pem/README
Filename : /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Filename : /etc/pki/ca-trust/source
Filename : /etc/pki/ca-trust/source/README
Filename : /etc/pki/ca-trust/source/anchors
Filename : /etc/pki/ca-trust/source/blacklist
Filename : /etc/pki/ca-trust/source/blocklist
Filename : /etc/pki/ca-trust/source/ca-bundle.legacy.crt
ca-certificates-2021.2.52-1.0.fc35.noarch : The Mozilla CA root certificate bundle
Repo : @System
Matched from:
Filename : /etc/pki/ca-trust/README
Filename : /etc/pki/ca-trust/ca-legacy.conf
Filename : /etc/pki/ca-trust/extracted
Filename : /etc/pki/ca-trust/extracted/README
Filename : /etc/pki/ca-trust/extracted/edk2/README
Filename : /etc/pki/ca-trust/extracted/edk2/cacerts.bin
Filename : /etc/pki/ca-trust/extracted/java
Filename : /etc/pki/ca-trust/extracted/java/README
Filename : /etc/pki/ca-trust/extracted/java/cacerts
Filename : /etc/pki/ca-trust/extracted/openssl
Filename : /etc/pki/ca-trust/extracted/openssl/README
Filename : /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Filename : /etc/pki/ca-trust/extracted/pem
Filename : /etc/pki/ca-trust/extracted/pem/README
Filename : /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Filename : /etc/pki/ca-trust/source
Filename : /etc/pki/ca-trust/source/README
Filename : /etc/pki/ca-trust/source/anchors
Filename : /etc/pki/ca-trust/source/blacklist
Filename : /etc/pki/ca-trust/source/blocklist
Filename : /etc/pki/ca-trust/source/ca-bundle.legacy.crt
ca-certificates-2021.2.52-1.0.fc35.noarch : The Mozilla CA root certificate bundle
Repo : updates
Matched from:
Filename : /etc/pki/ca-trust/README
Filename : /etc/pki/ca-trust/ca-legacy.conf
Filename : /etc/pki/ca-trust/extracted
Filename : /etc/pki/ca-trust/extracted/README
Filename : /etc/pki/ca-trust/extracted/edk2/README
Filename : /etc/pki/ca-trust/extracted/edk2/cacerts.bin
Filename : /etc/pki/ca-trust/extracted/java
Filename : /etc/pki/ca-trust/extracted/java/README
Filename : /etc/pki/ca-trust/extracted/java/cacerts
Filename : /etc/pki/ca-trust/extracted/openssl
Filename : /etc/pki/ca-trust/extracted/openssl/README
Filename : /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Filename : /etc/pki/ca-trust/extracted/pem
Filename : /etc/pki/ca-trust/extracted/pem/README
Filename : /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
Filename : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Filename : /etc/pki/ca-trust/source
Filename : /etc/pki/ca-trust/source/README
Filename : /etc/pki/ca-trust/source/anchors
Filename : /etc/pki/ca-trust/source/blacklist
Filename : /etc/pki/ca-trust/source/blocklist
Filename : /etc/pki/ca-trust/source/ca-bundle.legacy.crt
freeipa-client-common-4.9.7-2.fc35.noarch : Common files used by IPA client
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/source/ipa.p11-kit
freeipa-client-common-4.9.8-1.fc35.noarch : Common files used by IPA client
Repo : updates
Matched from:
Filename : /etc/pki/ca-trust/source/ipa.p11-kit
tog-pegasus-2:2.14.1-61.fc35.x86_64 : OpenPegasus WBEM Services for Linux
Repo : fedora
Matched from:
Filename : /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
ankursinha
(Ankur Sinha)
March 25, 2022, 10:40am
#26
This all looks good, so everything is as it should be. If/when you run into issues again, we should be able to track down what causes it.