* [Buildroot] libcurl ignores default buildroot CA bundle @ 2022-06-04 16:43 Dimi Tomov 2022-06-04 18:16 ` Dimi Tomov 0 siblings, 1 reply; 7+ messages in thread From: Dimi Tomov @ 2022-06-04 16:43 UTC (permalink / raw) To: buildroot Hello Buildroot community, I have a STM32MP1 target and my buildroot image has both the curl and ca-certificates package installed. However, curl fails to authenticate any https requests: # curl https://google.com curl: (77) CA signer not available for verification Do I need to do some extra buildroot configuration for libcurl to use the CA bundle in /etc/ssl/certs? Thanks, Dimi Tomov -- Founder of TPM.dev _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] libcurl ignores default buildroot CA bundle 2022-06-04 16:43 [Buildroot] libcurl ignores default buildroot CA bundle Dimi Tomov @ 2022-06-04 18:16 ` Dimi Tomov 2022-06-05 7:24 ` Dimi Tomov 0 siblings, 1 reply; 7+ messages in thread From: Dimi Tomov @ 2022-06-04 18:16 UTC (permalink / raw) To: Baruch Siach; +Cc: Buildroot Hello Baruch, I may have found an issue with the libcurl package. The libcurl.mk file lacks CA path when built with wolfssl instead of openssl. ifeq ($(BR2_PACKAGE_LIBCURL_WOLFSSL),y) LIBCURL_CONF_OPTS += --with-wolfssl=$(STAGING_DIR)/usr LIBCURL_DEPENDENCIES += wolfssl else LIBCURL_CONF_OPTS += --without-wolfssl endif I tried adding LIBCURL_CONF_OPTS += --with-ca-path=/etc/ssl/certs in the above if case and rebuild, but this did not solve the issue. Could you please take a look? Thanks, Dimi On 2022-06-04 07:43 PM, Dimi Tomov wrote: > Hello Buildroot community, > > I have a STM32MP1 target and my buildroot image has both the curl and > ca-certificates package installed. However, curl fails to authenticate > any https requests: > > > # curl https://google.com > > curl: (77) CA signer not available for verification > > > Do I need to do some extra buildroot configuration for libcurl to use > the CA bundle in /etc/ssl/certs? > > Thanks, > > Dimi Tomov > -- > Founder of TPM.dev > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- Founder of TPM.dev _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] libcurl ignores default buildroot CA bundle 2022-06-04 18:16 ` Dimi Tomov @ 2022-06-05 7:24 ` Dimi Tomov 2022-06-05 8:16 ` Dimi Tomov 0 siblings, 1 reply; 7+ messages in thread From: Dimi Tomov @ 2022-06-05 7:24 UTC (permalink / raw) To: Baruch Siach, Martin Bark; +Cc: Buildroot Hell Martin and Baruch, Issue persist after building my buildroot image with libcurl and openssl as a cryptographic provider, ca-certificates package installed properly and in default location. Error message only changed a bit: # curl https://google.com curl: (60) SSL certificate problem: certificate is not yet valid More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ^the above page mentions that a CA bundle is missing. However, /etc/ssl/certs is deployed properly by the buildroot make and sdcard image. Any ideas? Thanks, Dimi -- Founder of TPM.dev On 2022-06-04 09:16 PM, Dimi Tomov wrote: > Hello Baruch, > > I may have found an issue with the libcurl package. > > The libcurl.mk file lacks CA path when built with wolfssl instead of > openssl. > > ifeq ($(BR2_PACKAGE_LIBCURL_WOLFSSL),y) > LIBCURL_CONF_OPTS += --with-wolfssl=$(STAGING_DIR)/usr > LIBCURL_DEPENDENCIES += wolfssl > else > LIBCURL_CONF_OPTS += --without-wolfssl > endif > > I tried adding LIBCURL_CONF_OPTS += --with-ca-path=/etc/ssl/certs in > the above if case and rebuild, but this did not solve the issue. Could > you please take a look? > > Thanks, > > Dimi > > On 2022-06-04 07:43 PM, Dimi Tomov wrote: >> Hello Buildroot community, >> >> I have a STM32MP1 target and my buildroot image has both the curl and >> ca-certificates package installed. However, curl fails to authenticate >> any https requests: >> >> >> # curl https://google.com >> >> curl: (77) CA signer not available for verification >> >> >> Do I need to do some extra buildroot configuration for libcurl to use >> the CA bundle in /etc/ssl/certs? >> >> Thanks, >> >> Dimi Tomov >> -- >> Founder of TPM.dev >> _______________________________________________ >> buildroot mailing list >> buildroot@buildroot.org >> https://lists.buildroot.org/mailman/listinfo/buildroot _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] libcurl ignores default buildroot CA bundle 2022-06-05 7:24 ` Dimi Tomov @ 2022-06-05 8:16 ` Dimi Tomov 2022-06-05 8:32 ` Dimi Tomov 0 siblings, 1 reply; 7+ messages in thread From: Dimi Tomov @ 2022-06-05 8:16 UTC (permalink / raw) To: Baruch Siach, Martin Bark; +Cc: Buildroot I forgot to mention that I have updated the system clock using data & hwclock -wu and the issue with libcurl and ca-certificates packages persists. On 2022-06-05 10:24 AM, Dimi Tomov wrote: > Hell Martin and Baruch, > > Issue persist after building my buildroot image with libcurl and > openssl as a cryptographic provider, ca-certificates package installed > properly and in default location. Error message only changed a bit: > > # curl https://google.com > curl: (60) SSL certificate problem: certificate is not yet valid > More details here: https://curl.se/docs/sslcerts.html > > curl failed to verify the legitimacy of the server and therefore could > not > establish a secure connection to it. To learn more about this situation > and > how to fix it, please visit the web page mentioned above. > > ^the above page mentions that a CA bundle is missing. > > However, /etc/ssl/certs is deployed properly by the buildroot make and > sdcard image. > > Any ideas? > > Thanks, > > Dimi > > -- > Founder of TPM.dev > > On 2022-06-04 09:16 PM, Dimi Tomov wrote: >> Hello Baruch, >> >> I may have found an issue with the libcurl package. >> >> The libcurl.mk file lacks CA path when built with wolfssl instead of >> openssl. >> >> ifeq ($(BR2_PACKAGE_LIBCURL_WOLFSSL),y) >> LIBCURL_CONF_OPTS += --with-wolfssl=$(STAGING_DIR)/usr >> LIBCURL_DEPENDENCIES += wolfssl >> else >> LIBCURL_CONF_OPTS += --without-wolfssl >> endif >> >> I tried adding LIBCURL_CONF_OPTS += --with-ca-path=/etc/ssl/certs in >> the above if case and rebuild, but this did not solve the issue. Could >> you please take a look? >> >> Thanks, >> >> Dimi >> >> On 2022-06-04 07:43 PM, Dimi Tomov wrote: >>> Hello Buildroot community, >>> >>> I have a STM32MP1 target and my buildroot image has both the curl and >>> ca-certificates package installed. However, curl fails to >>> authenticate >>> any https requests: >>> >>> >>> # curl https://google.com >>> >>> curl: (77) CA signer not available for verification >>> >>> >>> Do I need to do some extra buildroot configuration for libcurl to use >>> the CA bundle in /etc/ssl/certs? >>> >>> Thanks, >>> >>> Dimi Tomov >>> -- >>> Founder of TPM.dev >>> _______________________________________________ >>> buildroot mailing list >>> buildroot@buildroot.org >>> https://lists.buildroot.org/mailman/listinfo/buildroot > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- Founder of TPM.dev _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] libcurl ignores default buildroot CA bundle 2022-06-05 8:16 ` Dimi Tomov @ 2022-06-05 8:32 ` Dimi Tomov 2022-06-05 10:04 ` Dimi Tomov 0 siblings, 1 reply; 7+ messages in thread From: Dimi Tomov @ 2022-06-05 8:32 UTC (permalink / raw) To: Baruch Siach, Martin Bark; +Cc: Buildroot I think I found another issue: $make libcurl-reconfigure does not change the cryptopgrahic provider for curl. I change the option using make menuconfig and I see it reflected in my buildroot config. ps: about curl w/ openssl, my board had its date set to May instead of June and this was the issue. Thanks, Dimi On 2022-06-05 11:16 AM, Dimi Tomov wrote: > I forgot to mention that I have updated the system clock using data & > hwclock -wu and the issue with libcurl and ca-certificates packages > persists. > > On 2022-06-05 10:24 AM, Dimi Tomov wrote: >> Hell Martin and Baruch, >> >> Issue persist after building my buildroot image with libcurl and >> openssl as a cryptographic provider, ca-certificates package installed >> properly and in default location. Error message only changed a bit: >> >> # curl https://google.com >> curl: (60) SSL certificate problem: certificate is not yet valid >> More details here: https://curl.se/docs/sslcerts.html >> >> curl failed to verify the legitimacy of the server and therefore could >> not >> establish a secure connection to it. To learn more about this >> situation and >> how to fix it, please visit the web page mentioned above. >> >> ^the above page mentions that a CA bundle is missing. >> >> However, /etc/ssl/certs is deployed properly by the buildroot make and >> sdcard image. >> >> Any ideas? >> >> Thanks, >> >> Dimi >> >> -- >> Founder of TPM.dev >> >> On 2022-06-04 09:16 PM, Dimi Tomov wrote: >>> Hello Baruch, >>> >>> I may have found an issue with the libcurl package. >>> >>> The libcurl.mk file lacks CA path when built with wolfssl instead of >>> openssl. >>> >>> ifeq ($(BR2_PACKAGE_LIBCURL_WOLFSSL),y) >>> LIBCURL_CONF_OPTS += --with-wolfssl=$(STAGING_DIR)/usr >>> LIBCURL_DEPENDENCIES += wolfssl >>> else >>> LIBCURL_CONF_OPTS += --without-wolfssl >>> endif >>> >>> I tried adding LIBCURL_CONF_OPTS += --with-ca-path=/etc/ssl/certs in >>> the above if case and rebuild, but this did not solve the issue. >>> Could >>> you please take a look? >>> >>> Thanks, >>> >>> Dimi >>> >>> On 2022-06-04 07:43 PM, Dimi Tomov wrote: >>>> Hello Buildroot community, >>>> >>>> I have a STM32MP1 target and my buildroot image has both the curl >>>> and >>>> ca-certificates package installed. However, curl fails to >>>> authenticate >>>> any https requests: >>>> >>>> >>>> # curl https://google.com >>>> >>>> curl: (77) CA signer not available for verification >>>> >>>> >>>> Do I need to do some extra buildroot configuration for libcurl to >>>> use >>>> the CA bundle in /etc/ssl/certs? >>>> >>>> Thanks, >>>> >>>> Dimi Tomov >>>> -- >>>> Founder of TPM.dev >>>> _______________________________________________ >>>> buildroot mailing list >>>> buildroot@buildroot.org >>>> https://lists.buildroot.org/mailman/listinfo/buildroot >> _______________________________________________ >> buildroot mailing list >> buildroot@buildroot.org >> https://lists.buildroot.org/mailman/listinfo/buildroot -- Founder of TPM.dev _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] libcurl ignores default buildroot CA bundle 2022-06-05 8:32 ` Dimi Tomov @ 2022-06-05 10:04 ` Dimi Tomov 2022-06-05 12:49 ` Dimi Tomov 0 siblings, 1 reply; 7+ messages in thread From: Dimi Tomov @ 2022-06-05 10:04 UTC (permalink / raw) To: Baruch Siach, Martin Bark; +Cc: Buildroot make libcurl-dirclean forced a rebuild with wolfssl as the crypto backend, however --with-ca-path does not work. Error below: checking default CA cert bundle/path... configure: error: --with-ca-path only works with OpenSSL, GnuTLS or mbedTLS How to enable buildroot CA bundle for libcurl when using wolfssl? Thanks, Dimi On 2022-06-05 11:32 AM, Dimi Tomov wrote: > I think I found another issue: > > $make libcurl-reconfigure does not change the cryptopgrahic provider > for curl. > > I change the option using make menuconfig and I see it reflected in my > buildroot config. > > ps: about curl w/ openssl, my board had its date set to May instead of > June and this was the issue. > > Thanks, > > Dimi > > On 2022-06-05 11:16 AM, Dimi Tomov wrote: >> I forgot to mention that I have updated the system clock using data & >> hwclock -wu and the issue with libcurl and ca-certificates packages >> persists. >> >> On 2022-06-05 10:24 AM, Dimi Tomov wrote: >>> Hell Martin and Baruch, >>> >>> Issue persist after building my buildroot image with libcurl and >>> openssl as a cryptographic provider, ca-certificates package >>> installed >>> properly and in default location. Error message only changed a bit: >>> >>> # curl https://google.com >>> curl: (60) SSL certificate problem: certificate is not yet valid >>> More details here: https://curl.se/docs/sslcerts.html >>> >>> curl failed to verify the legitimacy of the server and therefore >>> could not >>> establish a secure connection to it. To learn more about this >>> situation and >>> how to fix it, please visit the web page mentioned above. >>> >>> ^the above page mentions that a CA bundle is missing. >>> >>> However, /etc/ssl/certs is deployed properly by the buildroot make >>> and >>> sdcard image. >>> >>> Any ideas? >>> >>> Thanks, >>> >>> Dimi >>> >>> -- >>> Founder of TPM.dev >>> >>> On 2022-06-04 09:16 PM, Dimi Tomov wrote: >>>> Hello Baruch, >>>> >>>> I may have found an issue with the libcurl package. >>>> >>>> The libcurl.mk file lacks CA path when built with wolfssl instead of >>>> openssl. >>>> >>>> ifeq ($(BR2_PACKAGE_LIBCURL_WOLFSSL),y) >>>> LIBCURL_CONF_OPTS += --with-wolfssl=$(STAGING_DIR)/usr >>>> LIBCURL_DEPENDENCIES += wolfssl >>>> else >>>> LIBCURL_CONF_OPTS += --without-wolfssl >>>> endif >>>> >>>> I tried adding LIBCURL_CONF_OPTS += --with-ca-path=/etc/ssl/certs in >>>> the above if case and rebuild, but this did not solve the issue. >>>> Could >>>> you please take a look? >>>> >>>> Thanks, >>>> >>>> Dimi >>>> >>>> On 2022-06-04 07:43 PM, Dimi Tomov wrote: >>>>> Hello Buildroot community, >>>>> >>>>> I have a STM32MP1 target and my buildroot image has both the curl >>>>> and >>>>> ca-certificates package installed. However, curl fails to >>>>> authenticate >>>>> any https requests: >>>>> >>>>> >>>>> # curl https://google.com >>>>> >>>>> curl: (77) CA signer not available for verification >>>>> >>>>> >>>>> Do I need to do some extra buildroot configuration for libcurl to >>>>> use >>>>> the CA bundle in /etc/ssl/certs? >>>>> >>>>> Thanks, >>>>> >>>>> Dimi Tomov >>>>> -- >>>>> Founder of TPM.dev >>>>> _______________________________________________ >>>>> buildroot mailing list >>>>> buildroot@buildroot.org >>>>> https://lists.buildroot.org/mailman/listinfo/buildroot >>> _______________________________________________ >>> buildroot mailing list >>> buildroot@buildroot.org >>> https://lists.buildroot.org/mailman/listinfo/buildroot -- Founder of TPM.dev _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] libcurl ignores default buildroot CA bundle 2022-06-05 10:04 ` Dimi Tomov @ 2022-06-05 12:49 ` Dimi Tomov 0 siblings, 0 replies; 7+ messages in thread From: Dimi Tomov @ 2022-06-05 12:49 UTC (permalink / raw) To: Baruch Siach, Martin Bark; +Cc: Buildroot Hi Baruch, Please review the patch that fixes this - https://lists.buildroot.org/pipermail/buildroot/2022-June/644127.html Thanks, Dimi On 2022-06-05 01:04 PM, Dimi Tomov wrote: > make libcurl-dirclean forced a rebuild with wolfssl as the crypto > backend, however --with-ca-path does not work. Error below: > > checking default CA cert bundle/path... configure: error: > --with-ca-path only works with OpenSSL, GnuTLS or mbedTLS > > How to enable buildroot CA bundle for libcurl when using wolfssl? > > Thanks, > Dimi > > > On 2022-06-05 11:32 AM, Dimi Tomov wrote: >> I think I found another issue: >> >> $make libcurl-reconfigure does not change the cryptopgrahic provider >> for curl. >> >> I change the option using make menuconfig and I see it reflected in my >> buildroot config. >> >> ps: about curl w/ openssl, my board had its date set to May instead of >> June and this was the issue. >> >> Thanks, >> >> Dimi >> >> On 2022-06-05 11:16 AM, Dimi Tomov wrote: >>> I forgot to mention that I have updated the system clock using data & >>> hwclock -wu and the issue with libcurl and ca-certificates packages >>> persists. >>> >>> On 2022-06-05 10:24 AM, Dimi Tomov wrote: >>>> Hell Martin and Baruch, >>>> >>>> Issue persist after building my buildroot image with libcurl and >>>> openssl as a cryptographic provider, ca-certificates package >>>> installed >>>> properly and in default location. Error message only changed a bit: >>>> >>>> # curl https://google.com >>>> curl: (60) SSL certificate problem: certificate is not yet valid >>>> More details here: https://curl.se/docs/sslcerts.html >>>> >>>> curl failed to verify the legitimacy of the server and therefore >>>> could not >>>> establish a secure connection to it. To learn more about this >>>> situation and >>>> how to fix it, please visit the web page mentioned above. >>>> >>>> ^the above page mentions that a CA bundle is missing. >>>> >>>> However, /etc/ssl/certs is deployed properly by the buildroot make >>>> and >>>> sdcard image. >>>> >>>> Any ideas? >>>> >>>> Thanks, >>>> >>>> Dimi >>>> >>>> -- >>>> Founder of TPM.dev >>>> >>>> On 2022-06-04 09:16 PM, Dimi Tomov wrote: >>>>> Hello Baruch, >>>>> >>>>> I may have found an issue with the libcurl package. >>>>> >>>>> The libcurl.mk file lacks CA path when built with wolfssl instead >>>>> of openssl. >>>>> >>>>> ifeq ($(BR2_PACKAGE_LIBCURL_WOLFSSL),y) >>>>> LIBCURL_CONF_OPTS += --with-wolfssl=$(STAGING_DIR)/usr >>>>> LIBCURL_DEPENDENCIES += wolfssl >>>>> else >>>>> LIBCURL_CONF_OPTS += --without-wolfssl >>>>> endif >>>>> >>>>> I tried adding LIBCURL_CONF_OPTS += --with-ca-path=/etc/ssl/certs >>>>> in >>>>> the above if case and rebuild, but this did not solve the issue. >>>>> Could >>>>> you please take a look? >>>>> >>>>> Thanks, >>>>> >>>>> Dimi >>>>> >>>>> On 2022-06-04 07:43 PM, Dimi Tomov wrote: >>>>>> Hello Buildroot community, >>>>>> >>>>>> I have a STM32MP1 target and my buildroot image has both the curl >>>>>> and >>>>>> ca-certificates package installed. However, curl fails to >>>>>> authenticate >>>>>> any https requests: >>>>>> >>>>>> >>>>>> # curl https://google.com >>>>>> >>>>>> curl: (77) CA signer not available for verification >>>>>> >>>>>> >>>>>> Do I need to do some extra buildroot configuration for libcurl to >>>>>> use >>>>>> the CA bundle in /etc/ssl/certs? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Dimi Tomov >>>>>> -- >>>>>> Founder of TPM.dev >>>>>> _______________________________________________ >>>>>> buildroot mailing list >>>>>> buildroot@buildroot.org >>>>>> https://lists.buildroot.org/mailman/listinfo/buildroot >>>> _______________________________________________ >>>> buildroot mailing list >>>> buildroot@buildroot.org >>>> https://lists.buildroot.org/mailman/listinfo/buildroot -- Founder of TPM.dev _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-06-05 12:50 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-06-04 16:43 [Buildroot] libcurl ignores default buildroot CA bundle Dimi Tomov 2022-06-04 18:16 ` Dimi Tomov 2022-06-05 7:24 ` Dimi Tomov 2022-06-05 8:16 ` Dimi Tomov 2022-06-05 8:32 ` Dimi Tomov 2022-06-05 10:04 ` Dimi Tomov 2022-06-05 12:49 ` Dimi Tomov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox