# problem with certificates?

## petr2008

I have found following (possibly related problems) on my fresh gentoo

install:

```
emerge --sync

>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...

 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc

 * Refreshing keys via WKD ...                                           [ !! ]

 * Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring refresh failed:

gpg: refreshing 4 keys from hkps://keys.gentoo.org

gpg: keyserver refresh failed: General error

OpenPGP keyring refresh failed:

gpg: refreshing 4 keys from hkps://keys.gentoo.org

gpg: keyserver refresh failed: General error

OpenPGP keyring refresh failed:

gpg: refreshing 4 keys from hkps://keys.gentoo.org

gpg: keyserver refresh failed: General error

OpenPGP keyring refresh failed:

gpg: refreshing 4 keys from hkps://keys.gentoo.org

gpg: keyserver refresh failed: General error

^C

```

```
xfce4-weather-update

tail -f .xsession-errors

(wrapper-2.0:6185): weather-WARNING **: 07:11:08.366: Download of astronomical data failed with HTTP Status Code 6, Reason phrase: Unacceptable TLS certificate

(wrapper-2.0:6185): weather-WARNING **: 07:11:08.372: Download of weather data failed with HTTP Status Code 6, Reason phrase: Unacceptable TLS certificate

weather-Message: 07:11:18.246: getting https://api.met.no/weatherapi/sunrise/2.0/?lat=50.173302&lon=14.376300&date=2019-08-11&offset=+02:00&days=5

weather-Message: 07:11:18.247: getting https://api.met.no/weatherapi/locationforecastlts/1.3/?lat=50.173302&lon=14.376300&msl=0

(wrapper-2.0:6185): weather-WARNING **: 07:11:18.361: Download of astronomical data failed with HTTP Status Code 6, Reason phrase: Unacceptable TLS certificate

(wrapper-2.0:6185): weather-WARNING **: 07:11:18.369: Download of weather data failed with HTTP Status Code 6, Reason phrase: Unacceptable TLS certificate

```

```
fwupdmgr refresh

Fetching metadata https://cdn.fwupd.org/downloads/firmware.xml.gz

(fwupdmgr:6658): GLib-Net-WARNING **: 07:14:40.443: couldn't load TLS file database: Failed to load system trust store: GnuTLS was not configured with a system trust

Failed to download https://cdn.fwupd.org/downloads/firmware.xml.gz: SSL handshake failed

```

Any hint? Thank you.

[Moderator edit: added [code] tags to preserve output layout. -Hu]

----------

## mike155

 *Quote:*   

> gpg: keyserver refresh failed: General error 

 

Developers recently added a feature called 'tree verification'. It doesn't work well and many users report problems.

My suggestion: disable that feature: https://forums.gentoo.org/viewtopic-p-8358476.html#8358476

Other users recommend other solutions, see: https://forums.gentoo.org/viewtopic-t-1100202-start-0.html

 *Quote:*   

> (wrapper-2.0:6185): weather-WARNING **: 07:11:08.366: Download of astronomical data failed with HTTP Status Code 6, Reason phrase: Unacceptable TLS certificate 

 

 *Quote:*   

> (fwupdmgr:6658): GLib-Net-WARNING **: 07:14:40.443: couldn't load TLS file database: Failed to load system trust store: GnuTLS was not configured with a system trust 

 

Those problems are probably not related to the first problem. Most probably, a USE flag is missing. Please show us the output of

```
emerge --info
```

```
emerge -pv wget
```

```
emerge -pv curl
```

```
emerge -pv gnutls
```

----------

## petr2008

emerge --info

```
Portage 2.3.69 (python 3.6.5-final-0, default/linux/amd64/17.1, gcc-8.3.0, glibc-2.29-r2, 4.19.57-gentoo x86_64)

=================================================================

System uname: Linux-4.19.57-gentoo-x86_64-Intel-R-_Core-TM-_i7-8650U_CPU_@_1.90GHz-with-gentoo-2.6

KiB Mem:    16301652 total,  14179384 free

KiB Swap:          0 total,         0 free

Timestamp of repository gentoo: Sun, 11 Aug 2019 00:45:01 +0000

Head commit of repository gentoo: d5f4b4508cef4389a04b009938addd62d50cfd29

sh bash 4.4_p23-r1

ld GNU ld (Gentoo 2.32 p2) 2.32.0

distcc[18453] (dcc_trace_version) distcc 3.3.2 x86_64-pc-linux-gnu; built Jul 31 2019 17:37:02 [disabled]

ccache version 3.7.1 [enabled]

app-shells/bash:          4.4_p23-r1::gentoo

dev-java/java-config:     2.2.0-r4::gentoo

dev-lang/perl:            5.28.2-r1::gentoo

dev-lang/python:          2.7.15::gentoo, 3.6.5::gentoo

dev-util/ccache:          3.7.1::gentoo

dev-util/cmake:           3.14.6::gentoo

sys-apps/baselayout:      2.6-r1::gentoo

sys-apps/openrc:          0.41.2::gentoo

sys-apps/sandbox:         2.13::gentoo

sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r4::gentoo

sys-devel/automake:       1.16.1-r1::gentoo

sys-devel/binutils:       2.32-r1::gentoo

sys-devel/gcc:            8.3.0-r1::gentoo

sys-devel/gcc-config:     2.0::gentoo

sys-devel/libtool:        2.4.6-r3::gentoo

sys-devel/make:           4.2.1-r4::gentoo

sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)

sys-libs/glibc:           2.29-r2::gentoo

Repositories:

gentoo

    location: /var/db/repos/gentoo

    sync-type: rsync

    sync-uri: rsync://rsync.gentoo.org/gentoo-portage

    priority: -1000

    sync-rsync-verify-metamanifest: yes

    sync-rsync-extra-opts:

    sync-rsync-verify-max-age: 24

    sync-rsync-verify-jobs: 1

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="@FREE"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=skylake -mabm -mrtm  -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"

CXXFLAGS="-march=skylake -mabm -mrtm  -O2 -pipe"

DISTDIR="/var/cache/distfiles"

ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"

FCFLAGS="-march=skylake -mabm -mrtm  -O2 -pipe"

FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

FFLAGS="-march=skylake -mabm -mrtm  -O2 -pipe"

GENTOO_MIRRORS="http://distfiles.gentoo.org"

LANG="en_US.utf8"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j8"

PKGDIR="/var/cache/binpkgs"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"

PORTAGE_TMPDIR="/var/tmp"

USE="X a52 acl acpi agent alsa alsa-plugin amd64 apng bdf berkdb bluetooth bzip2 cairo cli consolekit contrib corefonts crypt cups cxx dbus dell djvu dri dts emacs ffmpeg fontconfig fortran gdbm gfortran gif glib gpg graphviz gtk gtk3 gui iconv icu idn idna introspection ipv6 jpeg json lapack libtirpc lm_sensors multilib ncurses nls nptl opengl openmp pam pango pcre pcre16 png postscript postsript pulseaudio python qt5 readline redistributable rendering savedconfig scsi seccomp sensord spamassasin spell split-usr sqlite ssh ssl svg tcl tcpd text tiff tk truetype udev uefi unicode unknown-license widgets wmf xattr xetex zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en cs ru fr" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" RUBY_TARGETS="ruby24" USERLAND="GNU" VIDEO_CARDS="intel i965 i915" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

emerge -pv wget

```
These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R    ] net-misc/wget-1.20.3-r1::gentoo  USE="idn ipv6 nls pcre ssl zlib -debug -gnutls -libressl -ntlm -static -test -uuid" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

```

emerge -pv curl

```
These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R    ] net-misc/curl-7.65.0::gentoo  USE="idn ipv6 ssh ssl -adns -brotli -http2 -kerberos -ldap -metalink -rtmp -samba -static-libs -test -threads" ABI_X86="(64) -32 (-x32)" CURL_SSL="openssl -gnutls -libressl -mbedtls -nss (-winssl)" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

```

emerge -pv gnutls

```

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R    ] net-libs/gnutls-3.6.7:0/30::gentoo  USE="cxx idn nls openssl seccomp tls-heartbeat -dane -doc -examples -guile -pkcs11 -sslv2 -sslv3 -static-libs -test (-test-full) -tools -valgrind" ABI_X86="(64) -32 (-x32)" 7,963 KiB

Total: 1 package (1 reinstall), Size of downloads: 7,963 KiB
```

[Moderator edit: added [code] tags to preserve output layout, again. -Hu]

----------

## mike155

Thanks for the data.

Output of 'emerge --info' looks good. USE flag 'ssl' is there. Everything seems to be okay.

I'm sorry - I don't know what to do.

----------

## petr2008

I added cacert use flag and reemerge with --newuse.

It works now !

Concerning emerge --sync, I will stay with emerge-webrsync.

Thank you.

----------

