# https problem after updating system

## Ramis

Hi!

After updating world, I cannot open local tomcat sites by https. Http works.

I think the problem is due to certificates.

I tried several browsers: firefox, vivaldi, chrome.

Then I tried to repair the system by this topic: https://forums.gentoo.org/viewtopic-t-812705-start-0.html,

but there is no cacert.org.pem in my system.

Also I tried to re-emerge with the new USE flag cacert, and the result is the same.

How can I repair certificates in my system?

Thanks.

----------

## tryn

Hi Ramis.

 You might try to rebuild these two items.

app-misc/ca-certificates

dev-libs/openssl 

I ran this 

```
equery b certs
```

Which gave the two items above so you might try that.

----------

## Markus09

Do you get no return from the server or some error message?

You could try in console with:

```
openssl s_client -connect yourTomcatHostname:443

GET / HTTP/1.1

Host: yourTomcatHostname
```

to get more info about what's going wrong.

(Note: you have to press "Return" twice at the end)

----------

## Ramis

 *tryn wrote:*   

> Hi Ramis.
> 
>  You might try to rebuild these two items.
> 
> app-misc/ca-certificates
> ...

 

Hi, tryn!

Thank you for reply.

I tried 

```
equery b certs
```

 and it gives me

```
app-misc/ca-certificates-20161102.3.27.2-r2 (/etc/ssl/certs)

dev-libs/openssl-1.0.2j (/etc/ssl/certs)

sys-kernel/gentoo-sources-4.4.39 (/usr/src/linux-4.4.39-gentoo/certs)
```

Then I updated 

```
 emerge -av ca-certificates openssl gentoo-sources
```

```
These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R    ] app-misc/ca-certificates-20161102.3.27.2-r2::gentoo  USE="cacert -insecure_certs" 7 539 KiB

[ebuild  NS    ] dev-libs/openssl-0.9.8z_p8:0.9.8::gentoo [1.0.2j:0::gentoo] USE="bindist zlib -gmp -kerberos {-test}" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 3 730 KiB

[ebuild   R    ] sys-kernel/gentoo-sources-4.4.39:4.4.39::gentoo  USE="symlink -build -experimental" 86 157 KiB

Total: 3 packages (1 in new slot, 2 reinstalls), Size of downloads: 97 424 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-libs/openssl:0

  (dev-libs/openssl-1.0.2j:0/0::gentoo, ebuild scheduled for merge) conflicts with

    >=dev-libs/openssl-1.0.1h-r2:0[abi_x86_32(-),abi_x86_64(-)] required by (dev-qt/qtcore-4.8.6-r2:4/4::gentoo, installed)
```

But the result is the same.

----------

## Ramis

 *Markus09 wrote:*   

> Do you get no return from the server or some error message?
> 
> You could try in console with:
> 
> ```
> ...

 

Hi, Markus09!

Thanks for advice.

My connection in console gives me:

```
openssl s_client -connect https://localhost:9002/newstore/ru/?site=new

gethostbyname failure

gethostbyname failure

connect:errno=11
```

while Firefox output is:

```
An error occurred during a connection to localhost:9002. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
```

----------

## Hu

 *Ramis wrote:*   

> My connection in console gives me:
> 
> ```
> openssl s_client -connect https://localhost:9002/newstore/ru/?site=new
> 
> ...

 You misunderstood his instructions.  openssl s_client is not a browser.  It is a TLS-aware byte stream.  He specified to give a bare hostname:port because that is all you can give to openssl s_client.  You cannot give it a protocol scheme or a path, because it is designed to work with any TLS-aware service, not just https.

 *Ramis wrote:*   

> while Firefox output is:
> 
> ```
> An error occurred during a connection to localhost:9002. Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
> ```
> ...

 This is helpful.  It says the peer is broken, not the client.  Check the peer's error logs for details about what type of error it experienced.

----------
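The host:port rule Hu describes, as an added example that is not part of any post in this thread: a small POSIX sh helper that reduces a URL like the one Ramis typed to the bare target that `openssl s_client -connect` accepts, and a probe wrapper that adds `-servername` so SNI matches the host. The function names `to_connect_target` and `tls_probe`, the 443 default and the sample URLs are choices made here.

```sh
#!/bin/sh
# Added example, not from the thread. openssl s_client takes only host:port,
# so a browser-style URL has to be reduced to that form first.

# Reduce a URL (or a bare host[:port]) to host:port. The scheme, path and
# query are dropped; when no port is given, 443 is assumed because s_client
# is only useful against a TLS endpoint. IPv6 literals are not handled.
to_connect_target() {
    url="$1"
    port=443
    hostport="${url#*://}"       # strip "https://" if present
    hostport="${hostport%%/*}"   # strip path and query string
    case "$hostport" in
        *:*) host="${hostport%%:*}"; port="${hostport#*:}" ;;
        *)   host="$hostport" ;;
    esac
    printf '%s:%s\n' "$host" "$port"
}

# Run the probe Markus09 suggested. -servername sets SNI to the host so a
# name-based virtual host answers with the right certificate, -showcerts
# prints the whole chain, and closing stdin makes s_client exit after the
# handshake instead of waiting for a request to type.
tls_probe() {
    target=$(to_connect_target "$1")
    host="${target%%:*}"
    openssl s_client -connect "$target" -servername "$host" -showcerts </dev/null 2>&1
}

# Usage: sh probe.sh 'https://localhost:9002/newstore/ru/?site=new'
if [ $# -gt 0 ]; then
    tls_probe "$1"
fi
```

If the server aborts the handshake the way Firefox reported, the probe ends with an SSL routines error line carrying the alert number; internal_error is TLS alert 80, and as Hu says, that points at the server's own logs rather than at the client's trust store. A successful handshake instead prints the certificate chain and a `Verify return code` line, which is where a trust-store problem would show up.

----------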

## Ramis

Hi Hu!

Thank you for reply.

I tried emerge dev-java/icedtea, but it failed:

```
 * Generating cacerts file from certificates in /usr/share/ca-certificates/

unable to load certificate

140661671573136:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

 * ERROR: dev-java/icedtea-7.2.6.8::gentoo failed (install phase):

 *   (no error message)

 * 

 * Call stack:

 *     ebuild.sh, line 115:  Called src_install

 *   environment, line 5009:  Called die

 * The specific snippet of code:

 *           openssl x509 -text -in "${c}" >> all.crt || die;

 *
```

So I think the problem is in certificates.

----------

## Markus09

Did you have a look into that folder?

E.g. with 

```
tree /usr/share/ca-certificates/
```

Is it empty? Does it contain something?

If you find .crt files you could check them with the tool 

```
file
```

 if at least they could be PEM certificates.

And if there is a file that is not, I'd move it temporarily out and try to rebuild.

You could also try icedtea-bin, if it is an option for you.

----------

## Ramis

Hi Markus09!

```
c0426 ramis # tree /usr/share/ca-certificates/

/usr/share/ca-certificates/

└── cacert.org

    └── cacert.org_root.crt

1 directory, 1 file
```

```
c0426 ca-certificates # update-ca-certificates

Updating certificates in /etc/ssl/certs...

W: /usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt not found, but listed in /etc/ca-certificates.conf.

W: /usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt not found, but listed in /etc/ca-certificates.conf.

W: /usr/share/ca-certificates/mozilla/AC_Raíz_Certicámara_S.A..crt not found, but listed in /etc/ca-certificates.conf.

W: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.

...

grep: ACCVRAIZ1.pem: No such file or directory

WARNING: ACCVRAIZ1.pem does not contain a certificate or CRL: skipping

grep: ACEDICOM_Root.pem: No such file or directory

WARNING: ACEDICOM_Root.pem does not contain a certificate or CRL: skipping

```

----------
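Markus09's check of the `.crt` files and the `update-ca-certificates` warnings in the last post are two views of the same problem: `/etc/ca-certificates.conf` still lists `mozilla/*.crt` files that no longer exist under `/usr/share/ca-certificates`, and any file in that tree that is not PEM makes the icedtea ebuild's `openssl x509 -in` call die with "no start line". The following POSIX sh script is an added example, not code from the thread or from Gentoo; it audits both conditions. The `CA_CONF`/`CA_SHARE` overrides, the function names and the sandbox contents built by `make_sandbox` are constructed here; the conf format (one relative path per line, `#` comments, `!` for deselected entries) is the one `update-ca-certificates` reads.

```sh
#!/bin/sh
# Added example, not from the thread: audit a ca-certificates tree the way
# update-ca-certificates (conf entries vs. share directory) and the icedtea
# ebuild (every .crt must be PEM) look at it. Paths default to the Gentoo
# locations seen in the thread; CA_CONF / CA_SHARE point it at a sandbox.

# 0 if the file carries the PEM CERTIFICATE markers PEM_read_bio looks for.
# A file without a BEGIN line is exactly what produces the ebuild's
# "no start line ... Expecting: TRUSTED CERTIFICATE" error.
pem_looks_valid() {
    [ -s "$1" ] || return 1
    grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----$' "$1" || return 1
    grep -Eq '^-----END (TRUSTED )?CERTIFICATE-----$' "$1" || return 1
}

# Print the .crt files under $1 that do not look like PEM, one per line.
# These are the candidates to move out of the tree before rebuilding.
list_bad_crt() {
    find "$1" -type f -name '*.crt' | while IFS= read -r f; do
        pem_looks_valid "$f" || printf '%s\n' "$f"
    done
}

# Print every entry of the conf file ($1) that has no file under $2.
# Blank lines and '#' comments are skipped; a leading '!' marks a
# deselected entry, which update-ca-certificates also ignores.
list_missing() {
    while IFS= read -r entry; do
        case "$entry" in ''|'#'*|'!'*) continue ;; esac
        [ -f "$2/$entry" ] || printf '%s\n' "$2/$entry"
    done < "$1"
}

count_lines() { awk 'END { print NR }'; }

# Build a constructed sandbox under $1 mirroring the thread: one cacert.org
# file, a conf that still lists mozilla/ files that are gone, and one .crt
# that is not PEM at all. The certificate body is a placeholder, not a real CA.
make_sandbox() {
    mkdir -p "$1/share/cacert.org" "$1/share/mozilla"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBY29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl' \
        '-----END CERTIFICATE-----' > "$1/share/cacert.org/cacert.org_root.crt"
    printf 'this is not a certificate\n' > "$1/share/mozilla/Broken_Root.crt"
    printf '%s\n' '# constructed ca-certificates.conf' \
        'mozilla/ACCVRAIZ1.crt' \
        'mozilla/ACEDICOM_Root.crt' \
        'mozilla/Broken_Root.crt' \
        '!mozilla/Deselected_Root.crt' \
        'cacert.org/cacert.org_root.crt' > "$1/ca-certificates.conf"
}

# Report both problems for a conf file ($1) and share directory ($2).
audit() {
    echo "== entries in $1 with no file under $2"
    list_missing "$1" "$2"
    echo "== .crt files under $2 that are not PEM"
    list_bad_crt "$2"
}

conf="${CA_CONF:-/etc/ca-certificates.conf}"
share="${CA_SHARE:-/usr/share/ca-certificates}"
if [ -f "$conf" ] && [ -d "$share" ]; then
    audit "$conf" "$share"
else
    echo "no ca-certificates tree at $conf / $share (set CA_CONF and CA_SHARE)" >&2
fi
```

On Ramis's system the first list would contain every `mozilla/` entry from the warnings, which says the `ca-certificates` package was installed without its Mozilla bundle rather than that any certificate is corrupt; re-emerging `app-misc/ca-certificates` so that `/usr/share/ca-certificates/mozilla/` is repopulated, then running `update-ca-certificates`, is the repair that matches those warnings. The marker test here is deliberately loose; the strict check the ebuild performs is `openssl x509 -noout -in FILE`, and `file FILE` (Markus09's suggestion) reports "PEM certificate" for a well-formed file.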

