is there a way to ignore certificate validation when updating all the packages using yay command 'yay -syu' ? #2469

Open
souhaiebtar opened this issue Jul 9, 2024 · 1 comment

Comments

@souhaiebtar

Affected Version

yay v12.3.5 - libalpm v14.0.0

Describe the bug

I'm running Archlinux on WSL2, and now when I try to upgrade all packages it shows the error
"failed to verify certificate: x509: certificate signed by unknown authority", which I think is related to the company using a self-signed certificate.
I even used the variable "--skipinteg", but verification always happens.
Do you have any solution? Thank you.

Reproduction Steps

Expected behavior

Output

@frenchbeard

frenchbeard commented Oct 4, 2024

Since the issue is with the validity of the certificate, you necessarily have the ability to connect to the repo, so you should go the following way:

  • retrieve the self-signed certificate:
    `openssl s_client YOUR_REPO:443 < /dev/null | openssl x509 -outform PEM > YOUR_REPO.crt`
  • add it to your system's recognized CAs (command valid for current Archlinux):
    `trust anchor YOUR_REPO.crt`

And there shouldn't be any issue regarding certificate validation.

If the "self-signed" component is not the cert itself but one of the parent certificates, same process but changing the `s_client` to `s_client -showcerts` to get the full chain in the first command, including the problematic certificate.

This doesn't address the lack of option issue, but should solve the underlying error (and suggestion should be made to provide the offending cert / CA inside the company itself, to actually use "proper" TLS when distributing packages that can run privileged code on your machine by design).
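
Added example, not part of the comment above and not code from the yay project: a way to review what `s_client -showcerts` captured before any of it is passed to `trust anchor`. The function names, the `certNN.pem` file naming and the `|`-separated output layout are assumptions of this sketch; it only needs `openssl` and `awk`.

```shell
#!/usr/bin/env bash
# Added example: review every certificate in a captured chain before
# anchoring one. Function names and certNN.pem naming are assumptions.

# Write each PEM certificate found in file $1 to $2/certNN.pem.
# Non-certificate lines (s_client session output) are skipped.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Print one line per certificate: file|kind|subject|SHA-256 fingerprint.
# kind is "self-issued" when subject and issuer are identical (a name
# comparison only, not a signature check), otherwise "issued".
list_chain() (
    split_chain "$1" "$2" || exit 1
    for f in "$2"/cert*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $1" >&2; exit 1; }
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253) || exit 1
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253) || exit 1
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256) || exit 1
        subj=${subj#subject=}; iss=${iss#issuer=}
        if [ "$subj" = "$iss" ]; then kind=self-issued; else kind=issued; fi
        printf '%s|%s|%s|%s\n' "${f##*/}" "$kind" "$subj" "${fp#*=}"
    done
)

# Run as: script.sh chain.pem outdir
if [ "$#" -eq 2 ]; then list_chain "$1" "$2"; fi
```

Compare the fingerprint of the certificate you intend to trust with the value obtained from the company through a separate channel, then pass only that one `certNN.pem` file to `trust anchor`.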
