gnutls 3.6.16 on MacOS 10.15.7 fails to generate certificate bundle from keychain #81022
Comments
What is the output when you run |
|
How about |
|
There aren't really any extra logs during the post-install, so it probably won't give much information without modifying the Formula with extra
After running postinstall, can you check your
Maybe delete the file before rerunning postinstall to make sure it is getting generated. If it gets generated with certificates, that should mean that at least the first/last commands are working. Hard to tell what is exactly wrong in this situation though
If there is a file generated but it is empty, there are multiple possibilities:
If no file is generated, that is an odd situation. I would expect something to error if this happened. |
The file is definitely getting generated since when I run I found that when I run So I ran |
I wish I knew and understood Ruby so I could troubleshoot the code. I checked the paths in the formula and they look fine. Important note: when brew generates the certificates, gnutls finds 3, see below:
These three are from Conclusion: for one reason or another the brew formula is not correctly adding the certificates from |
From your command, the important line is
The 3 certificates should refer to what is received from the website (similar to what you may see in your web browser when you click the "lock" icon on an HTTPS page). Based on your reply, it is possible the certificates in
Perhaps try:
|
The commands ran successfully, the root certs seem fine because when cert.pem is generated manually gnutls says |
Hard to say why your system is filtering out the certificates.
--- a/Formula/gnutls.rb
+++ b/Formula/gnutls.rb
@@ -88,6 +88,7 @@ class Gnutls < Formula
certs = certs_list.scan(
/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m,
)
+ ohai "#{certs.length} certificates found"
# Check that the certificate has not expired
valid_certs = certs.select do |cert|
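Review bot: `ohai "#{certs.length} certificates found"` reports the count but does nothing when it is zero, so an empty `certs_list` (a keychain export that produced no PEM blocks) passes straight through to the later filters and ends in an empty bundle with no warning. Suggest failing or warning here when `certs.empty?` (`odie`/`opoo`), and, since this is a debugging aid, `odebug` rather than `ohai` if the line is meant to stay in the formula.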
@@ -98,6 +99,7 @@ class Gnutls < Formula
$CHILD_STATUS.success?
end
+ ohai "#{valid_certs.length} non-expired certificates"
# Check that the certificate is trusted in keychain
trusted_certs = begin
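Review bot: the "non-expired" count only says how many certificates passed `$CHILD_STATUS.success?`, which conflates genuinely expired certificates with ones the checking command could not parse at all; a malformed certificate dropped here looks identical to an expired one, and the thread's 169-to-166 drop cannot be attributed from the number alone. Suggest logging the subject or the PEM index of each certificate rejected in this `select` next to the count, so the rejected ones can be inspected individually.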
@@ -115,6 +117,7 @@ class Gnutls < Formula
ensure
tmpfile&.close!
end
+ ohai "#{trusted_certs.length} trusted certificates"
pkgetc.mkpath
(pkgetc/"cert.pem").atomic_write(trusted_certs.join("\n") << "\n")
And then rerun the
❯ brew postinstall gnutls
==> Postinstalling gnutls
==> Regenerating CA certificate bundle from keychain, this may take a while...
==> 169 certificates found
==> 166 non-expired certificates
==> 166 trusted certificates
To try to see where the number of certificates drop. |
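Review bot: `(pkgetc/"cert.pem").atomic_write(trusted_certs.join("\n") << "\n")` runs unconditionally, so when `trusted_certs` is empty the postinstall still succeeds and writes a bundle containing a single newline; every TLS connection then fails with an unknown issuer and nothing in the log explains why. Guard the write with a check on `trusted_certs.empty?` (`odie`, or at least `opoo`) right after the new `ohai "#{trusted_certs.length} trusted certificates"` line, which also makes that count actionable rather than informational.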
Sorry for the stupid question but how could I apply the patch to the formula locally? |
You can do
and apply the patch manually. Don't forget to
when you're done to undo your changes. |
Output with added debug info is:
|
Now I am not sure what is happening as postinstall sees 165 certificates before writing the file. The last easy thing to check would be the size/permissions of the file, e.g.
❯ ls -al "$(brew --prefix)/etc/gnutls/"
total 260
drwxr-xr-x 3 cho-m admin 96 Jul 16 19:27 .
drwxrwxr-x 28 cho-m admin 896 Jul 16 14:09 ..
-rw-r--r-- 1 cho-m admin 264162 Jul 16 19:27 cert.pem
❯ wc "$(brew --prefix)/etc/gnutls/cert.pem"
4334 4666 264162 /usr/local/etc/gnutls/cert.pem
❯ grep "BEGIN CERT" "$(brew --prefix)/etc/gnutls/cert.pem" | wc -l
166 |
Seems like I get totally different results when selecting all certificates under System Roots in Keychain.app and exporting them, versus running the following command:
and using the certificates exported using Keychain.app solves the problem:
|
I guess I found the culprit. Removing with
without
|
I met the same issue: openconnect became broken after a recent update of Homebrew. Digging deeper showed that now gnutls gets all certificates from the System keychain into its trust store. This keychain contains certificates "com.apple.kerberos.kdc". On some macOS systems such certificates may have duplicate extensions, which makes them invalid for gnutls. But due to a logic bug, gnutls drops the whole trust store if such a certificate is met. That's why some of us get
Here's the ticket I've filed to gnutls upstream: https://gitlab.com/gnutls/gnutls/-/issues/1255. From my point of view we need to manually filter out either certs with duplicate extensions or all "com.apple.kerberos.kdc" when building the trust store. |
Due to [1] gnutls may drop the whole trust store if there's at least one certificate with duplicating extensions. I'm not 100% sure but most likely macOS may have "com.apple.kerberos.kdc" certificate to be of such kind. So let's filter them out when building trust store. [1] https://gitlab.com/gnutls/gnutls/-/issues/1255 (Homebrew#81022)
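A worked version of the filtering the commit message above proposes, written for this page as an added example in Ruby (the language of the Homebrew formula); it is not the formula's own code and not the fix that was merged. It goes one step further than the commit message by also rejecting any certificate whose extension list repeats an OID, which is the malformation the upstream gnutls ticket describes, and it reports why each certificate was dropped, the information the thread had to reconstruct by hand. Assumptions: the macOS KDC certificate carries the subject CN com.apple.kerberos.kdc, and the keychain export is available as a PEM string; the certificates used below are constructed self-signed test roots, not Apple's.

```ruby
require "openssl"

# Assumed subject CN of the macOS Kerberos KDC certificate (see the commit message).
KDC_CN = "com.apple.kerberos.kdc".freeze

# Split a PEM bundle into individual certificate blocks (the same scan the formula uses).
def split_pem(bundle)
  bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
end

# Extension OIDs that occur more than once in the certificate.
def duplicate_extension_oids(cert)
  counts = cert.extensions.each_with_object(Hash.new(0)) { |ext, h| h[ext.oid] += 1 }
  counts.select { |_oid, n| n > 1 }.keys
end

def subject_cn(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == "CN" }
  entry && entry[1]
end

# nil when the certificate may go into the bundle, otherwise a short reason string.
def reject_reason(cert, now)
  return "expired or not yet valid" if cert.not_after < now || cert.not_before > now
  return "kerberos KDC certificate" if subject_cn(cert) == KDC_CN
  dups = duplicate_extension_oids(cert)
  return "duplicate extensions: #{dups.join(', ')}" unless dups.empty?
  nil
end

# Filter a PEM bundle. Returns { kept: [pem, ...], rejected: [[cn, reason], ...] }.
def filter_bundle(bundle, now: Time.now)
  result = { kept: [], rejected: [] }
  split_pem(bundle).each do |pem|
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError
      result[:rejected] << [nil, "unparsable"]
      next
    end
    reason = reject_reason(cert, now)
    if reason
      result[:rejected] << [subject_cn(cert), reason]
    else
      result[:kept] << cert.to_pem
    end
  end
  result
end

# Constructed sample data: self-signed test roots standing in for the keychain export.
def make_test_cert(cn, duplicate_key_usage: false, expired: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**62))
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = expired ? Time.now - 2 * 86_400 : Time.now - 3600
  cert.not_after = expired ? Time.now - 86_400 : Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  # X509_add_ext appends without a uniqueness check, so a second keyUsage yields the
  # kind of duplicate-extension certificate the thread describes.
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true)) if duplicate_key_usage
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

def sample_bundle
  [
    make_test_cert("Example Test Root CA"),
    make_test_cert(KDC_CN, duplicate_key_usage: true),
    make_test_cert("Broken Test Root CA", duplicate_key_usage: true),
    make_test_cert("Old Test Root CA", expired: true),
  ].join
end

if $PROGRAM_NAME == __FILE__
  r = filter_bundle(sample_bundle)
  puts "#{r[:kept].length} certificates kept"
  r[:rejected].each { |cn, why| puts "dropped #{cn.inspect}: #{why}" }
end
```

In the formula this would sit between the PEM scan and the keychain trust check, replacing the bare `$CHILD_STATUS.success?` test with something that says which certificate was dropped and why. Filtering on the CN alone is what the commit message proposes; the duplicate-extension check is the more general guard, since it catches any other certificate that would trigger the same gnutls behaviour.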
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Has this been fixed in the end (upsteam)? |
My pull request with suggested fix is still not approved. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
Due to [1] gnutls may drop the whole trust store if there's at least one certificate with duplicating extensions. I'm not 100% sure but most likely macOS may have "com.apple.kerberos.kdc" certificate to be of such kind. So let's filter them out when building trust store. [1] https://gitlab.com/gnutls/gnutls/-/issues/1255 (#81022)
Closed in #81851. Apologies for the delay here! |
brew gist-logs <formula> link OR brew config AND brew doctor output
Ran brew update and am still able to reproduce my issue.
Ran brew doctor and that did not fix my problem.
What were you trying to do (and why)?
I was trying to use and install gnutls as its required by weechat to connect with SSL on IRC servers
What happened (include all command output)?
The issue
I was trying to use gnutls with weechat (weechat uses TLS/SSL to connect to some servers) but I kept getting the error "The certificate is NOT trusted. The certificate issuer is unknown." (while it was working fine previously). This happens generally when using gnutls as seen below.
The solution
The issue was only fixed when I manually went into Keychain and regenerated a certificate bundle and placed it into /usr/local/etc/gnutls/cert.pem. See image below.
This is something which the homebrew formula should be doing (according to its output: "Regenerating CA certificate bundle from keychain, this may take a while..."). For some reason it is failing.
What did you expect to happen?
I expected to be able to connect with SSL to servers. Successful invocation found below.
As seen above gnutls finds all the certificates and is able to successfully complete the handshake.
Step-by-step reproduction instructions (by running brew commands)