1

Many shell applications are throwing SSL certificate errors. I'm not aware of anything that could have caused this. apt, Google Chrome, Discord all work fine.

Already tried: Problem with certificates

Examples:

YouTube-dl: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)> (caused by URLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

wget: ERROR: cannot verify www.google.com's certificate, issued by ‘CN=GTS CA 1O1,O=Google Trust Services,C=US’: Unable to locally verify the issuer's authority. To connect to www.google.com insecurely, use `--no-check-certificate'.

UPDATE:

The time on my machine is correct. (I checked just to be sure)

dpkg -l | grep cert comes up with the following packages:

ii  ca-certificates                            20180409                                     all          Common CA certificates
ii  ca-certificates-java                       20180516ubuntu1~18.04.1                      all          Common CA certificates (JKS keystore)
ii  dirmngr                                    2.2.4-1ubuntu1.2                             amd64        GNU privacy guard - network certificate management service
ii  python3-certifi                            2018.1.18-2                                  all          root certificates for validating SSL certs and verifying TLS hosts (python3)
ii  ssl-cert                                   1.0.39                                       all          simple debconf wrapper for OpenSSL

UPDATE 2:

which openssl succesfully returns that OpenSSL is installed in /usr/local/bin/openssl.

ldd $(which wget) returns:

    linux-vdso.so.1 (0x00007ffda9b23000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f2edddd0000)
    libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f2eddbc8000)
    libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f2edd9a8000)
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f2edd710000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f2edd218000)
    libpsl.so.5 => /usr/lib/x86_64-linux-gnu/libpsl.so.5 (0x00007f2edd008000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2edcc10000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f2edc9f0000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f2ede2d0000)
    libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f2edc670000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2edc468000)

UPDATE 3:

dpkg -l | grep openssl returns:

ii  openssl                                                     1.1.1-1ubuntu2.1~18.04.4                                    amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  perl-openssl-defaults:amd64                                 3build1                                                     amd64        version compatibility baseline for Perl OpenSSL packages

UPDATE 4:

sudo apt install --reinstall openssl solved wget, but python apps like youtube-dl and do-release-upgrade are still reporting certificate issues.

CONCLUSION

Reinstalled Ubuntu

Johnystar
  • 131
  • 1
  • 1
  • 7
  • Is the time correct on your machine? Many times the time was incorrect on my laptop which would make the certs invalid. – Gordster Aug 28 '19 at 16:44
  • Please show `dpkg -l | grep cert` – nobody Aug 28 '19 at 16:45
  • Yes, I even checked just to be sure. @Gordster – Johnystar Aug 28 '19 at 18:18
  • I updated the question with additional information, @nobody . – Johnystar Aug 28 '19 at 18:18
  • No ,wrong idea. `which openssl` and `ldd $(which wget)` – nobody Aug 29 '19 at 13:06
  • I added the output of the commands to my question @nobody – Johnystar Aug 29 '19 at 15:20
  • Is `ca-certificates` installed on your computer? – Thomas Ward Aug 29 '19 at 15:25
  • @ThomasWard yes, even running `sudo update-ca-certificates` works without a problem. – Johnystar Aug 29 '19 at 15:28
  • I thing the Problem lies in your openssl in /usr/local/bin/ this is not the standart . `which openssl /usr/bin/openssl` – nobody Aug 29 '19 at 15:51
  • @nobody What can I do about it? Should I try copying it over? – Johnystar Aug 29 '19 at 17:00
  • How did you install the openssl? `dpkg -l | grep openssl` And `tree /usr/local/` It seemed you have compilled something by your own. – nobody Aug 29 '19 at 17:53
  • I'm not sure, but it might be possible. I believe (I might be wrong) I compiled OpenSSL because I needed it for Kore, however I'm a C noob and might have done something wrong. I think I should be able to uninstall my version of OpenSSL and apt install it from Ubuntu's repositories, right? I'm not quite sure how I'd do that though. @nobody – Johnystar Aug 30 '19 at 15:20
  • @nobody nevermind ended up backing up my home directory (didn't have it set up as a separate partition) and installed Ubuntu 19.04 with a separate home partition – Johnystar Sep 01 '19 at 10:46

1 Answers1

2

The issue I found on my Ubuntu with Python was that I upgraded pip install --upgrade certifi... And then it took me hours trying to understand why things do not work... Only once I had seen different versions here, that I started thinking in the right direction...

vitaliy@vitalnuc01:~/HANAClientsTutorial/python$ dpkg -l | grep python3-certifi
ii  python3-certifi                            2018.1.18-2                                         all          root certificates for validating SSL certs and verifying TLS hosts (python3)
vitaliy@vitalnuc01:~/HANAClientsTutorial/python$ pip3 search certifi
...
certifi (2020.4.5.1)                        - Python package for providing Mozilla's CA Bundle.
  INSTALLED: 2020.4.5.1 (latest)
...

So...

pip3 uninstall certifi
sudo apt-get install --reinstall python3-certifi

...and Python-based programs started working for me again.

And yes, I was close to reinstalling my Ubuntu as well :)

Vitaliy R
  • 21
  • 3