[Risolto] Verifica certificato fallita - certificato non attendibile

[azioga]

Puoi postare il tuo /etc/apt/sources.list.d/docker.list ?

[Chryses]

certo

Codice: Seleziona tutto

$ cat /etc/apt/sources.list.d/docker.list
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian   bullseye stable

[azioga]

Sembra ok.

[azioga]

prova a verificare perchè da te dice:

Codice: Seleziona tutto

3077933 read(5, "102 Status\nMessage: Connected to"..., 64000) = 142
3077933 select(6, [5], [], NULL, {tv_sec=0, tv_usec=397850} <unfinished ...>
3077936 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

e da me non ha problemi

Codice: Seleziona tutto

7585  read(5, "102 Status\nMessage: Connessi a d"..., 64000) = 140
7585  select(6, [5], [], NULL, {tv_sec=0, tv_usec=436195} <unfinished ...>
7588  openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 4

[Chryses]

Questo non lo avevo visto!
Stasera guardo, sembra che sia in sola lettura, a memoria però non ho mai toccato i permessi e/o i gruppi di appartenenza, ho anche reinstallato ca-certificates giusto ieri per essere sicuro.
Che permessi hai su quel file e/o cartella?

[azioga]

Codice: Seleziona tutto

ls -al /etc/ssl/certs
totale 592
drwxr-xr-x 2 root root  16384 16 ago  2021  .
drwxr-xr-x 4 root root   4096 11 set 17.04  ..

il file viene aperto per un accesso di sola lettura.

Codice: Seleziona tutto

$ ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 200313 16 ago  2021 /etc/ssl/certs/ca-certificates.crt

verifica anche i parents ed eventualmente l'altra macchina che funziona.

ca-certificates.crt è generato dopo l'installazione di ca-certificates con update-ca-certificates
da questo script che se vuoi te lo leggi poi te

Codice: Seleziona tutto

#! /bin/sh
# postinst script for ca-certificates
#
# see: dh_installdeb(1)

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

set -e

each_value() {
 echo "$1" |tr ',' '\n' | sed -e 's/^[[:space:]]*//' 
}

memberp() {
 m="$1"
 l="$2"
 each_value "$l" | grep -q "^$m\$"
}

delca() {
 m="$1"
 l="$2"
 echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//'
}

case "$1" in
    configure)
        if [ ! -e /usr/local/share/ca-certificates ]; then
            if mkdir -m $(stat -L -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then
                chgrp $(stat -L -c %g /usr/local) /usr/local/share/ca-certificates
            fi
        # Handle upgrades and allow local admin to override:
        # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates
        elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then
            chmod $(stat -L -c %a /usr/local) /usr/local/share/ca-certificates || true
            chown $(stat -L -c %u /usr/local):$(stat -L -c %g /usr/local) /usr/local/share/ca-certificates || true
        fi

        . /usr/share/debconf/confmodule
	db_version 2.0
	db_capb multiselect
	db_metaget ca-certificates/enable_crts choices
	CERTS_AVAILABLE="$RET"
	db_get ca-certificates/enable_crts
	CERTS_ENABLED="$RET"
	# XXX unmark seen for next configuration
	db_fset ca-certificates/new_crts seen false
	db_stop || true
	if test -f /etc/ca-certificates.conf; then
	  # XXX: while in subshell?
	  while read line
	  do
	    if echo "$line" | grep -q '^#'; then
	     echo "$line"
	    else
	     case "$line" in
	     !*) ca=$(echo "$line" | sed -e 's/^!//');;
	     *)   ca="$line";;
	     esac
	     if memberp "$ca" "$CERTS_ENABLED"; then
	       echo "$ca"
	       # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED")
         elif memberp "$ca" "$CERTS_AVAILABLE" ||
              echo "$line" | grep -q '^!'; then
           echo "!$ca"
         elif [ -f /usr/share/ca-certificates/"$ca" ] || \
              [ -f /usr/local/share/ca-certificates/"$ca" ]; then
           echo "$ca"
	     else
	       echo "!$ca"
	     fi
	     # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE")
	    fi
	  done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new
	  if echo "$CERTS_ENABLED" | egrep -q "^([[:space:]]*,)*[[:space:]]*$"; then
	      :
	  else
	    each_value "$CERTS_ENABLED" | while read ca
 	    do
	      if grep -q "^$ca" /etc/ca-certificates.conf.dpkg-new; then
		  :
	      else
		  echo "$ca" >> /etc/ca-certificates.conf.dpkg-new
	      fi
            done
	  fi
	  each_value "$CERTS_AVAILABLE" | while read ca
	  do
	    if memberp "$ca" "$CERTS_ENABLED"; then
		:
	    elif grep -q "^!$ca" /etc/ca-certificates.conf.dpkg-new; then
	        :
	    else
		echo "!$ca" >> /etc/ca-certificates.conf.dpkg-new
	    fi
	  done
	  if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then
	    rm -f /etc/ca-certificates.conf.dpkg-new
	  else
	    mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old
	    mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf
	  fi
	else
	  # new file
	  cat > /etc/ca-certificates.conf <<EOF
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
EOF
	  (echo $CERTS_ENABLED | tr ',' '\n'; \
	   echo $CERTS_AVAILABLE | tr ',' '\n') | \
	    sed -e 's/^[[:space:]]*//' | \
	    sort | uniq -c | \
	    sed -e 's/^[[:space:]]*2[[:space:]]*//' \
	        -e 's/^[[:space:]]*1[[:space:]]*/!/' \
	    >> /etc/ca-certificates.conf
	fi
	# update /etc/ssl/certs without running the hooks
	# fix bogus symlink to ca-certificates.crt on upgrades; see
	# Debian #643667; drop after wheezy
	if dpkg --compare-versions "$2" lt-nl 20111025; then
	    update-ca-certificates --hooksdir "" --fresh
	else
	    update-ca-certificates --hooksdir ""
	fi
	# deferred update of /etc/ssl/certs including running the hooks
	dpkg-trigger --no-await update-ca-certificates
    ;;

    triggered)
	for trigger in $2; do
	    case "$trigger" in
		update-ca-certificates)
		    update-ca-certificates
		    ;;
		update-ca-certificates-fresh)
		    update-ca-certificates --fresh
		    ;;
		*)
		    echo "postinst called with unknown trigger \`$2'">&2
		    exit 1
		    ;;
	    esac;
	done;
	;;

    abort-upgrade|abort-remove|abort-deconfigure)

    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.



exit 0

[Chryses]

Trovato!
Tutti i file elencati e che stavamo guardando erano corretti, giusto il proprietario e il gruppo.
Ho però notato delle differenze, tra il mio e il server funzionante nei permessi dei file e delle cartelle in

Codice: Seleziona tutto

/etc/ssl

Ho impostato quindi gli stessi permessi e ora funziona, questi i permessi impostati:

Codice: Seleziona tutto

$ ls -lah /etc/ssl
total 52K
drwxr-xr-x   4 root root 4.0K Nov 25 22:23 .
drwxr-xr-x 120 root root  12K Dec 13 18:28 ..
drwxr-xr-x   2 root root  20K Dec 13 19:50 certs
-rw-r--r--   1 root root  11K Mar 23  2021 openssl.cnf
drwx------   2 root root 4.0K Nov 27 23:12 private

[azioga]

Perfetto!
L'abbiamo presa un po' larga, ma di certificati e chiavi non ne so mezza
Esperienza utile anche per me.
Metti [RISOLTO] modificando il titolo del tuo primo post se lo ritieni tale.

[Chryses]

A bhè si va a tentativi, come al solito!
Grazie per l'interessamento.