AUR (en) - ca-certificates-fnmt

Search Criteria

Enter search criteria

Search by

Keywords

Out of Date

Sort by

Sort order

Per page

Package Details: ca-certificates-fnmt 20250406-1

Package Actions

Git Clone URL:	https://aur.archlinux.org/ca-certificates-fnmt.git (read-only, click to copy)
Package Base:	ca-certificates-fnmt
Description:	Spanish Fabrica Nacional de Moneda y Timbre (FNMT) y Real Casa de la Moneda (RCM) certificates
Upstream URL:	https://www.sede.fnmt.gob.es
Licenses:	unknown
Submitter:	blackleg
Maintainer:	sl1pkn07
Last Packager:	sl1pkn07
Votes:	19
Popularity:	0.000156
First Submitted:	2015-10-02 20:07 (UTC)
Last Updated:	2025-04-06 13:26 (UTC)

Dependencies (2)

Required by (2)

Sources (38)

Latest Comments

1 2 3 4 5 6 Next › Last »

poinu commented on 2025-04-05 17:51 (UTC) (edited on 2025-04-05 17:55 (UTC) by poinu)

Thanks @sl1pkn07 for maintaining this package, it's very helpful.

As someone else posted, I also get the following curl error while trying to download the certificates:

curl: (60) SSL certificate problem: unable to get local issuer certificate

I've investigated a bit and the issue is caused by the following: The package gets all the FNMT certs from https://www.sede.fnmt.gob.es, but the website itself is reached through HTTPS, and it is signed with a certificate chain.

The certificate chain is composed with: AC RAIZ FNMT-RCM > AC Componentes Informáticos > www.sede.fnmt.gob.es (server cert)

'AC RAIZ FNMT-RCM' is provided by the ca-certificates-mozilla package and will most likely be found in your system CA certs. The server cert for www.sede.fnmt.gob.es is provided by the webserver serving the page, but the webserver doesn't provide the intermediate certificate ('AC Componentes Informáticos'), and curl fails to verify the server certificate and gives the previous error.

The browsers don't give an error because they are able to obtain the intermediate certificate through the AIA (Authority Information Access) extension, which tells them where to download the missing intermediate certificate. Curl, however, doesn't do this automatically.

In this case the server certificate contains the following AIA details:

            Authority Information Access: 
                OCSP - URI:http://ocspcomp.cert.fnmt.es/ocsp/OcspResponder
                CA Issuers - URI:http://www.cert.fnmt.es/certs/ACCOMP.crt

From this we can pull the intermediate cert ACCOMP.crt (through HTTP!) and use that to complete the certificate chain. Note that ACCOMP.crt is nothing but the cert for 'AC Componentes Informáticos' which is also downloaded by this package, they have the exact same SHA sum.

Once we have the cert we can extract the pem with the following command:

openssl x509 -in ACCOMP.crt -out ACCOMP.pem

And make it available to curl it to curl with:

CURL_CA_BUNDLE=./ACCOMP.pem curl ...

with which it should no longer fail.

As per the changes required to fix this in the PKGBUILD, we should probably add ca-certificates-mozilla package as a dependency (to make sure the root cert is in the CA), and download and install ACCOMP.pem from http://www.cert.fnmt.es/certs/ before trying to download any other certs, but I don't know what would be the best way to achieve this (maybe playing with DLAGENTS?).

pmestre commented on 2024-12-20 12:11 (UTC) (edited on 2024-12-20 12:14 (UTC) by pmestre)

Working as today sha256sums=(

'ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa'

'601293ca20b09a03295d196256c6953ff9eba811db8e3ce140413c1bffe9a869'

'8fd16a179944d5d1d420af09405eda7abf2a9c742883e8c2f89e0d90afaf754b'

'830ff205ae69485059c3fb2376a7f2f9ee1c2a61de259dd09d0bb6ad69f88832'

'f038421f07f20d63a20d3691e5a178ab8459ebe570c1647b7690554ef23876ab'

'8265756dd5cd8a37ee61e40351288e4b16a89dd248c1ec4eba25aaf161abf498'

'9ce630b35f8ae2c6419e734ad9d2fa30476dd9e7394b1e93b27f83f776a024ea'

'554153b13d2cf9ddb753bfbe1a4e0ae08d0aa4187058fe60a2b862b2e4b87bcb'

'1edb6bd91274882db795bfc514f8aabe10ad955cbccfd3fd5a5b5febb2ce5b68'

'9ff23cb9387b9e0083bd5aa1954eeddf792890aa8e67cd4d38dd28af4a439ad8'

'19001c4ba4846d17809b25f90a94d1cab20a86777968737ce4b34bb9d7eae078'

'5320d7a5dfc8023cedb0c233363a318eb1daa3d35d02b5d986dca2b5b98393b3'

'9dd74806fd1e3ed1cf65cf04764f034e7e04bf23c753f2aff3c749cd45227f11'

'4c7d254f258cb71db48d17f6134e7e8d8b47a5f886bd85f397bd47a2750297f2'

'e40f1d8891bbe0243306e70f4c0d34199f788958be1e40261b3ab4b957382c29'

'988a86178185162999bb6f0ade55c3ff0047b58ba0088f0e308e194456cf22d2'

'b1ae56dfacbb14838b9208567a8952ef977ea5ae61609dc4dd1140f4ac8b60e3'

'f91deaa0faef3bd9d2c9764ab9b14d17ce69427f785a1bf76d38222660976619'

'10f54909204a9ec23e9e9317739a521499018ed5316fdae6a7367ac00d5a5660'

'b03f7cc682d2f0a7c1d195692cc0de4c35ad017294955d35f6eb743fe78595f3'

'fcfd3df490b9a21b3fad582011a2e6d039561796ac5d850d01b65ac5dda4a3e9'

'baf597d97d16bc697f8eb2a1e20ce68c08ad11024f9b1f5264271c1525eeb500'

)

marcosag commented on 2024-12-11 16:38 (UTC)

I get this errors: curl: (60) SSL peer certificate or SSH remote key was not OK More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the webpage mentioned above.

bike-bill commented on 2024-09-28 22:50 (UTC) (edited on 2024-09-28 22:51 (UTC) by bike-bill)

Here is a working set as of 2024 Sept 24: