Saturday, April 27, 2024
rated 0 times [  14] [ 0]  / answers: 1 / hits: 60928  / 2 Years ago, wed, may 11, 2022, 10:02:13

When trying to curl or git clone something over HTTPS as a regular user, it fails with the error:



fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)


Note: If I run the commands as root, it works fine, but root should not be the only user able to communicate over SSL.



So I think to myself, ok, what's curl doing behind the scenes:



$ GIT_CURL_VERBOSE=1 git clone https://github.com/mikemackintosh/xxx
Cloning into 'xxx'...
* Couldn't find host github.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
* Trying 192.30.252.130...
* Connected to github.com (192.30.252.130) port 443 (#0)
* error reading ca cert file /etc/ssl/certs/ca-certificates.crt (Error while reading file.)
* Closing connection 0
fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)


As a result, we are able to confirm the ca-certificate file is /etc/ssl/certs/ca-certificates.crt, which matches curl-config --ca output.



The next step is to try and read the file. As just a plain-old, non-root user:



$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: Permission denied


Now that seems strange.



$ sudo ls -la /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 273790 Jun 15 22:35 /etc/ssl/certs/ca-certificates.crt

$ sudo lsattr /etc/ssl/certs/ca-certificates.crt
-------------e-- /etc/ssl/certs/ca-certificates.crt


So looking at the permissions, it is world-readable. There should be no problem accessing it. No crazy attributes preventing access.



Doing an ls -la /etc/ssl/certs/ returns:



...
l????????? ? ? ? ? ? Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
l????????? ? ? ? ? ? VeriSign_Universal_Root_Certification_Authority.pem
l????????? ? ? ? ? ? Visa_eCommerce_Root.pem
l????????? ? ? ? ? ? WellsSecure_Public_Root_Certificate_Authority.pem
l????????? ? ? ? ? ? WoSign_China.pem
l????????? ? ? ? ? ? WoSign.pem
...


If I run a sudo cat /etc/ssl/certs/ca-certificates.pem, it spits out the contents as expected.



Oh, this is for sure a permissions issue.



Doing some googling, I've found that there is an ssl-cert group, but this group does not have rights to the /etc/ssl/certs directory.



Ruled out apparmor, ruled out disk corruption, there is no improvement if I run update-ca-certificates (w/wo -f), etc.



Has anyone seen this behavior?



I have never seen anything like this before, but I have duplicated it on two separate machines. As a note, I do come from a CentOS/RHEL background, so this could be normal behavior for Ubuntu, but I'd love to find out a real solution.



 Answers

Run namei -mo /etc/ssl/certs/ca-certificates.crt. Match its output to the following:



f: /etc/ssl/certs/ca-certificates.crt
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-xr-x root root certs
-rw-r--r-- root root ca-certificates.crt


You can use chmod and chown to get everything back to the correct settings:




  • sudo chown root / && sudo chown root /etc/ && sudo chown root /etc/ssl/ && sudo chown root /etc/ssl/certs/ && sudo chown root /etc/ssl/certs/ca-certificates.crt

  • sudo chmod 755 /

  • sudo chmod 755 /etc/

  • sudo chmod 755 /etc/ssl/

  • sudo chmod 755 /etc/ssl/certs

  • sudo chmod 644 /etc/ssl/certs/ca-certificates.crt


[#19533] Friday, May 13, 2022
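
The comparison the answer does by eye with namei, as an added shell example that is not part of the original answer: it walks the path and prints the first component whose "other" permission bits deny access. It assumes GNU stat (as on Ubuntu) and a user who is neither the owner nor in the group; the function name and the optional BASE argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (coreutils).
# Prints the first path component, walking down from BASE (default /), whose
# "other" bits would stop a user who is neither owner nor group member:
# every directory needs o+x (search), the final file needs o+r.
first_blocking_component() {
    target=$1
    base=${2:-/}
    # Build the ancestor chain, shallowest first, one path per line.
    chain=$target
    p=$target
    while [ "$p" != "$base" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done
    printf '%s\n' "$chain" | while IFS= read -r c; do
        # -L follows symlinks so the mode of the real file is checked.
        mode=$(stat -L -c '%a' "$c" 2>/dev/null) || { echo "$c cannot-stat"; break; }
        other=${mode#"${mode%?}"}     # last octal digit = "other" bits
        if [ -d "$c" ]; then
            need=1; label='o+x'       # search permission on a directory
        else
            need=4; label='o+r'       # read permission on the file
        fi
        if [ $((other & need)) -eq 0 ]; then
            echo "$c $mode needs $label"
            break
        fi
    done
}

# Default to the CA bundle path from the question; no output means every
# component is traversable and the file is world-readable.
first_blocking_component "${1:-/etc/ssl/certs/ca-certificates.crt}"
```

A directory that grants a user read but not search permission produces the `l?????????` listing shown in the question: the names can be listed, but the entries cannot be stat'ed.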