aral,
@aral@mastodon.ar.al

Great, it looks like whatever they changed in Chrome no longer trusts Kitten’s¹ local certificate authority (installed and trusted by the system trust store, as you’d do in a spit enterprise).

Applies to previously trusted and working certificates too.

(The directly related module is Auto Encrypt Localhost²)

Going to look into it today and see if I can’t find a workaround.

FFS…

¹ https://codeberg.org/kitten/app
² https://codeberg.org/small-tech/auto-encrypt-localhost

#web #tls #Chrome #Kitten #AutoEncryptLocalhost #SmallWeb

aral,
@aral@mastodon.ar.al

Right, well, first the good news: It doesn’t look like anything has changed in how Chrom(ium) handles certificates installed in the system trust store.

Now the bad news: I have no idea why the certificate authority that was previously trusted on my main development machine is now showing up as untrusted. Could a Fedora Silverblue update have broken it? Will keep looking into it.

🤔

#Kitten #AutoEncryptLocalhost #SmallWeb #Chrome #Chromium #tls #web #dev

jan,
@jan@toot.io

@aral Is the package ca-certificates installed and linked to /etc/ssl/certs?

aral,
@aral@mastodon.ar.al

@jan Yep, ca-certificates is installed. Going to look into the configuration now :)

aral,
@aral@mastodon.ar.al

@jan Really odd… comparing the machine where it works with the one where it doesn’t:

  • /etc/pki/ca-trust is the same on both machines (inc. permissions)

  • /etc/ssl/certs/ca-certificates.crt is symlinked to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on both

  • On both, the following shows the cert has been added correctly: cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | rg Local

However, only on the machine that works does this show the cert: trust list --filter=ca-anchors | rg Local

jan,
@jan@toot.io

@aral I think you need to execute update-ca-trust or?

aral,
@aral@mastodon.ar.al

@jan Have done. I wonder if it’s not sticking for some reason. (And, oddly, it stopped working so the CA was trusted before.) Odd.

aral,
@aral@mastodon.ar.al

@jan (And, weirdly, curl has no trouble connecting using it. Neither does Firefox. It’s just Chrome.)

jan,
@jan@toot.io

@aral Ah ok then some Chrome issue.

jan,
@jan@toot.io

@aral Maybe you can try Chromium.

aral,
@aral@mastodon.ar.al

@jan Yeah, same issue in both. Very odd. But I feel the real issue is with the trust command not returning the cert. Going to look into it further. Thanks for talking it through with me :)

aral,
@aral@mastodon.ar.al

@jan In case you don’t see it: the culprit was… drumroll Homebrew 👀

https://mastodon.ar.al/@aral/110265146490051342

jan,
@jan@toot.io

@aral Never used brew on Linux, interesting.

aral,
@aral@mastodon.ar.al

So I figured out what the problem is: #Homebrew. Looks like at some point I installed something with brew that installed @python3.11 and @openssl – that installed ca-certificates and p11-kit via #brew and those messed up my system trust store. Similar to the issue I had with systemd as it looks like brew installed systemd for something as well.

(Remember, I’m on #FedoraSilverblue – an immutable OS, so I was trying out Brew as an account-level package manager. Turns out, not a great idea.)
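
A quick check for the situation described in the post above, as an added example that is not from the thread: it lists trust-store tools whose first match on PATH lies outside the system binary directories, which is where copies installed by an account-level package manager end up. The function name, the set of system directories and the list of tool names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find trust-store tools that are
# shadowed on PATH by a copy outside the system binary directories.
# Assumption: system binaries live in /usr/bin, /usr/sbin, /bin or /sbin.

# shadowed_tools PATH_STRING TOOL...
# Prints the first PATH match of each tool when it is not a system path.
# The body runs in a subshell so the IFS and globbing changes do not leak.
shadowed_tools() (
    search_path=$1
    shift
    set -f          # no glob expansion while splitting the path
    IFS=:           # split the path on colons
    for tool in "$@"; do
        first=
        for dir in $search_path; do
            [ -n "$dir" ] || continue
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                first=$dir/$tool
                break
            fi
        done
        case $first in
            ''|/usr/bin/*|/usr/sbin/*|/bin/*|/sbin/*) ;;   # absent or system copy
            *) printf '%s\n' "$first" ;;                    # shadowing copy
        esac
    done
)

# Tools named in the thread, plus p11-kit, which the post says brew installed.
shadowed_tools "$PATH" trust update-ca-trust p11-kit openssl
```

Any path it prints is the copy that a bare `trust` or `update-ca-trust` invocation actually runs, so the output of `trust list --filter=ca-anchors` comes from that copy rather than from the system one.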

kaffeetrinkr,

@aral
This encourages me to stick with my current approach: use toolbox for almost everything.

frost,

@aral I’m not on Fedora Silverblue (but on another Linux distro), but I’ve since long come to the conclusion that I think brew on Linux does too many things. There’s already a working package manager for system level packages (like ca-certificates etc), and if, or rather when, I want/need to use different Python versions, I find that pyenv works well, especially with the pyenv-virtualenv plugin.

For most other language version shenanigans, I use asdf-vm.

ck,

@aral you can try #nix as an account level package manager. Yes, I know, nix is kind of a love or hate it thing, but it will never install anything system wide, everything is contained in the nix store and easy to get rid of if you figure you don't like it.

svyaene,

@aral You aren't using Pop!_OS or ElementaryOs anymore?

aral,
@aral@mastodon.ar.al

@svyaene Nope. Either is a fine choice but I’m very much enjoying the stability and predictability of Silverblue and the experience of vanilla GNOME.

screenbeard,

deleted_by_author

  • aral,
    @aral@mastodon.ar.al

    @screenbeard Hahaha, too true :) Which is a problem I hadn’t had with Silverblue until I decided to mess with brew :)

    billday,

    @aral Yet another reason to use Firefox.
