Reply to Message

View discussion in a popup

Replying to:
admin
Immortal
Immortal

Here's the relevant error from Player's log:

2014-06-17T12:58:07.035+02:00| player| I120: CDS: Using NONE proxy :0 for https://softwareupdate.vmware.com/cds/index.xml.
2014-06-17T12:58:07.528+02:00| player| I120: SSL_SetVerifyCb: ctx=7F75EBF780C0 func=7F75DA251180 data=7F75EBC732B0
2014-06-17T12:58:07.573+02:00| player| I120: SSL_GetCertErrors: OpenSSL internal validation failed! state->errors is 1152
2014-06-17T12:58:07.573+02:00| player| A115: Software Updates: SSL certificate errors: 0x480
2014-06-17T12:58:07.573+02:00| player| A115: Software Updates: Cert error: A certificate in the host's chain is explicitly not trusted.
2014-06-17T12:58:07.573+02:00| player| A115: Software Updates: Cert error: A certificate in the host's chain is based on an untrusted root.
2014-06-17T12:58:07.575+02:00| player| I120: CDS: cURL error: Peer certificate cannot be authenticated with known CA certificates (60)
2014-06-17T12:58:07.575+02:00| player| I120: CDS: Change client state to CDS_HTTP_CERTIFICATE_ERROR, 0 bulletins available

The first "Cert error" line maps to OpenSSL's X509_V_ERR_CERT_UNTRUSTED error. The second "Cert error" line maps to X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT. The documentation for X509_V_ERR_CERT_UNTRUSTED isn't very helpful:

the root CA is not marked as trusted for the specified purpose.

Fortunately, the description of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT is a bit more helpful:

the issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

Normally, Debian rolls the contents of /etc/ssl/certs up into /etc/ssl/certs/ca-certificates.crt (essentially, it just cats them all together into one big file), but perhaps something went wrong when it attempted to do this. Is the contents of Baltimore_CyberTrust_Root.pem present in /etc/ssl/certs/ca-certificates.crt?

Reply
0 Kudos