Aral Balkan
Great, it looks like whatever they changed in Chrome no longer trusts Kitten’s¹ local certificate authority (installed and trusted by the system trust store, as you’d do in a *spit* enterprise).
Applies to previously trusted and working certificates too.
(The directly related module is Auto Encrypt Localhost²)
Going to look into it today and see if I can’t find a workaround.
FFS…
¹ https://codeberg.org/kitten/app
² https://codeberg.org/small-tech/auto-encrypt-localhost
Aral Balkan
Right, well, first the good news: It doesn’t look like anything has changed in how Chrom(ium) handles certificates installed in the system trust store.
Now the bad news: I have no idea why the certificate authority that was previously trusted on my main development machine is now showing up as untrusted. Could a Fedora Silverblue update have broken it? Will keep looking into it.
🤔
#Kitten #AutoEncryptLocalhost #SmallWeb #Chrome #Chromium #tls #web #dev
Aral Balkan
@jan Yep, ca-certificates is installed. Going to look into the configuration now :)
Jan
@aral Is the package ca-certificates installed and linked to /etc/ssl/certs?
Aral Balkan
@jan Really odd… comparing the machine where it works with the one where it doesn’t:
- /etc/pki/ca-trust are same on both machines (inc. permissions)
- /etc/ssl/certs/ca-certificates.crt is symlinked to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on both
- On both, following shows the cert has been added correctly: cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | rg Local
However, only on the machine that works does this show the cert: trust list --filter=ca-anchors | rg Local
Aral Balkan
@jan Have done. I wonder if it’s not sticking for some reason. (And, oddly, it _stopped_ working so the CA _was_ trusted before.) Odd.
Jan
@aral I think you need to execute update-ca-trust or?
Aral Balkan
@jan (And, weirdly, curl has no trouble connecting using it. Neither does Firefox. It’s just Chrome.)
Aral Balkan
@jan Yeah, same issue in both. Very odd. But I feel the real issue is with the trust command not returning the cert. Going to look into it further. Thanks for talking it through with me :)
Jan
@aral Maybe you can try Chromium.
Jan
@aral Ah ok then some Chrome issue.
Aral Balkan
So I figured out what the problem is: #Homebrew. Looks like at some point I installed something with brew that installed @python3.11 and @openssl@1.1 – that installed ca-certificates and p11-kit via #brew and those messed up my system trust store. Similar to the issue I had with systemd as it looks like brew installed systemd for something as well.
(Remember, I’m on #FedoraSilverblue – an immutable OS, so I was trying out Brew as an account-level package manager. Turn out, not a great idea.)
Aral Balkan
@jan In case you don’t see it: the culprit was… *drumroll* Homebrew 👀
screenbeard :Kinoite:
@aral every problem I've ever had with Linux has been some variation on "I'll install this thing that looks interesting. Oh, it requires a different version of Python than I have running. Oh, now nothing works and my machine no longer boots".
Aral Balkan
@screenbeard Hahaha, too true :) Which is a problem I hadn’t had with Silverblue until I decided to mess with brew :)
Aral Balkan
@kaffeetrinkr Yeah, I’ll be sticking to rust and go CLI apps whenever possible (installed via cargo and go) and, if I need to build something myself, toolbox.
Kaffeetrinkr
@aral
This encourages me to stick with my current approach use toolbox for almost everything.
Sebastian
@aral You aren't using Pop!_OS or ElementaryOs anymore?
Aral Balkan
@svyaene Nope. Either is a fine choice but I’m very much enjoying the stability and predictability of Silverblue and the experience of vanilla GNOME.
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.