GNOME Bugzilla – Bug 797078
Website certificate error: gstreamer.freedesktop.org
Last modified: 2018-11-03 10:24:43 UTC
I am using Cerbero with the command `./cerbero-uninstalled package gstreamer-1.0` I get an error: [(65/80) spandsp -> fetch ] -----> Fetching tarball http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz to /home/ding/github/gstreamer/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz Downloading http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz Running command 'wget http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz -O /home/ding/github/gstreamer/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz ' --2018-09-04 15:46:28-- http://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz Resolving www.soft-switch.org (www.soft-switch.org)... 209.105.235.30 Connecting to www.soft-switch.org (www.soft-switch.org)|209.105.235.30|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz [following] --2018-09-04 15:46:28-- https://www.soft-switch.org/downloads/spandsp/spandsp-0.0.6.tar.gz Connecting to www.soft-switch.org (www.soft-switch.org)|209.105.235.30|:443... connected. ERROR: cannot verify www.soft-switch.org's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’: Unable to locally verify the issuer's authority. To connect to www.soft-switch.org insecurely, use `--no-check-certificate'. Downloading https://gstreamer.freedesktop.org/src/mirror/spandsp-0.0.6.tar.gz Running command 'wget https://gstreamer.freedesktop.org/src/mirror/spandsp-0.0.6.tar.gz -O /home/ding/github/gstreamer/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz ' --2018-09-04 15:46:29-- https://gstreamer.freedesktop.org/src/mirror/spandsp-0.0.6.tar.gz Resolving gstreamer.freedesktop.org (gstreamer.freedesktop.org)... 131.252.210.176, 2610:10:20:722:a800:ff:feda:470f Connecting to gstreamer.freedesktop.org (gstreamer.freedesktop.org)|131.252.210.176|:443... connected. ERROR: cannot verify gstreamer.freedesktop.org's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’: Unable to locally verify the issuer's authority. To connect to gstreamer.freedesktop.org insecurely, use `--no-check-certificate'. Recipe 'spandsp' failed at the build step 'fetch' Select an action to proceed: [0] Enter the shell [1] Rebuild the recipe from scratch [2] Rebuild starting from the failed step [3] Skip recipe [4] Abort
You probably need to update your distribution. It seems it's lacking a recent copy of the certificate roots.
Both soft-switch and gstreamer.fdo have valid certificates. That being said, did we backport the fix to prevent using the locally built gnutls/openssl to the 1.14 branch ?
I ran into the same issue. When called through cerbero, wget fails to download the spandsp tarball. But, when running wget in the terminal directly, it succeeds: $ wget https://gstreamer.freedesktop.org/src/mirror/spandsp-0.0.6.tar.gz -O /home/ihalip/Projects/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz --2018-10-28 12:12:21-- https://gstreamer.freedesktop.org/src/mirror/spandsp-0.0.6.tar.gz Resolving gstreamer.freedesktop.org (gstreamer.freedesktop.org)... 131.252.210.176, 2610:10:20:722:a800:ff:feda:470f Connecting to gstreamer.freedesktop.org (gstreamer.freedesktop.org)|131.252.210.176|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 3309837 (3,2M) [application/x-gzip] Saving to: ‘/home/ihalip/Projects/cerbero/build/sources/local/spandsp-0.0.6/spandsp-0.0.6.tar.gz’ [....]
This is happening because the system wget is using the openssl libraries in $CERBERO/build/dist/$SYSTEM/lib, which have the value for OPENSSLDIR derived from --prefix=... . In my case, OPENSSLDIR as seen here is not even created: ihalip@ihalip-pc:~/Projects/cerbero/build/dist/linux_x86_64/bin$ LD_LIBRARY_PATH=../lib ./openssl version -a OpenSSL 1.1.1 11 Sep 2018 built on: Sun Oct 28 09:37:19 2018 UTC platform: linux-x86_64 options: bn(64,64) md2(char) rc4(8x,int) des(int) idea(int) blowfish(ptr) compiler: gcc -Wall -g -O2 -m64 -Wall -g -O2 -m64 -fPIC -pthread -m64 -Wa,--noexecstack -Wall -g -O2 -m64 -Wall -g -O2 -m64 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG OPENSSLDIR: "/home/ihalip/Projects/cerbero/build/dist/linux_x86_64/ssl" ENGINESDIR: "/home/ihalip/Projects/cerbero/build/dist/linux_x86_64/lib/engines-1.1" Seeding source: os-specific It's possible to reuse the system's openssl directory in multiple ways (passing it to openssl's Configure, or symlinking $CERBERO_PREFIX/ssl to it, or passing it to wget directly) but this requires the openssl binary to be installed on the build machine - to tun `openssl version -d`.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/gstreamer/cerbero/issues/74.