Great, it looks like whatever they changed in Chrome no longer trusts Kitten’s¹ local certificate authority (installed and trusted by the system trust store, as you’d do in a *spit* enterprise).

Applies to previously trusted and working certificates too.

(The directly related module is Auto Encrypt Localhost²)

Going to look into it today and see if I can’t find a workaround.

FFS…

¹ https://codeberg.org/kitten/app
² https://codeberg.org/small-tech/auto-encrypt-localhost

#web #tls #Chrome #Kitten #AutoEncryptLocalhost #SmallWeb

Right, well, first the good news: It doesn’t look like anything has changed in how Chrom(ium) handles certificates installed in the system trust store.

Now the bad news: I have no idea why the certificate authority that was previously trusted on my main development machine is now showing up as untrusted. Could a Fedora Silverblue update have broken it? Will keep looking into it.

🤔

#Kitten #AutoEncryptLocalhost #SmallWeb #Chrome #Chromium #tls #web #dev

So I figured out what the problem is: #Homebrew. Looks like at some point I installed something with brew that installed @python3.11 and @[email protected] – that installed ca-certificates and p11-kit via #brew and those messed up my system trust store. Similar to the issue I had with systemd as it looks like brew installed systemd for something as well.

(Remember, I’m on #FedoraSilverblue – an immutable OS, so I was trying out Brew as an account-level package manager. Turns out, not a great idea.)

@aral This encourages me to stick with my current approach: use toolbox for almost everything.

@kaffeetrinkr Yeah, I’ll be sticking to rust and go CLI apps whenever possible (installed via cargo and go) and, if I need to build something myself, toolbox.

@aral I’m not on Fedora Silverblue (but on another Linux distro), but I’ve long since come to the conclusion that brew on Linux does too many things. There’s already a working package manager for system level packages (like ca-certificates etc), and if, or rather when, I want/need to use different Python versions, I find that pyenv works well, especially with the pyenv-virtualenv plugin.

For most other language version shenanigans, I use asdf-vm.

@aral you can try #nix as an account level package manager. Yes, I know, nix is kind of a love or hate it thing, but it will never install anything system wide, everything is contained in the nix store and easy to get rid of if you figure you don't like it.

@aral You aren't using Pop!_OS or ElementaryOs anymore?

@svyaene Nope. Either is a fine choice but I’m very much enjoying the stability and predictability of Silverblue and the experience of vanilla GNOME.

@aral Is the package ca-certificates installed and linked to /etc/ssl/certs?

@jan Yep, ca-certificates is installed. Going to look into the configuration now :)

@jan Really odd… comparing the machine where it works with the one where it doesn’t:

- /etc/pki/ca-trust are same on both machines (inc. permissions)

- /etc/ssl/certs/ca-certificates.crt is symlinked to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on both

- On both, following shows the cert has been added correctly: cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | rg Local

However, only on the machine that works does this show the cert: trust list --filter=ca-anchors | rg Local

@aral I think you need to execute update-ca-trust or?

@jan Have done. I wonder if it’s not sticking for some reason. (And, oddly, it _stopped_ working so the CA _was_ trusted before.) Odd.

@jan (And, weirdly, curl has no trouble connecting using it. Neither does Firefox. It’s just Chrome.)

@aral Ah ok then some Chrome issue.

@aral Maybe you can try Chromium.

@jan Yeah, same issue in both. Very odd. But I feel the real issue is with the trust command not returning the cert. Going to look into it further. Thanks for talking it through with me :)

@jan In case you don’t see it: the culprit was… *drumroll* Homebrew 👀

https://mastodon.ar.al/@aral/110265146490051342

@aral Never used brew on Linux, interesting.
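
As an added example (not code from the thread or from Kitten), this script checks one way Homebrew-installed p11-kit could produce the symptom above: a second `trust` binary being found on PATH ahead of the distribution's. The PATH-shadowing mechanism and the `/usr/bin` location of the system tools are assumptions; the thread only says the brew packages interfered with the system trust store.

```sh
#!/bin/sh
# Added example (not from the thread): find out which copy of the trust-store
# tools a shell actually runs, and warn when it is not the distribution's own.
# Assumption: the distribution's copies live in /usr/bin, as on Fedora.

# resolve_all NAME PATHSTRING
# Print every executable NAME found on PATHSTRING, in lookup order.
# The body runs in a subshell so the IFS and noglob changes do not leak.
resolve_all() (
  IFS=:
  set -f
  for dir in $2; do
    if [ -n "$dir" ] && [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
      printf '%s\n' "$dir/$1"
    fi
  done
)

# shadow_of NAME PATHSTRING SYSTEM_DIR
# Print the copy that wins the lookup when it is not SYSTEM_DIR/NAME although
# SYSTEM_DIR/NAME exists; print nothing when the system copy wins or is absent.
# Paths are compared as strings, so a symlinked directory counts as different.
shadow_of() {
  _first=$(resolve_all "$1" "$2" | head -n 1)
  [ -n "$_first" ] || return 0
  [ "$_first" != "$3/$1" ] || return 0
  if [ -x "$3/$1" ]; then
    printf '%s\n' "$_first"
  fi
}

# Check the two commands used in the thread against the current PATH.
for cmd in trust update-ca-trust; do
  hit=$(shadow_of "$cmd" "$PATH" /usr/bin)
  if [ -n "$hit" ]; then
    printf 'WARNING: %s runs %s, not /usr/bin/%s\n' "$cmd" "$hit" "$cmd"
    resolve_all "$cmd" "$PATH" | sed 's/^/  candidate: /'
  fi
done
```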