> Hi there,
> 
> On Fri, 25 Feb 2022, fergus mcmenemie wrote:
> 
>> Hi - first posting here
> 
> Welcome. :)
> 
>> Brand new install of clamav ...
> Exactly which version, installed from what (package, tarball, ...)?
Version clamav-0.103.5 from a tarball on a Mac running 10.13.6. I build
everything from tarballs. I tried clamav-0.104.2 but I just could not get
cmake + ncurses to build; why on earth has ncurses been added to clamav?

With your hints, particularly your "it's at your end", I eventually went
looking for exactly where curl (curl-7.81.0) was fetching its authoritative
list of root certs from. It is a Mac so it could have been coming from the
keychain. Running

   freshclam --verbose --debug

made it appear curl was accessing a list of root certs from somewhere.
However, this was not the case. After discovering

   curl-config --ca

it revealed there was no curl default root store. I had to recompile curl with 

   ./configure --with-openssl --without-libssh2 --disable-ldap --disable-ldaps \
   --with-ca-bundle=/usr/local/openssl/certs/cacert.pem

Freshclam then worked a charm. The file cacert.pem was freshly fetched from
the internet.

>> first thing I ran was "sudo freshclam" which gave the following.
> So I assume it's Linux, but which distribution/version?  They aren't
> all created equal when it comes to certificates. :/
> 
>> ...
>> WARNING: Download failed (60) WARNING:  Message: SSL peer certificate or SSH 
>> remote key was not OK
>> ...
> 
> This happens only occasionally.  It's most unlikely to be a problem at
> the servers because if it were, this list would quickly go ballistic.

The expired certs were due to confusion from the tooling. I had used the
following to investigate my issue

   openssl s_client -connect database.clamav.net:443 \
                    -CAfile=/usr/local/packages3/downloads/cacert.pem

which reported the invalid certs. However, while you can normally get away
with that, in this case I should have used the following to cope with
Cloudflare weirdness.

   openssl s_client -connect database.clamav.net:443 \
                    -CAfile=/usr/local/packages3/downloads/cacert.pem \
                    -servername database.clamav.net

This reported the cert was fine.

Thanks Ged.
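
Added example (not part of the original message, and not ClamAV or curl project code): a shell triage script for the two checks described above, whether curl has a compiled-in CA bundle and whether the server chain verifies when SNI is sent. The function names are hypothetical; the host is the one named in the post.

```shell
#!/bin/sh
# Added example: triage for freshclam "Download failed (60)".
# Function names are hypothetical; the host is the one named in the post.

# Classify the path printed by `curl-config --ca` (empty = no built-in bundle).
ca_bundle_status() {
    bundle=$1
    if [ -z "$bundle" ]; then
        echo none
    elif [ ! -r "$bundle" ]; then
        echo missing
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo empty
    else
        echo ok
    fi
}

# Read s_client output on stdin, print the last numeric "Verify return code".
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Verify the chain against the bundle, sending SNI (-servername), which the
# post found was needed to get a correct result for this host.
probe_with_sni() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        </dev/null 2>/dev/null | verify_code
}

triage() {
    host=${1:-database.clamav.net}
    bundle=$(curl-config --ca 2>/dev/null)
    status=$(ca_bundle_status "$bundle")
    echo "curl CA bundle: ${bundle:-<none>} ($status)"
    [ "$status" = ok ] || return 1
    code=$(probe_with_sni "$host" "$bundle")
    echo "openssl verify return code with SNI: ${code:-<no handshake>}"
    [ "$code" = 0 ]
}

# Network checks run only on request: sh triage.sh --run [host]
if [ "${1:-}" = "--run" ]; then
    shift
    triage "$@"
fi
```

A status of "none" corresponds to the situation in the post, where curl had been built without --with-ca-bundle.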

