A little off-topic: we currently have the same issue with one of our domains
(same server): domain a works perfectly and domain 2 fails with this message. To
repeat, both domains are on the same server!
Both certs were created identically from Let's Encrypt.
Kind greetings
Newcomer01
From: Paul Smith* Via Clamav-Users <mailto:[email protected]>
To: Newcomer01 <mailto:[email protected]>
CC: Paul Smith* <mailto:[email protected]>
Sent: Friday, October 10, 2025 at 15:56 (03:56 PM) +0200
Subject: Re: [clamav-users] Freshclam certificate verification failing on Windows
On 10/10/2025 14:20, Val Snyder (micasnyd) via clamav-users wrote:
> The certs directory in 1.5.0 only has the root certificate for verifying ClamAV
> signature database (.cvd and .cdiff) digital signatures.
> Perhaps we could add the "GTS Root R4" root certificate if that is needed?
> I saw an issue with freshclam SSL certificate checks failing on just one of our
> Windows devices, an ARM64 Windows 11 device. I haven't seen it fail elsewhere,
> but perhaps some other software, like an openssl installation, added the
> certificate in advance of our testing.
On my PC it works, because the GTS Root R4 certificate is in the store. Some
others are failing. I tried with a fresh (but fully updated) Windows 11 for
problem solving, and that failed, because the root certificate is missing. I'm
not sure what added the root cert to my PC. I have the OpenSSL toolkit
installed as well as lots of other 'techie' software, so it could have been
anything.
(It's possible that Windows updates its root certificates some other way than
via the normal update process, but I can't see anything)
This is an extract from the output of 'freshclam -v' on the fresh Win11 install:
--------------------
downloadFile: Download destination: .\clamav-b0e33f8c3dd63515c24f229911cd129d.tmp
* Host database.clamav.net:443 was resolved.
* IPv6: (none)
* IPv4: 104.18.203.90, 104.17.196.15
* Trying 104.18.203.90:443...
Certificate loaded from Windows certificate store: Microsoft Root Certificate Authority
Certificate loaded from Windows certificate store: Thawte Timestamping CA
Certificate loaded from Windows certificate store: Microsoft Root Authority
Certificate loaded from Windows certificate store: Symantec Enterprise Mobile Root for Microsoft
Certificate loaded from Windows certificate store: Microsoft Root Certificate Authority 2011
Certificate loaded from Windows certificate store: Microsoft Authenticode(tm) Root
Certificate loaded from Windows certificate store: Microsoft Root Certificate Authority 2010
Certificate loaded from Windows certificate store: Microsoft ECC TS Root Certificate Authority 2018
Certificate loaded from Windows certificate store: Microsoft Timestamp Root
Certificate loaded from Windows certificate store: VeriSign Time Stamping CA
Certificate loaded from Windows certificate store: Microsoft ECC Product Root Certificate Authority 2018
Certificate loaded from Windows certificate store: Microsoft Time Stamp Root Certificate Authority 2014
Certificate loaded from Windows certificate store: DigiCert Global Root G2
Certificate loaded from Windows certificate store: DigiCert Baltimore Root
Certificate loaded from Windows certificate store: Sectigo (AAA)
Certificate loaded from Windows certificate store: ISRG Root X1
Certificate loaded from Windows certificate store: DigiCert
Certificate loaded from Windows certificate store: DigiCert Global Root G3
Certificate loaded from Windows certificate store: VeriSign Class 3 Public Primary CA
Certificate loaded from Windows certificate store: Sectigo
* ALPN: curl offers h2,http/1.1
* SSL certificate problem: unable to get local issuer certificate
---------------------------
On my PC, the GTS Root R4 is there (as well as many more), eg:
Certificate loaded from Windows certificate store: Go Daddy Root Certificate Authority – G2
Certificate loaded from Windows certificate store: SECOM Trust Systems CO LTD
Certificate loaded from Windows certificate store: VeriSign Universal Root Certification Authority
Certificate loaded from Windows certificate store: Atos TrustedRoot 2011
Certificate loaded from Windows certificate store: Sectigo
Certificate loaded from Windows certificate store: GTS Root R4
Certificate loaded from Windows certificate store: Go Daddy Class 2 Certification Authority
Certificate loaded from Windows certificate store: Entrust Root Certification Authority - EC1
Certificate loaded from Windows certificate store: GlobalSign ECC Root CA - R5
Paul
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
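
The comparison made by eye in the thread, between the 'freshclam -v' extract from the failing install and the one from the working PC, can be scripted. The following is an added example, not part of the original messages and not ClamAV code: the function names are hypothetical, the two sample logs are constructed (abridged from the extracts quoted above), and the rule for rejoining wrapped certificate names is a heuristic.

```python
PREFIX = "Certificate loaded from Windows certificate store:"
VERIFY_ERROR = "SSL certificate problem: unable to get local issuer certificate"
# Constructed samples, abridged from the two extracts quoted in the thread.
FAILING_LOG = """\
Certificate loaded from Windows certificate store: Microsoft Root Certificate
Authority 2011
Certificate loaded from Windows certificate store: ISRG Root X1
* ALPN: curl offers h2,http/1.1
* SSL certificate problem: unable to get local issuer certificate
"""
WORKING_LOG = """\
Certificate loaded from Windows certificate store: ISRG Root X1
Certificate loaded from Windows certificate store: GTS Root R4
Certificate loaded from Windows certificate store: Entrust Root Certification
Authority - EC1
* ALPN: curl offers h2,http/1.1
"""

def _is_continuation(line):
    # Heuristic (assumption): a wrapped name has no "key: value" shape, is not a
    # curl "* ..." line and is not a row of dashes used as a separator.
    return bool(line) and not line.startswith("*") and ":" not in line and set(line) != {"-"}

def loaded_roots(log_text):
    """Return the set of certificate names freshclam reported loading."""
    roots, current = set(), None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(PREFIX):
            if current is not None:
                roots.add(current.strip())
            current = line[len(PREFIX):].strip()
        elif current is not None and _is_continuation(line):
            current += " " + line          # rejoin a name wrapped onto the next line
        elif current is not None:
            roots.add(current.strip())
            current = None
    if current is not None:
        roots.add(current.strip())
    return roots

def diagnose(log_text, required_root):
    flat = " ".join(log_text.split())      # tolerate wrapping inside the error line
    return {"verify_failed": VERIFY_ERROR in flat,
            "root_loaded": required_root in loaded_roots(log_text)}

def roots_missing_from(failing_log, working_log):
    # Roots the working host loaded that the failing host did not.
    return sorted(loaded_roots(working_log) - loaded_roots(failing_log))
```

Run against full 'freshclam -v' captures from two hosts, roots_missing_from() lists the trust-store differences, and diagnose() confirms whether a given root such as GTS Root R4 was loaded before the verification error.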