On Opensuse tumbleweed the following persistent error
Download error (curl) for ‘https://brave-browser-rpm-release.s3.brave.com/x86_64/repodata/repomd.xml’:
Error Code: Loop Error 60
Error message: SSL certificate problem: Unable to get local issuer certificate
Is this due to the passage of certificates in 4096 bits recently?
This error is blocking for updates.
Hello there @sylvainM please accept my apologies for this issue. Could you please try installing the update from our release channel?
@Kevin_cc
yes it’s already done since that’s how I installed Brave.
zypper up
returns among other things
Repository ‘Brave Browser’ is invalid.
[brave-browser|https://brave-browser-rpm-release.s3.brave.com/x86_64] Valid metadata not found at specified URL
History:
It’s blocking.
I know that the certificates have recently changed to 4096 bits, is this related?
Probably not?
$ openssl s_client -connect brave-browser-rpm-release.s3.brave.com:443 2>/dev/null | fgrep bit
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
Server Temp Key: X25519, 253 bits
Server public key is 2048 bit
Not totally sure what curl is complaining about here, but my first guess would be that it can’t verify the site’s certificate chain; and in most cases, when dealing with public CAs, this is some kind of an issue with the local certificate store.
Does curl work properly when fetching other random public sites?
@JimB1
Yes all other repositories are working again except Brave and vsc.
This link is from an Opensuse forum post
New 4096 bit RSA signing key for Tumbleweed
23. Jan 2023 | Marcus Meissner | CC-BY-SA-3.0
RPM and repository signing key of Tumbleweed
Almost certainly they are talking about the GPG key used to sign the distro packages hosted in their own repository.
@JimB1
It’s possible, it’s a clue.
The problem with the Brave repository is not solved.
The error is still the same as I write to you.
No update possible.
Well of course, nothing has been changed so I would expect the behavior to continue.
On that same system what happens if you browse (with Brave, Chrome, or Chromium) to the same https://brave-browser-rpm-release.s3.brave.com/x86_64/repodata/repomd.xml URL?
And if you also have Firefox on that system, what happens with the same URL in that browser?
You can also try this: https://www.nixcraft.com/t/error-message-ssl-certificate-problem-unable-to-get-local-issuer-certificate-on-opensuse/3998
The error at this address with both browsers is:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
I notice that the ckecksum is in sha256 while the signatures are in 4096 bits since January 23, 2023.
The solution from the link works and there was just an update from Brave.
Thanks.
Unfortunately this error returns after a restart of the machine.
The only way to solve is to enter the command again:
update-ca-certificates for the refresh to consider the Brave repository for updates.
I put the command in my crontab on startup.
Please try installing the Beta or Nightly version of Brave to see if the issue persists on those versions.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.