The following error was encountered while trying to retrieve the URL: https://www.dfrobot.com/* Failed to establish a secure connection to 49.51.40.62The system returned: (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
ca_root_nss was updated to 3.43 a few days ago. I'm not sure if there's anything included in the direction of what you're missing. It's just that we follow what is in there as per recommendation.
There is an idea around how to also trust the additional certs and CAs added under system: trust, but it still needs to be written.
Beyond automatic and manual we don't want to "fudge" "known" "good" certificate authorities into our installations.
Same error for GeoTrust RSA CA 2018the only way i found to solve the problem was to export the CA from firefox, import it in Trust->Authorities and then restart squid.it should really interesting to have the script mentioned by Sahbi
#!/bin/shcertdir=/usr/local/openssl/certscheckem_ret() { ret=$? cmd="$1" exitval="$2" if [ -z "$cmd" ]; then cmd='<UNKNOWN>'; fi if [ -z "$exitval" ]; then exitval=1; fi if [ $ret -ne 0 ]; then echo "$cmd returned non-zero exit code ($ret), not proceeding" exit $exitval fi}if [ -z "$2" ]; then skripname="$(basename "$0")" echo "Usage: $skripname <URL to PEM/DER-encoded cert file> <target local file>" echo "A hardcoded variable \$certdir is prepended to the local file name, this variable is currently set to: $certdir" echo "Example: $skripname 'https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027' COMODORSADomainValidationSecureServerCA.crt" exit 0ficerturl="$1"lfile="$certdir/$2"if [ ! -d "$certdir" ]; then mkdir "$certdir" checkem_ret mkdir 1fiif [ -f "$lfile" ]; then echo "A local cert with the given name already exists, not proceeding: $lfile" exit 2fi# curl's -k flag ignores any certificate errors (useful for downloading self-signed ones like CAcert)curl -vk -o "$lfile" "$certurl"checkem_ret cURL 3if ! grep -q '^-----BEGIN CERTIFICATE-----' "$lfile"; then echo "Certificate doesn't seem to be PEM/base64 encoded, trying to convert" bitch64=$(openssl x509 -inform DER -in "$lfile") checkem_ret openssl 4 echo "Ayy we good y0" echo "$bitch64" > "$lfile"ficerthash=$(openssl x509 -in "$lfile" -hash -noout)checkem_ret openssl 5echo "---"echo "Certificate hash: $certhash"num=0while [ -e "$certdir/${certhash}.$num" ]; do num=$((num + 1))doneln -vs "$lfile" "$certdir/${certhash}.$num"
./install_cacert.sh https://www.websecurity.symantec.com/content/dam/websitesecurity/support/digicert/geotrust/ica/GeoTrust_RSA_CA_2018.pem GeoTrustRSACA2018.crt
