Api.turris.cz SSL certificate is invalid

There is a problem with the SSL certificate offered by https://api.turris.cz:443/. Compared to https://repo.turris.cz/, which is issued by Let's Encrypt, it seems to use a certificate issued by an unknown Certificate Authority.

$ wget https://api.turris.cz/
--2017-08-19 14:40:07--  https://api.turris.cz/
Resolving api.turris.cz..., 2001:1488:ac15:ff80::101
Connecting to api.turris.cz||:443... connected.
ERROR: cannot verify api.turris.cz's certificate, issued by 'emailAddress=michal.vaner@nic.cz,CN=Turris Emergency CA,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ':
  Unable to locally verify the issuer's authority.
To connect to api.turris.cz insecurely, use `--no-check-certificate'.

The main concern with this is that the Turris updater connects to api.turris.cz to retrieve info on new packages. If the updater is using insecure (unverified) connections, it's potentially open to a MITM attack.

You should study the certificate info. :wink:

Edit: just a small addition: /etc/ssl/updater.pem

I have that file. It has a completely different cert in it, signed by GeoTrust:
$ openssl x509 -in /etc/ssl/updater.pem -text -noout
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA

I can't replace that file because api.turris.cz is only offering its own cert. It does not supply the cert chain. For example:
$ openssl s_client -host api.turris.cz -port 443 -prexit -showcerts
…cert details…
Verify return code: 21 (unable to verify the first certificate)

So I don’t seem to be able to establish a secure connection, nor can I update my local cert store.

Copy that file, open it with a text editor, drop the first certificate and try again.

Edit: Also, /etc/ssl isn't the standard SSL certificate path, so you have to specify it explicitly.
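The procedure from the last two replies (copy updater.pem, drop the first certificate, verify against what remains with an explicitly named CA file), and the earlier observation that `openssl x509 -in` showed only a GeoTrust issuer, as an added, self-contained example. This is not code from the thread or from the Turris project: it builds its own throwaway PKI with `openssl` (the "Constructed Test CA", "Constructed Stale CA" and `api.example.test` names are made up for the demo) so that it runs offline, then shows why a bundle can look like it contains only one cert and how to verify a leaf against an explicit `-CAfile`.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Turris project.
# Requires: openssl in PATH. All certificates here are constructed on the fly.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed bundle shaped like the thread describes: an unrelated
# certificate first (standing in for the stale GeoTrust entry), followed by
# the CA that actually issued the server's leaf certificate.
gen_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=api.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/old.key" -out "$WORK/old.pem" \
    -subj "/CN=Constructed Stale CA" >/dev/null 2>&1
  cat "$WORK/old.pem" "$WORK/ca.pem" > "$WORK/updater.pem"
}

# Number of PEM certificate blocks in a file (grep -c exits 1 on zero matches,
# hence the || true under set -e).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject of the FIRST certificate only: `openssl x509 -in` decodes just the
# first PEM block, which is why a bundle can look like a single GeoTrust cert.
first_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# The reply's advice: drop the first certificate block, keep the rest.
drop_first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1 { print }' "$1" > "$2"
}

# Verify a leaf against an explicitly named CA file, the equivalent of
# wget --ca-certificate=FILE when the CA does not live in the default store.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

gen_pki
printf 'bundle contains %s cert(s); x509 -in shows only: %s\n' \
  "$(count_certs "$WORK/updater.pem")" "$(first_subject "$WORK/updater.pem")"
drop_first_cert "$WORK/updater.pem" "$WORK/trimmed.pem"
printf 'leaf vs trimmed bundle:   %s\n' "$(verify_against "$WORK/trimmed.pem" "$WORK/leaf.pem")"
printf 'leaf vs whole bundle:     %s\n' "$(verify_against "$WORK/updater.pem" "$WORK/leaf.pem")"
printf 'leaf vs first cert only:  %s\n' "$(verify_against "$WORK/old.pem" "$WORK/leaf.pem")"
```

Note that `openssl verify -CAfile` (like wget's `--ca-certificate`) loads every certificate in the file, so the whole bundle verifies the leaf just as the trimmed one does; the trim is what makes `openssl x509 -in` show the certificate you actually care about. Verifying against the first certificate alone fails, which is the "unable to verify the first certificate" situation from the thread when the server sends no chain and the client's trust file does not contain the real issuer.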