Certificate for api.turris.cz

After some time I checked the error logs on TO and found repeating errors:

2018-10-23T10:00:01+02:00 2018-10-23T08:00:01+02:00 omnia user err server_uplink[]: Failed to download contract status
2018-10-23T10:01:05+02:00 2018-10-23T08:01:05+02:00 omnia user err server_uplink[]: Failed to get registration code
2018-10-23T10:02:09+02:00 2018-10-23T08:02:09+02:00 omnia user err turris-firewall-rules[]: (v63) Failed to download https://api.turris.cz/firewall/turris-ipsets.gz.sign

When I tried to download the file using wget, I got the error message “Unable to locally verify the issuer’s authority.”

root@omnia:/mnt/ssd/omnia-var/logs/errors/2018/10# wget https://api.turris.cz/firewall/turris-ipsets.gz.sign
--2018-10-23 10:46:23--  https://api.turris.cz/firewall/turris-ipsets.gz.sign
Resolving api.turris.cz..., 2001:1488:ac15:ff80::101
Connecting to api.turris.cz||:443... connected.
ERROR: cannot verify api.turris.cz's certificate, issued by 'emailAddress=michal.vaner@nic.cz,CN=Turris Emergency CA,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ':
  Unable to locally verify the issuer's authority.
To connect to api.turris.cz insecurely, use `--no-check-certificate'.

It looks like the issuer certificate (issuer=/C=CZ/ST=Czech republic/L=Prague/O=CZ.NIC/OU=Labs/CN=Turris Emergency CA/emailAddress=michal.vaner@nic.cz) is not trusted on TO. I can add it, but shouldn’t it already be there as part of TurrisOS?

Turris team,

Any suggestions about these errors? They are in the logs even after the 3.11 upgrade. When I try to run e.g. the script for generating the registration code manually, it works fine, but I can see the error above in the logs every hour.

The certificate is not automatically trusted. Its trust is explicitly listed when required. You can find the correct certificate in /etc/ssl.
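
The behaviour described in the reply above, reproduced offline as an added example (not part of the thread and not Turris code): a certificate issued by a private CA fails verification against the default trust store and passes once the CA file is named explicitly. The CA, the host name `api.example.test` and all file names are constructed for the demo, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added illustration; every name and subject here is constructed for the demo.

# Build a throwaway private CA and a leaf certificate signed by it.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=api.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Default trust store only: the demo CA is not in it, so this fails.
verify_default() {
    openssl verify "$1/leaf.pem" >/dev/null 2>&1
}

# CA file named explicitly by the caller: the chain builds and this succeeds.
verify_pinned() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir"; then
    verify_default "$demo_dir" && echo "default store: trusted" \
                               || echo "default store: issuer not trusted"
    verify_pinned "$demo_dir"  && echo "explicit CA:   trusted" \
                               || echo "explicit CA:   issuer not trusted"
fi
rm -rf "$demo_dir"
```

For a manual download with wget, the matching option is `--ca-certificate=FILE`, pointing at the CA file under /etc/ssl; the thread does not give that file's name.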

Thx - I discovered that the path to the cert is used directly in the scripts. E.g. the script updating the registration code works fine when I run it manually; however, how to explain the errors in the log (run through cron)? See the screenshot below for log entries with warning or higher log level.