[clamav-users] New installation 103.3; failing freshclam

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Jun 23 22:53:12 UTC 2021


Haha love the [shudder]...

So I *think* I would blame whichever OpenSSL version is linked with ClamAV when you built it for looking in the wrong directory. If this is really the issue, you should be able to work around it by setting a CURL_CA_BUNDLE environment variable to point at your CA directory before running freshclam.

In tracking down the right variable name, I realized that we forgot to document CURL_CA_BUNDLE when we added this capability (v0.103). I'll create a GitHub Issue now as a reminder to add it to the documentation, or in case someone else wants to work on it.

-Micah

> -----Original Message-----
> From: Paul Rogers <paulgrogers at fastmail.fm>
> Sent: Wednesday, June 23, 2021 1:15 PM
> To: Micah Snyder (micasnyd) <micasnyd at cisco.com>; ClamAV users ML
> <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] New installation 103.3; failing freshclam
> 
> Thanks for responding.
> 
> On Wed, Jun 23, 2021, at 12:35 PM, Micah Snyder (micasnyd) wrote:
> > This specific error comes from the libcurl library. I imagine we could
> > detect the associated error code and supplement the message with more
> 
> Agreed, at least point the finger at the responsible package, libcurl.
> 
> > actionable advice.  If anyone is up for figuring that out, a PR would
> > be welcome.
> >
> > How you fix this problem is going to vary depending on what OS you're
> 
> A homemade LFS.  Actually two stable, production systems, one 32-bit LFS-7.7,
> and a 64-bit LFS-8.1.
> openssl-1.0.2l & 1.1.0f
> curl-7.4.0 & 7.55.1
> gnutls-3.3.12 & 3.5.14
> clamav-0.99.2 & 0.103.3
> 
> The first has an LFS derived certificate download/update script, the second
> make-ca-0.7.
> 
> > on.
> > - Mac & Windows installations will use the macOS Keychain or Windows
> > Certificate Store (the same one used by Edge or Firefox).
> 
> [shudder]
> 
> > - Linux and other Unix installations use the openssl certificate
> > directory. By default that is probably in /etc/ssl/certs or
> 
> Correct.
> 
> > /etc/pki/tls/certs but may vary by distribution. Having the
> 
> Only anchors there.
> 
> > ca-certificates package (ubuntu) or equivalent is usually sufficient.
> 
> So is somebody not looking in the right place?  How can I discover and fix that?
> 
> >
> > Sometimes TLS validation also fails if the CA certs are fine but the
> > system time is incorrect.
> 
> Just reset last evening w/ ntp.
> 
> >
> > -Micah
> 
> TIA
> 
> --
> Paul Rogers
> paulgrogers at fastmail.fm
> Rogers' Second Law: "Everything you do communicates."
> (I do not personally endorse any additions after this line. TANSTAAFL :-)
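
An added example, not part of the original message or the ClamAV project: a POSIX shell check for where OpenSSL looks for CA certificates and which bundle CURL_CA_BUNDLE could point at. It assumes the variable takes a PEM bundle file (as the curl tool's variable of that name does) and that bundles use the common file names listed in `find_bundle`; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not ClamAV code): find a CA store to point CURL_CA_BUNDLE at.

# OPENSSLDIR compiled into the openssl on PATH, from `openssl version -d`.
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Count subject-hash entries (like 1a2b3c4d.0) that a CApath lookup requires.
hashed_count() {
    n=0
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9])
                [ -e "$f" ] && n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print the first PEM bundle found in a directory. The file names are
# assumed common ones, not taken from the thread.
find_bundle() {
    for name in ca-certificates.crt ca-bundle.crt cert.pem; do
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$1/$name" 2>/dev/null; then
            echo "$1/$name"
            return 0
        fi
    done
    return 1
}

main() {
    od=$(openssl_dir)
    if [ -z "$od" ]; then echo "openssl not on PATH"; return 0; fi
    echo "OpenSSL default store: $od/certs ($(hashed_count "$od/certs") hashed), $od/cert.pem"
    # OPENSSLDIR first, then the directories named in the thread.
    for d in "$od" /etc/ssl/certs /etc/pki/tls/certs; do
        if b=$(find_bundle "$d"); then
            echo "export CURL_CA_BUNDLE=$b   # then re-run freshclam"
            return 0
        fi
    done
    echo "no PEM bundle found; build one from your trust anchors"
    return 0
}

main
```

The `openssl` binary on PATH may not be the library freshclam was linked against, so treat its OPENSSLDIR as a hint when several OpenSSL builds are installed.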
