[clamav-users] freshclam cert problems with new install
fergus mcmenemIE
fergus at twig.me.uk
Sun Feb 27 17:12:08 UTC 2022
> Hi there,
>
> On Fri, 25 Feb 2022, fergus mcmenemie wrote:
>
>> Hi - first posting here
>
> Welcome. :)
>
>> Brand new install of clamav ...
> Exactly which version, installed from what (package, tarball, ...)?
Version clamav-0.103.5 from a tarball on a Mac running 10.13.6. I build everything
from tarballs. I tried clamav-0.104.2 but I just could not get cmake + ncurses to build;
why on earth has ncurses been added to clamav?
With your hints, particularly your "it's at your end", I eventually went looking for
exactly where curl (curl-7.81.0) was fetching its authoritative list of root certs
from. It is a Mac, so it could have been coming from the keychain. Running
freshclam --verbose --debug
made it appear curl was accessing a list of root certs from somewhere. However, this
was not the case. After discovering
curl-config -ca
it revealed there was no curl default root store. I had to recompile curl with
./configure --with-openssl --without-libssh2 --disable-ldap --disable-ldaps \
--with-ca-bundle=/usr/local/openssl/certs/cacert.pem
Freshclam then worked a charm. The file cacert.pem was freshly fetched from the internet.
>> first thing I ran was "sudo freshclam" which gave the following.
> So I assume it's Linux, but which distribution/version? They aren't
> all created equal when it comes to certificates. :/
>
>> ...
>> WARNING: Download failed (60) WARNING: Message: SSL peer certificate or SSH remote key was not OK
>> ...
>
> This happens only occasionally. It's most unlikely to be a problem at
> the servers because if it were, this list would quickly go ballistic.
The expired certs were due to confusion from the tooling. I had used the following to investigate my issue
openssl s_client -connect database.clamav.net:443 -CAfile=/usr/local/packages3/downloads/cacert.pem
which reported the invalid certs. However, while you can normally get away with that,
in this case I should have used the following to cope with Cloudflare weirdness.
openssl s_client -connect database.clamav.net:443 -CAfile=/usr/local/packages3/downloads/cacert.pem \
-servername database.clamav.net
This reported the cert was fine.
Thanks Ged.
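The two things this thread turned on, a curl build with no CA bundle at all and an s_client check run without SNI, can both be surfaced with a small script. The following is an added example, not part of the list post or of the ClamAV project: it reports where this machine's TLS clients will look for a root store (the lookup order is an assumption about typical OpenSSL/curl builds, with `SSL_CERT_FILE` read by OpenSSL itself and `CURL_CA_BUNDLE` read only by the curl command-line tool), counts the certificates in that bundle, and, given a host name on the command line, shows the leaf certificate the server presents with and without SNI. The sample bundle text and the host name are constructed placeholders.

```python
"""Added example: report the CA bundle TLS clients on this host will use, and
show a server's leaf certificate with and without SNI. Not part of the
clamav-users thread; lookup order and sample values are assumptions."""
import os
import re
import shutil
import socket
import ssl
import subprocess
import sys

# Constructed sample bundle text (not real certificates), used only to
# exercise count_pem_certs_in_text().
SAMPLE_BUNDLE_TEXT = """# constructed sample bundle
-----BEGIN CERTIFICATE-----
MIIBnotarealcertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBnotarealcertificate
-----END CERTIFICATE-----
"""

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs_in_text(text):
    """Number of PEM certificate blocks in a bundle's text."""
    return len(PEM_CERT_RE.findall(text))


def count_pem_certs(path):
    """Number of PEM certificate blocks in the file at path (0 if unreadable)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return count_pem_certs_in_text(fh.read())
    except OSError:
        return 0


def resolve_ca_bundle(env=None, run_curl_config=True):
    """Return (source, path) for the first CA bundle setting found, else (None, None).

    Lookup order is an assumption about typical builds, not a statement about
    any particular freshclam/libcurl build:
      1. SSL_CERT_FILE    (read by OpenSSL, so it reaches libcurl-based programs)
      2. CURL_CA_BUNDLE   (read by the curl command-line tool only)
      3. curl-config --ca (the bundle compiled into this curl; empty = none)
      4. OpenSSL's compiled-in default cafile as Python sees it
    """
    env = os.environ if env is None else env
    for var in ("SSL_CERT_FILE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return var, env[var]
    if run_curl_config and shutil.which("curl-config"):
        out = subprocess.run(["curl-config", "--ca"], capture_output=True,
                             text=True).stdout.strip()
        if out:
            return "curl-config --ca", out
    default = ssl.get_default_verify_paths().cafile
    if default:
        return "openssl default", default
    return None, None


def describe_peer_cert(host, port=443, cafile=None, sni=True, timeout=5.0):
    """Connect with TLS and describe the leaf certificate the server presents.

    sni=False mimics `openssl s_client` without -servername: a CDN front end
    may then hand back a default certificate that is not the one for `host`,
    which is the confusion described in the thread.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not sni:
        # Without a server_hostname Python cannot match the name, but the
        # chain is still verified against the bundle.
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"ok": True, "subject_cn": subject.get("commonName"),
            "not_after": cert.get("notAfter"), "dns_names": sans}


if __name__ == "__main__":
    source, path = resolve_ca_bundle()
    if path is None:
        print("no CA bundle configured: verification will fail with error 60")
    else:
        print(f"CA bundle via {source}: {path} ({count_pem_certs(path)} certs)")
    if len(sys.argv) > 1:  # e.g. python3 cacheck.py database.clamav.net
        for sni in (False, True):
            label = "with SNI" if sni else "without SNI"
            print(label, describe_peer_cert(sys.argv[1], cafile=path, sni=sni))
```

Run it with no arguments to see which bundle (if any) is in effect; an empty `curl-config --ca` plus no environment override is the state the original poster was in. With a host name it prints both handshakes, so a certificate that looks wrong without SNI and right with it is immediately visible instead of being mistaken for an expired server certificate.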