Dear all,
Thanks for all the help and info.
I ended up doing a trace of what our custom clamav does at boot time:
90272 open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
90272 close(4) = 0
90272 write(1, "* ERROR: Download failed (77)", 30) = 30
90272 write(1, "* ERROR: Message: Problem with the SSL CA cert (path? access rights?)\n", 71) = 71
That path is apparently hardcoded in the custom binary we use:
mail: # strings cgpclamav | grep ca bundle
/etc/pki/tls/certs/ca-bundle.crt
As far as I can see that is the path used on RHEL (and derivatives like CentOS). Since I didn't find a location to overwrite that path, I made a symlink from /etc/pki/tls/certs/ca-bundle.crt
to /etc/ssl/certs/ca-certificates.crt, where the certificates on Debian are located (provided there by the ca-certificates package).
Now the database updates work again.
Thanks for point me in the right direction!
Regards,
Jona
From:
clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of "Micah Snyder (micasnyd) via clamav-users" <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Tuesday, 17 August 2021 at 18:07
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: "Micah Snyder (micasnyd)" <micasnyd@cisco.com>
Subject: Re: [clamav-users] database updates blocked
Resent-From: <jona@mail.tnt.be>
Resent-Date: Tuesday, 17 August 2021 at 18:07
If you're running into the CA cert problem with FreshClam because your CA certificate bundle is in a non-standard place, you can also set the CURL_CA_BUNDLE environment
to point to the file holding one or more certificates. FreshClam and ClamSubmit will check that environment variable and use it instead of the default openssl CA path.
My apologies that this isn't in the documentation (yet). I will add it today.
https://github.com/Cisco-Talos/clamav/issues/175