Tiny Core Linux

Tiny Core Base => Raspberry Pi => Topic started by: Zephyrus on April 30, 2019, 10:02:29 PM

Title: Amazon Certificate Missing
Post by: Zephyrus on April 30, 2019, 10:02:29 PM
Hi, not sure if this is the right place to report this, but I've been trying to get the Amazon Systems Manager Agent running on a compute module 1.
Bit of a mess around, but I had authentication problems with the Amazon server, so updated my ca-certificates.tcz to the one from the version 10.x repo (this is because the 9.x version has no certs in /etc/ssl) and I also had to manually install an Amazon cert from here: https://www.amazontrust.com/repository/. I used the Starfield one only, but both that and the other 4 should probably be merged into ca-certificates.tcz.

Not sure if this should be posted here, but I couldn't find a dedicated bug tracker.

Title: Re: Amazon Certificate Missing
Post by: Paul_123 on May 01, 2019, 01:54:15 AM
Certs from 10.x will not work with 9.x (and vice versa).

See this link as to how to get the 9.x certs to work with /etc/ssl: http://forum.tinycorelinux.net/index.php/topic,21065.0.html

Title: Re: Amazon Certificate Missing
Post by: Paul_123 on May 01, 2019, 09:12:03 AM
For the record, this is the list of certs that Mozilla distributes, and is what is used to generate the ca-certificates package.
  https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport

What is the site you are trying to reach?

Title: Re: Amazon Certificate Missing
Post by: Zephyrus on May 01, 2019, 06:39:49 PM
Interesting they don't work. I tried copying the SSL certs from where they are in the version 9.x repo to /etc/ssl and that didn't seem to work.
That part may be a red herring and didn't help.

The website was either https://ssm.ap-southeast-2.amazonaws.com/ or https://ssmmessages.ap-southeast-2.amazonaws.com/
I got the error "x509 failed to load system roots and no roots provided" if SFSRootCAG2.pem is not in /etc/ssl/certs and no problems with it there. It does seem to be the same as the one from Mozilla.
 
I used deb2tcz to turn the Debian container of SSM for Raspbian into the TCZ file I needed if you need to test it.

Title: Re: Amazon Certificate Missing
Post by: Paul_123 on May 01, 2019, 08:00:35 PM
The PEM files use a generic name, but the Amazon certs are definitely there in 10.x, but they are signed with the openssl that is in 10.x. That version won't work with 9.x.

For 9.x, did you try to create the symlink between /etc/ssl -> /usr/local/etc/ssl?
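
The state this thread keeps returning to is whether /etc/ssl resolves, directly or through the symlink to /usr/local/etc/ssl, to a certs directory that actually holds PEM certificates. The following check is an added example, not code from either poster or from the Tiny Core project; the function name `trust_store_state` and its state labels are assumptions made for illustration, and it only looks for PEM headers, not certificate validity.

```shell
#!/bin/sh
# Added example: classify the /etc/ssl trust store under a given root.
# The root prefix is a parameter so the check can also be run against a
# scratch directory; pass "" to inspect the live system.

trust_store_state() {
    root="${1:-}"
    ssl="$root/etc/ssl"
    certs="$ssl/certs"

    # Neither a directory nor a symlink: nothing at /etc/ssl at all.
    if [ ! -e "$ssl" ] && [ ! -L "$ssl" ]; then
        echo "missing"; return 0
    fi
    # A symlink exists but its target (e.g. /usr/local/etc/ssl) does not.
    if [ -L "$ssl" ] && [ ! -e "$ssl" ]; then
        echo "dangling"; return 0
    fi
    if [ ! -d "$certs" ]; then
        echo "no-certs-dir"; return 0
    fi

    # Count entries that contain a PEM certificate header. [ -f ] follows
    # symlinks, so hashed links into another directory are counted too.
    count=0
    for f in "$certs"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            count=$((count + 1))
        fi
    done

    if [ "$count" -eq 0 ]; then
        echo "empty"
    else
        echo "ok:$count"
    fi
}

# Report on the running system when executed as a script.
trust_store_state ""
```

A result of `missing` or `empty` is the situation described for the 9.x package, and `ok:N` is the situation after the symlink is created or a PEM file such as SFSRootCAG2.pem is placed in /etc/ssl/certs.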