pipelight-plugin can't download dependency-installer script

Asked by Ron Widell on 2015-01-02

I'm trying to install pipelight on a Kubuntu 14.04(x86) system per the instructions at http://pipelight.net/cms/install/installation-ubuntu.html

Everything goes well until I get to step4:
sudo pipelight-plugin --update

and this message shows up:
ERROR: cannot verify bitbucket.org's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1’:
  Unable to locally verify the issuer's authority.
To connect to bitbucket.org insecurely, use `--no-check-certificate'.

ERROR: Failed to download latest dependency-installer script

I have both ca-certificates and ca-certificates-java packages installed and can find the following DigiCert files:

~/.local/share/keyrings/DigiCert_High_Assurance_EV_Root_CA.cer
~/.kde/share/apps/RecentDocuments/DigiCert_High_Assurance_EV_Root_CA.crt.desktop
~/.kde/share/apps/RecentDocuments/DigiCert_High_Assurance_EV_Root_CA.pem.desktop
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
/usr/share/purple/ca-certs/DigiCertHighAssuranceCA-3.pem

So, what do I need to do next?
I didn't see anything liek this in the FAQ, so I may be looking in the wrong place, but I'd appreciate any pointers you can provide.

Thanks,
ron

Question information

Language:
English Edit question
Status:
Solved
For:
Pipelight Edit question
Assignee:
No assignee Edit question
Solved by:
Ron Widell
Solved:
2015-01-06
Last query:
2015-01-06
Last reply:
Sebastian Lackner (slackner) said : #1

Normally all that should work out of the box. Does the certificate exist in /etc/ssl/certs/ ?
If not, please try to run:

sudo dpkg-reconfigure ca-certificates

You'll get a list of certificates then which can be enabled/disabled. Make sure to enable the one needed for Bitbucket.
Please report back if it still doesn't work afterwards.

Ron Widell (r-widell) said : #2

I did the dpkg-reconfigure and enabled all.

Here's all of the "Digi" certs in /etc/ssl/certs (they are all symlinks to /usr/share/ca-certificates/mozilla/ files):
lrwxrwxrwx 1 root root 27 Mar 24 2014 399e7759.0 -> DigiCert_Global_Root_CA.pem
lrwxrwxrwx 1 root root 31 Mar 24 2014 69105f4f.0 -> DigiCert_Assured_ID_Root_CA.pem
lrwxrwxrwx 1 root root 38 Mar 24 2014 81b9768f.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
lrwxrwxrwx 1 root root 43 Mar 24 2014 a15b3b6b.0 -> Digital_Signature_Trust_Co._Global_CA_3.pem
lrwxrwxrwx 1 root root 43 Mar 24 2014 c215bc69.0 -> Digital_Signature_Trust_Co._Global_CA_1.pem
lrwxrwxrwx 1 root root 66 Mar 24 2014 DigiCert_Assured_ID_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
lrwxrwxrwx 1 root root 62 Mar 24 2014 DigiCert_Global_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
lrwxrwxrwx 1 root root 73 Mar 24 2014 DigiCert_High_Assurance_EV_Root_CA.pem -> /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
lrwxrwxrwx 1 root root 78 Mar 24 2014 Digital_Signature_Trust_Co._Global_CA_1.pem -> /usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
lrwxrwxrwx 1 root root 78 Mar 24 2014 Digital_Signature_Trust_Co._Global_CA_3.pem -> /usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt

Still no joy. Same errors.

I did notice that the error references "CN=DigiCert High Assurance EV CA-1", while the most similar cert I could see was "DigiCert_High_Assurance_EV_Root_CA.pem". Could that be the source of my problem?

Thanks,

ron

Ron Widell (r-widell) said : #3

It appears that I'm another victim of Bug #1371201, however...

export SSL_CERT_DIR=/etc/ssl/certs

doesn't help me.

Thanks,

ron

Ron Widell (r-widell) said : #4

I edited /usr/bin/pipelight-plugin (it's a shell script) to add the --no-check-certificate option to the invocation of wget and proceeded from there.

It seems to be working OK so I'm going to mark it as "problem solved", although it's really just a crude work-around.

Thanks,
ron