Cygwin ca-certificates 1.94-1 problem

There seems to be a problem with version 1.94-1 of the Cygwin ca-certificates package where the files containing the trusted certificates are empty. This results in no HTTPS sites being trusted when using commands such as git, curl, and wget.

From what I can tell, the problem stems from changes that were made in version 1.94-1. In prior versions of ca-certificates, the ca-bundle.crt and ca-bundle.trust.crt files located in the /usr/ssl/certs directory were actual files containing the trusted certificates. In version 1.94-1, I've found these to be symbolic links pointing to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt respectively, both of which are EMPTY.

The work-around for this issue that I originally posted should no longer be necessary. Instead, upgrading to p11-kit-trust-0.18.7-2 and ca-certificates-1.96-2 should take care of it. A big thanks to Yaakov from Cygwin Ports for getting it fixed and sharing this information on my web site.
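The quickest way to tell whether you are hitting this is to follow each bundle link to its target and count the certificates it actually contains. The script below is an added example, not part of the original post or the Cygwin package: it builds a throw-away directory that mirrors the link layout described above (one empty target, one populated with constructed placeholder PEM blocks rather than real CA certificates) and reports on each bundle. The function names and the demo fixture are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or the Cygwin ca-certificates package):
# resolve each CA bundle link and count the certificates behind it.

# Print the number of "BEGIN CERTIFICATE" blocks in the file a path resolves to.
# Returns 1 if the path is missing, is a dangling link, or holds no certificates,
# which is exactly the state that makes git/curl/wget trust no HTTPS site.
count_certs() {
    bundle="$1"
    if [ ! -e "$bundle" ]; then
        echo 0
        return 1
    fi
    # grep -c prints 0 and exits 1 on no match; "|| true" keeps the 0 without failing.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# For each bundle path: show where a link points and how many certificates it holds.
check_bundles() {
    for f in "$@"; do
        if [ -L "$f" ]; then
            printf '%s -> %s: ' "$f" "$(readlink "$f")"
        else
            printf '%s: ' "$f"
        fi
        if n=$(count_certs "$f"); then
            echo "$n certificates"
        else
            echo "EMPTY or missing ($n certificates) - TLS clients will trust nothing"
        fi
    done
}

# Build a constructed fixture mirroring the 1.94-1 layout under a temp dir:
# ca-bundle.crt -> extracted/pem/tls-ca-bundle.pem (empty, the broken case)
# ca-bundle.trust.crt -> extracted/openssl/ca-bundle.trust.crt (two placeholder blocks)
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/extracted/pem" "$d/extracted/openssl"
    : > "$d/extracted/pem/tls-ca-bundle.pem"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CONSTRUCTED-FOR-THIS-EXAMPLE' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CONSTRUCTED-FOR-THIS-EXAMPLE' '-----END CERTIFICATE-----' \
        > "$d/extracted/openssl/ca-bundle.trust.crt"
    ln -s "$d/extracted/pem/tls-ca-bundle.pem" "$d/ca-bundle.crt"
    ln -s "$d/extracted/openssl/ca-bundle.trust.crt" "$d/ca-bundle.trust.crt"
    echo "$d"
}

# Run against the constructed fixture. On a real Cygwin install you would instead call:
#   check_bundles /usr/ssl/certs/ca-bundle.crt /usr/ssl/certs/ca-bundle.trust.crt
demo=$(make_demo)
check_bundles "$demo/ca-bundle.crt" "$demo/ca-bundle.trust.crt"
```

A healthy 64-bit Cygwin install reports well over a hundred certificates for each bundle; a count of zero for either link is the symptom this post describes, and the fix is the package upgrade rather than hand-copying bundles from an older release.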

4 comments on “Cygwin ca-certificates 1.94-1 problem”
  1. hati23 says:

    Thanks for posting this…
    took me some time to find the empty files, still don't understand the complete story behind ssl configuration, but it works now 🙂

    • admin says:

      You’re welcome. I am glad you found it helpful. I don’t fully understand the SSL configuration either.

      I think these files contain “trusted” SSL certificates including those of the most common certificate authorities that issue SSL certificates to others. When a program in the cygwin environment encounters a certificate that is not trusted and did not come from a trusted certificate authority you run into problems. To get around this, you either have to trust the certificate authority or tell cygwin to ignore certificate errors which is less secure.

      My assumption is that there is a way to manually “trust” individual SSL certificates as needed, but I didn’t want to go through this every time I encounter a new SSL certificate.

      When the files referenced in this post are empty, cygwin won’t trust any certificate by default. My workaround was to populate these files with content from a prior version of cygwin.

      There may be a better solution out there, but this worked for me so I don’t currently have a need to look further.

  2. Please don’t do this; old versions of ca-certificates should be considered insecure.

    What we do know so far is that this issue only seems to affect 64-bit Cygwin on Windows 8 (but not 8.1); all other supported platforms (including 32-bit Cygwin on Win8 x64) should work correctly. Further analysis of the problem begins here:

    http://cygwin.com/ml/cygwin/2014-01/msg00331.html

    And I have made generated files available as a temporary workaround for Win8 x64 users per the directions here:

    http://cygwin.com/ml/cygwin/2014-01/msg00333.html
