Re: do_populate_cve_db CERTIFICATE_VERIFY_FAILED


Darcy Watkins

In case anyone else is affected by this…

  1. I tried building inside a Docker container based on Ubuntu 20.04 (and the buildtools removed) and the CVE database was populated properly (and CVE reports generated, etc).
  2. It failed during my first attempt, but that was because the buildtools were still present in the workspace.

From this, I conclude that using an older OS like CentOS with buildtools, though it may be OK for more basic Yocto builds, has issues when you attempt to make use of the meta-security layer. I believe that the problem is related to the certificate validation tools of buildtools’ host python replacement used to run bitbake, etc.

So I suggest that if you are affected and you need to continue using the older OS as your build host’s OS, use a Docker container such as that documented at CROPs.

Regards,

Darcy

Darcy Watkins :: Senior Staff Engineer, Firmware

SIERRA WIRELESS

Direct +1 604 233 7989 :: Fax +1 604 231 1109 :: Main +1 604 231 1100

13811 Wireless Way :: Richmond, BC Canada V6V 3A4

dwatkins@... :: www.sierrawireless.com


From: <yocto@...> on behalf of "Darcy Watkins via lists.yoctoproject.org" <dwatkins=sierrawireless.com@...>
Reply-To: Darcy Watkins <dwatkins@...>
Date: Wednesday, March 17, 2021 at 9:45 AM
To: "yocto@..." <yocto@...>
Subject: [yocto] do_populate_cve_db CERTIFICATE_VERIFY_FAILED

Hi,

Anyone else encounter this?

WARNING: cve-update-db-native-1.0-r0 do_populate_cve_db: Failed to fetch CVE data ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108))

I am not sure how to resolve this. After googling on the subject, I found nothing really helpful. Most hits suggest that the certificates are out of date. I tried various suggested ways to resolve it, but nothing works.

Furthermore, as I dig into this, it becomes apparent that this could be confused by the different python3 installations that are on the system. ‘which python3’ points to a python3 that is in the buildtools. So I have a python3 from my CentOS 7 distro, and there appears to be one as part of the buildtools (needed when you use CentOS). Then there is python3-native and finally the python3 that is built for the target.

I suspect that this may be related to the python3 in the buildtools. Anyone using a newer distro not requiring buildtools may not be affected.

I am using CentOS 7, Yocto ‘dunfell’ (including the buildtools) and building for an NXP Layerscape target. This particular build adds meta-security and the meta-security-isafw sub-layer (along with prerequisites).

Regards,

Darcy
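The suspicion in the original message, that the buildtools python3 has no usable CA store while the distro python3 does, can be checked directly. The script below is an added example and not part of either message; it assumes you run it once with each candidate interpreter (e.g. `/usr/bin/python3` and the buildtools `python3`) and reports where that interpreter's OpenSSL looks for CA certificates and how many it actually loaded. `report_with_cafile` is a helper of this example, not a Yocto or Python API, and shows the effect of the SSL_CERT_FILE override that OpenSSL honours.

```python
import os
import ssl
import sys
from typing import Any, Dict


def ca_store_report() -> Dict[str, Any]:
    """Describe the CA store this interpreter uses to verify server certificates."""
    paths = ssl.get_default_verify_paths()
    report: Dict[str, Any] = {
        "python": sys.executable,
        "openssl": ssl.OPENSSL_VERSION,
        # environment variables OpenSSL honours as overrides for the CA locations
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
        # compiled-in defaults, and the resolved paths (None when they do not exist)
        "cafile_default": paths.openssl_cafile,
        "capath_default": paths.openssl_capath,
        "cafile_resolved": paths.cafile,
        "capath_resolved": paths.capath,
    }
    try:
        # the same default store that urllib (and so the CVE fetcher) ends up using
        ctx = ssl.create_default_context()
        report["loaded_ca_count"] = ctx.cert_store_stats()["x509_ca"]
        report["error"] = None
    except ssl.SSLError as exc:
        report["loaded_ca_count"], report["error"] = 0, str(exc)
    # nothing loaded and no hashed CA dir: "unable to get local issuer certificate" follows
    report["store_empty"] = report["loaded_ca_count"] == 0 and paths.capath is None
    return report


def report_with_cafile(path: str) -> Dict[str, Any]:
    """Run the report with the CA-file override pointed at `path`, then restore the env."""
    env_name = ssl.get_default_verify_paths().openssl_cafile_env  # "SSL_CERT_FILE"
    saved = os.environ.get(env_name)
    os.environ[env_name] = path
    try:
        return ca_store_report()
    finally:
        if saved is None:
            del os.environ[env_name]
        else:
            os.environ[env_name] = saved


if __name__ == "__main__":
    for key, value in ca_store_report().items():
        print(f"{key:16} {value}")
```

Compare `cafile_resolved`, `capath_resolved` and `loaded_ca_count` between the two interpreters; an interpreter whose `cafile_default` points at a path that does not exist on the host is the one that produces the warning quoted in the thread.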