linux_cac
DoD Certs not valid anymore?
It seems something has changed with websites that require DoD certs, which this repo used to fix access to. For example, armyignited.army.mil now returns an SSL handshake failure. It's not obvious how to fix this, given the DoD certificates provided by militarycac don't work anymore, either. Having a CAC inserted seems to work for other websites and for regular logins on sites that don't require DoD certificates to be installed.
I don't believe it's the DoD certs. I think it is the cackey library. I am about to transition the script to OpenSC when I have time. If you would like to test it, you can run the following:
sudo apt purge cackey
sudo apt install opensc
pkcs11-register
The pkcs11-register command might take a couple of seconds.
After this, restart your browsers and attempt to log in. If that doesn't work, try clearing the cache, rebooting, and/or using a different browser (that browser will need to have been installed before you originally ran the script and the above commands).
Please let me know if this works for you or if you have any other issues.
Having similar issues - pcsc_scan is seeing CAC, but none of the browsers installed are seeing any valid certs. Tried a few different things, including re-running the main script and then the commands listed above, but not seeing any change.
For what it's worth, I tried this today and it worked for me using Firefox on Mint 21.3. The installation script didn't detect Chrome (installed via Flatpak), but put the certs for Chrome in the Edge directory (also installed via Flatpak).
I was able to finally get my CAC reader to work on Mint 21.3 using this installation and then switching to opensc. Of note, I had used other installation instructions which relied on coolkey and I had to completely remove coolkey to be able to authenticate.
Normal installation detected Chrome and Firefox. I downloaded and installed Chrome directly from my browser and did not use Flatpak.
@jdjaxon Great tool. Thanks!
I was having the same problem with ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS error codes. I ran the 3 commands above (apt purge cackey, apt install opensc, pkcs11-register), rebooted, and then everything worked after that point. It is also working under 24.04 LTS.
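A follow-up check for the switch from cackey/coolkey to OpenSC described in the replies above, added here and not part of the thread or of the linux_cac script: it reads the pkcs11.txt module list of each NSS database and reports whether an OpenSC module is registered and whether a cackey or coolkey module is still loaded. The database locations and the library-name patterns (opensc-pkcs11, cackey, coolkey) are assumptions about a typical install; pass any other pkcs11.txt path, such as a Flatpak browser's, as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): classify the PKCS#11 modules that
# an NSS database has registered. NSS keeps the list in pkcs11.txt, one
# block per module, e.g.
#   library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#   name=OpenSC smartcard framework
# The built-in NSS module has an empty "library=" line and is skipped.

# Print the library path of every external module in a pkcs11.txt file.
list_libraries() {
    sed -n 's/^library=\(..*\)$/\1/p' "$1"
}

# Echo one status word for a pkcs11.txt file:
#   conflict - a cackey or coolkey module is still registered
#   ok       - an OpenSC module is registered and no legacy module is
#   missing  - no OpenSC module is registered
# Name patterns are assumptions (libcackey.so, libcoolkeypk11.so,
# opensc-pkcs11.so / onepin-opensc-pkcs11.so).
classify_nssdb() {
    libs=$(list_libraries "$1")
    if printf '%s\n' "$libs" | grep -Eiq 'cackey|coolkey'; then
        echo conflict
    elif printf '%s\n' "$libs" | grep -q 'opensc-pkcs11'; then
        echo ok
    else
        echo missing
    fi
}

# Check the shared NSS database (used by Chrome/Chromium), every Firefox
# profile, and any extra pkcs11.txt paths given as arguments.
scan_dbs() {
    for f in "$HOME/.pki/nssdb/pkcs11.txt" \
             "$HOME"/.mozilla/firefox/*/pkcs11.txt "$@"; do
        [ -f "$f" ] || continue
        printf '%-9s %s\n' "$(classify_nssdb "$f")" "$f"
    done
}

scan_dbs "$@"
```

A `conflict` line means the old module was not fully removed from that browser's database; `missing` means pkcs11-register did not reach it, which matches the note above that the browser has to be installed before the commands are run.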