Self-signed certificate encountered by freshclam #1630

@galyfray

Description

Describe the bug

Unable to update the signature database with freshclam in ClamAV v1.5.1 when the certs folder is not the default one.
This issue seems to be linked to #1588.

How to reproduce the problem

  • Change the CVDCertsDirectory to a custom one and move the certs to the new location (so that they are not available at the default location anymore).
  • Try updating the database using freshclam.
  • Setting the CVD_CERTS_DIR env variable before updating does prevent/fix the issue.
root@locahost:/usr/local/etc# clamconf -n
Checking configuration files in /usr/local/etc

Config file: clamd.conf
-----------------------
DatabaseDirectory = "/var/lib/clamav"
CVDCertsDirectory = "/etc/clamav/certs"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "8388608"
LogTime = "yes"
LogRotate = "yes"
PidFile = "/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
CVDCertsDirectory = "/etc/clamav/certs/"
FIPSCryptoHashLimits = "yes"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "<redacted>"

clamav-milter.conf not found

Software settings
-----------------
Version: 1.5.1
Optional features supported: MEMPOOL AUTOIT_EA06 ICONV RAR

Database information
--------------------
Database directory: /var/lib/clamav
Total number of signatures: 0

Platform information
--------------------
uname: Linux 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: No LSB modules are available.
Debian GNU/Linux 12 (bookworm)
WARNING: zlib version mismatch: 1.3.1 (1.2.13)
zlib version: 1.3.1 (1.2.13), compile flags: a9
platform id: 0x0a21e7e708000000000a0201

Build information
-----------------
GNU C: 10.2.1 20210110 (10.2.1)
sizeof(void*) = 8
Engine flevel: 231, dconf: 231

Attachments

The error

Sun Nov  9 13:44:39 2025 -> [LibClamAV] Invalid digital signature for "/var/lib/clamav/tmp.896381a44e/daily.cvd": error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:44:39 2025 -> Error verifying signature signed by ["ClamAV_datafiles_release"]: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:44:39 2025 -> [LibClamAV] Failed to verify "/var/lib/clamav/tmp.896381a44e/daily.cvd" with "/var/lib/clamav/tmp.896381a44e/daily-27817.cvd.sign": Signature is invalid: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:44:39 2025 -> [LibClamAV] Detached CVD signature is invalid: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:44:39 2025 -> WARNING: Sun Nov  9 13:44:39 2025 -> [LibClamAV] cli_cvdload: Can't verify CVD file /var/lib/clamav/tmp.896381a44e/daily.cvd: Error verifying signature: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:VerifSun Nov  9 13:44:39 2025 -> y error: self-signed certificate in certificate chain
Sun Nov  9 13:44:39 2025 -> WARNING: Sun Nov  9 13:44:39 2025 -> [LibClamAV] Can't load /var/lib/clamav/tmp.896381a44e/daily.cvd: Can't verify database integrity
Sun Nov  9 13:44:39 2025 -> ERROR: Sun Nov  9 13:44:39 2025 -> Failed to load new database: Can't verify database integrity

full logs

freshclam --verbose --show-progress  --config-file=/usr/local/etc/freshclam.conf --debug
LibClamAV debug: Adding certificate to verifier store: X509 { serial_number: "0493F2B851C5D5BED1", signature_algorithm: sha512WithRSAEncryption, issuer: [organizationalUnitName = "Arbor", organizationName = "Cisco", commonName = "Cisco Software Identity Root CA RSA 4096 SHA512 2099"], subject: [organizationalUnitName = "Arbor", organizationName = "Cisco", commonName = "Cisco Software Identity Root CA RSA 4096 SHA512 2099"], not_before: Jan 24 18:45:25 2024 GMT, not_after: Jan 24 18:45:25 2099 GMT, public_key: PKey { algorithm: "RSA" } }
LibClamAV debug: Verifier created successfully
Sun Nov  9 13:43:47 2025 -> Current working dir is /var/lib/clamav/
Sun Nov  9 13:43:47 2025 -> Loaded freshclam.dat:
Sun Nov  9 13:43:47 2025 ->   version:    1
Sun Nov  9 13:43:47 2025 ->   uuid:       9f0cc232-b7a2-4c53-84f7-09001ba20038
Sun Nov  9 13:43:47 2025 -> ClamAV update process started at Sun Nov  9 13:43:47 2025
Sun Nov  9 13:43:47 2025 -> Current working dir is /var/lib/clamav/
Sun Nov  9 13:43:47 2025 -> Querying current.cvd.clamav.net
Sun Nov  9 13:43:47 2025 -> TTL: 1800
Sun Nov  9 13:43:47 2025 -> fc_dns_query_update_info: Software version from DNS: 1.0.9
Sun Nov  9 13:43:47 2025 -> Current working dir is /var/lib/clamav/
Sun Nov  9 13:43:47 2025 -> check_for_new_database_version: No local copy of "daily" database.
Sun Nov  9 13:43:47 2025 -> query_remote_database_version: daily.cvd version from DNS: 27817
Sun Nov  9 13:43:47 2025 -> daily database available for download (remote version: 27817)
Sun Nov  9 13:43:47 2025 -> Retrieving https://<redacted>/daily.cvd
Sun Nov  9 13:43:47 2025 -> downloadFile: Download source:      https://<redacted>/daily.cvd
Sun Nov  9 13:43:47 2025 -> downloadFile: Download destination: /var/lib/clamav/tmp.ba3a59c60a/daily.cvd
* Host <redacted>:443 was resolved.
* IPv6: (none)
* IPv4: <redacted>
*   Trying <redacted>:443...
* ALPN: curl offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=<redacted>
*  start date: Oct  1 19:19:54 2025 GMT
*  expire date: Dec 30 19:19:53 2025 GMT
*  subjectAltName: host "<redacted>" matched cert's "<redacted>"
*  issuer: C=US; O=Let's Encrypt; CN=E8
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Established connection to <redacted> (<redacted> port 443) from <redacted> port 56424
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://<redacted>/daily.cvd
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: <redacted>]
* [HTTP/2] [1] [:path: /daily.cvd]
* [HTTP/2] [1] [user-agent: ClamAV/1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64, UUID: 9f0cc232-b7a2-4c53-84f7-09001ba20038)]
* [HTTP/2] [1] [accept: */*]
> GET /daily.cvd HTTP/2
Host: <redacted>
User-Agent: ClamAV/1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64, UUID: 9f0cc232-b7a2-4c53-84f7-09001ba20038)
Accept: */*
Connection: close

* Request completely sent off
< HTTP/2 200
< server: nginx/1.22.1
< date: Sun, 09 Nov 2025 13:43:48 GMT
< content-type: application/octet-stream
< content-length: 64738629
< last-modified: Sun, 09 Nov 2025 12:12:10 GMT
< etag: "6910851a-3dbd545"
< accept-ranges: bytes
<
Time:    1.0s, ETA:    0.0s [========================>]   61.74MiB/61.74MiB
* Connection #0 to host <redacted>:443 left intact
Sun Nov  9 13:43:48 2025 -> Retrieving https://<redacted>/daily-27817.cvd.sign
Sun Nov  9 13:43:48 2025 -> downloadFile: Download source:      https://<redacted>/daily-27817.cvd.sign
Sun Nov  9 13:43:48 2025 -> downloadFile: Download destination: /var/lib/clamav/tmp.ba3a59c60a/daily-27817.cvd.sign
* Host <redacted>:443 was resolved.
* IPv6: (none)
* IPv4: <redacted>
*   Trying <redacted>:443...
* ALPN: curl offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=<redacted>
*  start date: Oct  1 19:19:54 2025 GMT
*  expire date: Dec 30 19:19:53 2025 GMT
*  subjectAltName: host "<redacted>" matched cert's "<redacted>"
*  issuer: C=US; O=Let's Encrypt; CN=E8
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Established connection to <redacted> (<redacted> port 443) from <redacted> port 59346
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://<redacted>/daily-27817.cvd.sign
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: <redacted>]
* [HTTP/2] [1] [:path: /daily-27817.cvd.sign]
* [HTTP/2] [1] [user-agent: ClamAV/1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64, UUID: 9f0cc232-b7a2-4c53-84f7-09001ba20038)]
* [HTTP/2] [1] [accept: */*]
> GET /daily-27817.cvd.sign HTTP/2
Host: <redacted>
User-Agent: ClamAV/1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64, UUID: 9f0cc232-b7a2-4c53-84f7-09001ba20038)
Accept: */*
Connection: close

* Request completely sent off
< HTTP/2 200
< server: nginx/1.22.1
< date: Sun, 09 Nov 2025 13:43:49 GMT
< content-type: application/octet-stream
< content-length: 9078
< last-modified: Sun, 09 Nov 2025 12:12:11 GMT
< etag: "6910851b-2376"
< accept-ranges: bytes
<
Time:    0.1s, ETA:    0.0s [========================>]    8.87KiB/8.87KiB
* Connection #0 to host <redacted>:443 left intact
Sun Nov  9 13:43:49 2025 -> Downloaded digital signature file: /var/lib/clamav/tmp.ba3a59c60a/daily-27817.cvd.sign
LibClamAV debug: Successfully verified signature signed by: ["ClamAV_datafiles_release"]
LibClamAV debug: Successfully verified "/var/lib/clamav/tmp.ba3a59c60a/daily.cvd" signed by ClamAV_datafiles_release
LibClamAV debug: CVD verified successfully with detached signature file
Sun Nov  9 13:43:49 2025 -> updatedb: Running g_cb_download_complete callback...
Sun Nov  9 13:43:49 2025 -> download_complete_callback: Download complete for database : /var/lib/clamav/tmp.ba3a59c60a/daily.cvd
Sun Nov  9 13:43:49 2025 -> download_complete_callback:   fc_context->bTestDatabases   : 1
Sun Nov  9 13:43:49 2025 -> download_complete_callback:   fc_context->bBytecodeEnabled : 1
Sun Nov  9 13:43:49 2025 -> Testing database: '/var/lib/clamav/tmp.ba3a59c60a/daily.cvd' ...
Sun Nov  9 13:43:49 2025 -> Loading signatures from /var/lib/clamav/tmp.ba3a59c60a/daily.cvd
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Initializing phishcheck module
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Phishcheck module initialized
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Bytecode initialized in interpreter mode
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: clean_cache_init: Caching disabled.
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: clean_cache_init: Cache initialized successfully.
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Verifier created successfully
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: in cli_cvdload()
Sun Nov  9 13:43:49 2025 -> Error verifying signature signed by ["ClamAV_datafiles_release"]: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:43:49 2025 -> [LibClamAV] Invalid digital signature for "/var/lib/clamav/tmp.ba3a59c60a/daily.cvd": error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:43:49 2025 -> [LibClamAV] Failed to verify "/var/lib/clamav/tmp.ba3a59c60a/daily.cvd" with "/var/lib/clamav/tmp.ba3a59c60a/daily-27817.cvd.sign": Signature is invalid: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:43:49 2025 -> [LibClamAV] Detached CVD signature is invalid: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Sun Nov  9 13:43:49 2025 -> WARNING: Sun Nov  9 13:43:49 2025 -> [LibClamAV] cli_cvdload: Can't verify CVD file /var/lib/clamav/tmp.ba3a59c60a/daily.cvd: Error verifying signature: error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:VerifSun Nov  9 13:43:49 2025 -> y error: self-signed certificate in certificate chain
Sun Nov  9 13:43:49 2025 -> WARNING: Sun Nov  9 13:43:49 2025 -> [LibClamAV] Can't load /var/lib/clamav/tmp.ba3a59c60a/daily.cvd: Can't verify database integrity
Sun Nov  9 13:43:49 2025 -> ERROR: Sun Nov  9 13:43:49 2025 -> Failed to load new database: Can't verify database integrity
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Cleaning up phishcheck
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Freeing phishcheck struct
Sun Nov  9 13:43:49 2025 -> LibClamAV debug: Phishcheck cleaned up
WARNING: Sun Nov  9 13:43:49 2025 -> Stderr output from database load : LibClamAV debug: Initialized 1.5.1 engine [...] LibClamAV debug: Phishcheck cleaned up
WARNING: Sun Nov  9 13:43:49 2025 -> Database load exited with "Test failed"
ERROR: Sun Nov  9 13:43:49 2025 -> Database test FAILED.
Sun Nov  9 13:43:49 2025 -> updatedb: callback failed: Test failed (8)
ERROR: Sun Nov  9 13:43:49 2025 -> Unexpected error when attempting to update daily: Test failed
ERROR: Sun Nov  9 13:43:49 2025 -> Database update process failed: Test failed
ERROR: Sun Nov  9 13:43:49 2025 -> Update failed.
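The workaround the reporter mentions (exporting CVD_CERTS_DIR before updating), as an added POSIX shell example that is not part of the issue or of the ClamAV project: it reads CVDCertsDirectory from freshclam.conf, checks that the directory actually holds certificate files, and runs freshclam with the variable exported so the database test inherits the custom location. The function names, the default config path and the *.crt naming check are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or from ClamAV). Assumes freshclam.conf uses the
# usual "Option value" syntax and that trusted certs are stored as *.crt files.

# Print the CVDCertsDirectory value from a freshclam.conf with surrounding quotes,
# inline comments and trailing slashes stripped. Last occurrence wins.
# Prints nothing and returns 1 when the option is not set.
cvd_certs_dir_from_conf() {
    conf="$1"
    dir=$(sed -n 's/^[[:space:]]*CVDCertsDirectory[[:space:]]\{1,\}//p' "$conf" \
          | sed 's/#.*//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//; s:/*$::' \
          | tail -n 1)
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Return 0 when the directory exists and contains at least one *.crt file,
# i.e. something the CVD verifier can load; otherwise return 1.
cvd_certs_dir_usable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.crt; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Run freshclam with CVD_CERTS_DIR set from the config file, so that the
# post-download database test (which ignores CVDCertsDirectory per the issue)
# still finds the certificates. Extra arguments are passed through to freshclam.
run_freshclam_with_certs() {
    conf="${1:-/usr/local/etc/freshclam.conf}"   # assumed default path
    [ $# -gt 0 ] && shift
    dir=$(cvd_certs_dir_from_conf "$conf") \
        || { echo "CVDCertsDirectory not set in $conf" >&2; return 2; }
    cvd_certs_dir_usable "$dir" \
        || { echo "no *.crt files found in $dir" >&2; return 3; }
    CVD_CERTS_DIR="$dir" freshclam --config-file="$conf" "$@"
}

# Usage: run_freshclam_with_certs /usr/local/etc/freshclam.conf --verbose
```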
