Author Topic: Only der encoded certificate (*cer/der/crt) is supported (CLOSED)  (Read 1079 times)

Offline ujjwal

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 3
  • New To PeppermintOS
    • View Profile
  • Peppermint version(s): 6
I have installed peppermint 6. It used to be my rescue disk, which explains the old version. When I launch the MOK to enroll the only key I see there, I get
the above message. Apparently, it is a common problem. There is so much about it on the internet but I don't understand the language. Some guides suggest that I run
some commands but I can't. I can't login until I enroll the right key. Can someone break it down for me? What can I do at this point?

PS. I can't disable Secure boot because there is no such option in my laptop. It was purchased back in 2009-2010.

Appreciate it.
« Last Edit: April 22, 2020, 08:23:19 am by Slim.Fatz »

Offline Slim.Fatz

  • Global Moderator
  • Veteran
  • *****
  • Posts: 2373
  • Karma: 623
  • Where's the mouse?
    • View Profile
  • Peppermint version(s): Peppermint 7, 8.5 & 10 - 64bit
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #1 on: April 10, 2020, 08:19:56 am »
Hi ujjwal,

Sorry to ask this, but what is MOK ?? Also, why are you installing Peppermint Six ??  :-\ It is EOL (end of life) and will not be supported any longer. It is safer to install a newer version (e.g. Peppermint 9 or Peppermint Ten).

We also wish that all new forum members who post requests for assistance supply basic information about their computer hardware. To do this, open a terminal and enter this command (you should be able to do this using the live session from your rescue disk if you cannot login to the installed version):

Code: [Select]
inxi -Fz
Copy the output and include it in your next post.

Regards,

-- Slim
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Online VinDSL

  • Administrator
  • Hero
  • *****
  • Posts: 5875
  • Karma: 1140
  • Team Peppermint
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #2 on: April 10, 2020, 11:12:18 am »
Hi ujjwal,

Sorry to ask this, but what is MOK ??

MOK is pure voodoo  :))

When I'm doing a fresh 64bit install (and the hardware supports it) I always invoke UEFI/Secure Boot.

Why? Because I tend to be rather geekish about this. It's the challenge that draws me to it, like a moth to flame.

Really, it's a moving target, and a learning experience, every time I do it. It's not for the faint of heart, nor necessary for most users.

As a matter of fact, prevailing logic dictates that the only reason for "Secure Boot" is to allow Microsoft to have some level of control over bootleg and/or expired winders installs. It doesn't provide security for users, or so 'they' say.

Put another way, signed kernels are of no use to 99.999% of Linux users.

I guess that makes me a .001% user...

Offline Slim.Fatz

  • Global Moderator
  • Veteran
  • *****
  • Posts: 2373
  • Karma: 623
  • Where's the mouse?
    • View Profile
  • Peppermint version(s): Peppermint 7, 8.5 & 10 - 64bit
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #3 on: April 10, 2020, 11:26:43 am »
 ??? OOooph ... I think I'm going to barf ...  :-X
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Offline ujjwal

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 3
  • New To PeppermintOS
    • View Profile
  • Peppermint version(s): 6
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #4 on: April 12, 2020, 08:23:13 am »
Here is the output to inxi-fz

System:
  Host: manjaro Kernel: 5.2.11-1-MANJARO x86_64 bits: 64 {I am on manjaro live until I login to Peppermint on /dev/sda}
  Desktop: Xfce 4.14.1 Distro: Manjaro Linux
Machine:
  Type: Laptop System: Hewlett-Packard product: Compaq 620 v: F.20
  serial: <filter>
  Mobo: Hewlett-Packard model: 1526 v: KBC Version 71.0E serial: <filter>
  UEFI: Hewlett-Packard v: 68PVI Ver. F.20 date: 12/12/2011
CPU:
  Topology: Dual Core model: Intel Core2 Duo T6570 bits: 64 type: MCP
  L2 cache: 2048 KiB
  Speed: 1197 MHz min/max: 1200/2101 MHz Core speeds (MHz): 1: 1211 2: 1198
Graphics:
  Device-1: Intel Mobile 4 Series Integrated Graphics driver: i915 v: kernel
  Display: x11 server: X.Org 1.20.5 driver: intel unloaded: modesetting
  tty: N/A
  OpenGL: renderer: Mesa DRI Mobile Intel GM45 Express v: 2.1 Mesa 19.1.5
Audio:
  Device-1: Intel 82801I HD Audio driver: snd_hda_intel
  Sound Server: ALSA v: k5.2.11-1-MANJARO
Network:
  Device-1: Realtek RTL810xE PCI Express Fast Ethernet driver: r8169
  IF: ens5 state: down mac: <filter>
  IF-ID-1: enp0s29f7u5 state: unknown speed: N/A duplex: N/A mac: <filter>
Drives:
  Local Storage: total: 299.95 GiB used: 14.06 GiB (4.7%)
  ID-1: /dev/sda vendor: Hitachi model: HTS545032B9A300 size: 298.09 GiB
  ID-2: /dev/sdb type: USB model: SMI USB size: 1.86 GiB
Partition:
  ID-1: / size: 2.14 GiB used: 125.6 MiB (5.7%) fs: overlay source: ERR-102
Sensors:
  System Temperatures: cpu: 59.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Info:
  Processes: 179 Uptime: 10m Memory: 2.86 GiB used: 1001.6 MiB (34.2%)
  Shell: bash inxi: 3.0.36

@Slim.Fatz

MOK is exactly what VinDSL has indicated. I used to have Peppermint 6 as a rescue disk. I have it on my desktop too. When I fked up my Manjaro installation (irresponsible use of su), I decided to installed Peppermint here too, because I liked its performance on my dekstop.

For a newer version, I would have to download it. I do not have access to unlimited internet so I installed from my old rescue USB.

@VinDSL

Unfortunately, my BIOS menu does not have secureboot, so I can not disable it.

What can I do now to enroll the right key?

Offline ujjwal

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 3
  • New To PeppermintOS
    • View Profile
  • Peppermint version(s): 6
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #5 on: April 13, 2020, 06:29:21 am »
Update-

Turns out secure boot is not enabled by default. Here is the output from bootctl --status.

Couldn't find EFI system partition. It is recommended to mount it to /boot or /efi.
Alternatively, use --esp-path= to specify path to mount point.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
   Setup Mode: user

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
          ESP: n/a
         File: └─n/a

Boot Loaders Listed in EFI Variables:
        Title: peppermint
           ID: 0x0006
       Status: active
    Partition: /dev/disk/by-partuuid/b307ae08-5d16-489a-bca2-cc095ecd05ae
         File: └─/EFI/peppermint/shimx64.efi

But I still have the same issue. My guess now is that there is no boot64.efi file in the esp. There are shim64.efi, grub64.efi, and mmx64.efi. I think I might have to rename one of these files to boot64.efi.
Does anyone have any idea here?

Online VinDSL

  • Administrator
  • Hero
  • *****
  • Posts: 5875
  • Karma: 1140
  • Team Peppermint
    • View Profile
  • Peppermint version(s): Developmental Builds
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #6 on: April 13, 2020, 10:40:24 am »
@VinDSL

Unfortunately, my BIOS menu does not have secureboot, so I can not disable it.

What can I do now to enroll the right key?

Heh!  Once again, it's voodoo. In my experience, there are no quick answer and easy answer(s).

I will say, there are two basic constants at play here... pre-install and post-install; and, they both need to be handled differently. Either way, however, one will usually be faced with an avalanche of problems. One just needs to keep shoveling, until they hit paydirt. Mostly, it's pure luck, finding the right combination.

[ Poor analogy coming up ]  Since we're talking about "keys"... It's akin to picking a lock   ;D

Personally, I've never had the same solution work twice. There are too many viables at play, from machine-to-machine.

Rod has got a pretty good write-up, over here (albeit #TLDR):  https://is.gd/PJQkdF

You might be able to pick up a few tips n' tricks, by reading between the lines.

If nothing else, it demonstrates the complexity of the situation, at hand...
« Last Edit: April 13, 2020, 03:33:30 pm by VinDSL »

Offline cavy

  • Trusted User
  • Member
  • *****
  • Posts: 477
  • Karma: 97
  • Caveman
    • View Profile
  • Peppermint version(s): Peppermint Ten
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #7 on: April 13, 2020, 03:27:44 pm »
Hi ujjwal,

A DER file simply is the Linux signed entry placed in your SecureBoot device, when installing in UEFI and SecureBoot mode.

Looking at your inxi printout, you are using a Manjaro live media for your example. Please note Manjaro will not install nor boot up on a SecureBoot enabled system. It gives the following message "Operating System Loader has no signature. Incompatible with SecureBoot".

UEFI was in the experimental stage when your laptop was manufactured, before it came prime time circa 2011-12, followed by SecureBoot soon after with 3rd generation intel based computers. I've had several machines from that era and the UEFI capsule were very fragile and prone to become corrupted. Have you considered formatting your disk with MSDOS, to install in Legacy mode.?

Below is the output, of a dual-boot desktop with Windies 10 and PM10 installed in GPT, UEFI, SecureBoot with the use of MOK (Machine Owners Key). All UUID's and key codes are XXed out for security purposes.

Spoiler (click here to view / hide)
[close]

I have three computers which are installed with in UEFI and SecureBoot, two work flawlessly, one is bricked. Due to resetting or deleting DER files being HIT or MISS.   :o

Regards cavy   ;)
« Last Edit: April 13, 2020, 03:40:51 pm by cavy »
“We know what we are, but not what we may be.”

Various machines to sample the delights of Linux

Offline ujjwal

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 3
  • New To PeppermintOS
    • View Profile
  • Peppermint version(s): 6
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #8 on: April 21, 2020, 11:01:20 am »
Since I need GPT (for more than 4 partitions), I preferred efi. I went ahead an downloaded Bodhi Linux (due its small iso size) . It managed to install just fine, surprisingly, even though both are based on Ubuntu. Here is my boot ctl output-

Spoiler (click here to view / hide)
[close]

Perhaps, the issue was an older version of Peppermint iso. Perhaps, I do not have unlimited internet to try it on live usb. I am just reporting my last remarks.

Offline cavy

  • Trusted User
  • Member
  • *****
  • Posts: 477
  • Karma: 97
  • Caveman
    • View Profile
  • Peppermint version(s): Peppermint Ten
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #9 on: April 22, 2020, 03:17:57 am »
Hi ujjwal,

FYI    ;)

GPT (UEFI) supports up to 128 primary partitions and disk larger than 3TB

MSDOS (MBR) supports four primary partition and disks up to 2TB.

The use of an extend partition (for MSDOS) is able support 64 logical partitions. It is argued the modern kernel may be able to support more.

A viable theme could be x1 primary /boot and x1 extended partitions. With up to 64 logical partitions.

The most I ever installed was "eight" distros using this method. But with a primary /boot, extended and /home partition for communal storage.

Alas maintaining x8 distros on one machine proved too much of a chore.

regards cavy.   :D

Edit, add comment below and correct typos

Should this topic be resolved, please mark as [Solved] or [Closed], thank you.
« Last Edit: April 22, 2020, 04:42:34 am by cavy »
“We know what we are, but not what we may be.”

Various machines to sample the delights of Linux

Offline spence

  • Administrator
  • Hero
  • *****
  • Posts: 2973
  • Karma: 337
  • peppermint user since 2010
    • View Profile
  • Peppermint version(s): PMVII, PMVIII, PMIX, PMX Respins
Re: Only der encoded certificate (*cer/der/crt) is supported
« Reply #10 on: April 22, 2020, 05:44:32 pm »
Perhaps, the issue was an older version of Peppermint iso. Perhaps, I do not have unlimited internet to try it on live usb. I am just reporting my last remarks.

FWIW, Working in the LiveUSB doesn't in any way imply you need to be online the whole time you are working within the LiveUSB environment.

 ;)
spence
PeppermintOS 8,9 & 10 Respins currently installed  on:
'16 Antec Aria rebuild
PMX Respin on '18 Asus VivoBook


Do not despair, grasshopper...
    with patience all will be revealed...
       Through pain, enlightenment will come.

Offline ujjwal

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 3
  • New To PeppermintOS
    • View Profile
  • Peppermint version(s): 6
Re: Only der encoded certificate (*cer/der/crt) is supported (CLOSED)
« Reply #11 on: April 24, 2020, 11:04:02 am »
I mean I do not have unlimited internet to download Peppermint 10's iso because it is more than 1GB. It might have installed fine but I simply can't try it

Offline spence

  • Administrator
  • Hero
  • *****
  • Posts: 2973
  • Karma: 337
  • peppermint user since 2010
    • View Profile
  • Peppermint version(s): PMVII, PMVIII, PMIX, PMX Respins
Re: Only der encoded certificate (*cer/der/crt) is supported (CLOSED)
« Reply #12 on: April 24, 2020, 12:48:07 pm »
I mean I do not have unlimited internet to download Peppermint 10's iso because it is more than 1GB. It might have installed fine but I simply can't try it

Torrents download much more quickly, have you tried that?


https://peppermintos.com/guide/downloading/

Click there, then scroll down to the torrent links for 64 bit

 ;)
« Last Edit: April 24, 2020, 12:55:26 pm by spence »
spence
PeppermintOS 8,9 & 10 Respins currently installed  on:
'16 Antec Aria rebuild
PMX Respin on '18 Asus VivoBook


Do not despair, grasshopper...
    with patience all will be revealed...
       Through pain, enlightenment will come.

Offline ujjwal

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 3
  • New To PeppermintOS
    • View Profile
  • Peppermint version(s): 6
Re: Only der encoded certificate (*cer/der/crt) is supported (CLOSED)
« Reply #13 on: May 11, 2020, 03:54:06 am »
The problem is not download speed. It is how much I can download.