Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)

To: Greg Troxel <gdt%lexort.com@localhost>
Subject: Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
From: Riccardo Mottola <riccardo.mottola%libero.it@localhost>
Date: Sun, 14 Jun 2026 16:53:53 +0200

Hi Greg,

Greg Troxel wrote:

Now you have two copies of openssl because 9 is old.  9 does not have
OS-installed trust anchors ('root certs').

Ok... if I try to remove openssl, git-base is removed as dependency, soit is needed and we may suppose it is using that one.My bad I didn't test before doing an update of packages... and I didn'texpect pkgin to silently remove half of my installation. Anyway, havingthem added back, things should be sed.


So, the first advice is to update to 10.  9 is ancient - it's been more
than 6 years now, and IMHO nobody should be using it.  It's going to be
formally desupported when 11 is released, more or less (which has been
"soon" for quite a while now :-( ).

Having several laptops, I try to keep some in previous and some incurrent release, if possible, for the sake of testing.I used also to run a laptop on current, but it became a too high burden.I could update that one to test 11RC4 for the sake of test, if there isa smooth way to upgrade to release.

Also 9.4 runs quite well on this ThinkPad... always reluctant to update.I hope I can solve this cert issue before. I could shift the other HP to11RC4 and this to 10.1.

The second bit of advice is to look not only in /etc/openssl but also in
/usr/pkg/etc/openssl.   I am really unclear on the plan of where pkgsrc
looks for config.

For what it's worth, on a NetBSD 9 box I can access (there are only 2),
git works (with a server with an LE cert).


right, so I just discovered that:
/etc/openssl/certs/ is full of certificates, they are dated 2023 though.
/usr/pkg/etc/openssl/certs is empty

2023 dates are a bit incomaptible with mozilla-rootcerts-1.1.20260211

I did an extract and refresh in /etc/openssl/certs as the file itselfsays, now they are up-to-date

But the problem with pkg provided openssl remains.mozilla-rootcerts-openssl seems exactly what I need. I install it but/usr/pkg/etc/openssl/certs/ remains empty

Then I understood that it too modified /etc/openssl/certs

Just for a test, I attempted something "quite dirty":
cp *.* /usr/pkg/etc/openssl/certs/

and now git works. So I am sure it is pkg-openssl looking forcertificates in the wrong directory and/or something should have copiedcertificates there.It would be better not to have copies perhaps, and that both openssl'suse /etc/openssl ? I don't know how it is thought out but it is broken now.

Follow-Ups:
- Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
  - From: Greg Troxel

References:
- unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
  - From: Riccardo Mottola
- Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
  - From: Greg Troxel

Prev by Date: Re: Tweek the PS1 for root
Next by Date: Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
Previous by Thread: Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
Next by Thread: Re: unable to use git with github: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
Indexes:

Home | Main Index | Thread Index | Old Index