Re: netbsd 9.3 upgrade to 10.0

[Havard Eidnes <he%NetBSD.org@localhost>]

> I upgraded netbsd 9.3 to 10.0 in the production environment,
> and after completing the upgrade, I changed the
> repositories. conf of pkgin to 10.0 in the source. The pkgin
> update error is as follows:
>
> # pkgin  update
>
> processing remote summary (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All)...
>
> 122825853433856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:

What is failing is the x509 certificate validation for
http-over-TLS, probably because openssl can't find the
corresponding root certificate.

I'm not sure how you updated, but "etcupdate -s etc.tgz" should have
installed the NetBSD default certificate bundle, and should have tried
to re-hash the root certificates, via "certctl rehash".  If that gave
you an error message (or you get an error message when you now re-try
that), you may have the mozilla-rootcerts-openssl package installed
already, and the help you get from certctl in that case is at best
minimal:

certctl: existing certificates; set manual or move them

It is far from clear for an ordinary user who just installed the
mozilla-rootcerts-openssl to get a working "curl" or "git" (and who
hasn't done anything more "advanced" with the certs than that) what
that actually means and what action needs to be taken.  I *think* that
means that you can now remove the mozilla-rootcerts-openssl package,
and retry doing "certctl rehash", which should now give no error
message.

At least that worked for me.

Best regards,

- Håvard