Re: cryptic pkgin SSL cert error

To: beaker <beaker%sdf.org@localhost>
Subject: Re: cryptic pkgin SSL cert error
From: David Brownlee <abs%absd.org@localhost>
Date: Tue, 23 Apr 2024 11:52:26 +0100

On Tue, 23 Apr 2024 at 02:27, beaker <beaker%sdf.org@localhost> wrote:
>
> Hello,
>
> I have a 9.3/i386 VM on which I recently ran
>   $ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove
>
> which worked but subsequent attempts to use pkgin report the following error:
>
> --
> $ sudo pkgin update
> cleaning database from http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries...
> reading local summary...
> processing local summary...
> processing remote summary (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)...
> 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> pkgin: Could not fetch https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz: Authentication error
> --
>
> A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so
> it only uses http not https but I'd really rather not do that going
> forward so I'm looking for some guidance on how to fix wahatever
> is causing this SSL certificate verification error.
>
> System info:
> $ pkgin -v
> pkgin 23.8.1 (using SQLite 3.26.0)
> $ uname -a |cut -d' ' -f4-12
> NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC
> $ uname -m
> i386

Do you have security/mozilla-rootcerts-openssl installed? (which
should provide a full set of certs in /etc/openssl). Alternatively
what do you have in /etc/openssl

For netbsd-10 /etc/openssl is populated by the OS, but doing that
would be a breaking change on netbsd-9, however it may be that the
latest pkgin is enforcing SSL certificates by default on netbsd-9
which would be... unhelpful in this case

David

Follow-Ups:
- Re: cryptic pkgin SSL cert error
  - From: beaker
- Re: cryptic pkgin SSL cert error
  - From: Greg Troxel

References:
- cryptic pkgin SSL cert error
  - From: beaker

Prev by Date: Re: Mail delivery from Postfix to remote IMAP
Next by Date: Re: cryptic pkgin SSL cert error
Previous by Thread: cryptic pkgin SSL cert error
Next by Thread: Re: cryptic pkgin SSL cert error
Indexes:

Home | Main Index | Thread Index | Old Index