NetBSD-Users archive


Re: cryptic pkgin SSL cert error



David Brownlee <abs%absd.org@localhost> wrote:

> On Tue, 23 Apr 2024 at 02:27, beaker <beaker%sdf.org@localhost> wrote:
> > I have a 9.3/i386 VM on which I recently ran
> >   $ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove
> >
> > which worked but subsequent attempts to use pkgin report the following error:
> >
> > --
> > $ sudo pkgin update
> > cleaning database from http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries...
> > reading local summary...
> > processing local summary...
> > processing remote summary (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)...
> > 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> > 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> > 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> > pkgin: Could not fetch https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz: Authentication error
> > --
> >
> > A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so
> > it only uses http not https but I'd really rather not do that going
> > forward so I'm looking for some guidance on how to fix whatever
> > is causing this SSL certificate verification error.
> >
> > System info:
> > $ pkgin -v
> > pkgin 23.8.1 (using SQLite 3.26.0)
> > $ uname -a |cut -d' ' -f4-12
> > NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC
> > $ uname -m
> > i386
>
> Do you have security/mozilla-rootcerts-openssl installed? (which
> should provide a full set of certs in /etc/openssl). Alternatively
> what do you have in /etc/openssl?
>
> For netbsd-10 /etc/openssl is populated by the OS, but doing that
> would be a breaking change on netbsd-9, however it may be that the
> latest pkgin is enforcing SSL certificates by default on netbsd-9
> which would be... unhelpful in this case

Thanks, installing the mozilla-rootcerts-openssl pkg then re-editing
../pkgin/repositories.conf to use "https" worked.

You're probably right about this being sort of a transitory issue
mostly affecting 9.x, I just hadn't encountered it before and I've
a handful of 9.x systems.  Probably the aforementioned rootcert pkg
is already present on those.

-B
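
A check for the two conditions discussed in this thread, an empty OpenSSL trust store and a repositories.conf downgraded to plain http, added here as an example and not part of the original messages. The function names are hypothetical, and /etc/openssl/certs as the certificate directory is an assumption (the thread only names /etc/openssl).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# has_ca_certs DIR: succeed if at least one file under DIR holds a PEM certificate.
# -L follows symlinks, because trust stores are often hash-named links.
has_ca_certs() {
    found=$(find -L "$1" -type f \
        -exec grep -l -e '-----BEGIN CERTIFICATE-----' {} + 2>/dev/null | head -n 1)
    [ -n "$found" ]
}

# plaintext_repos FILE: print active (uncommented) repository lines using http://
plaintext_repos() {
    [ -r "$1" ] || return 0
    grep -E '^[[:space:]]*http://' "$1" || true
}

# check_pkgin_tls CERTDIR REPOFILE
# Returns 0 = ok, 1 = empty trust store, 2 = plaintext repository, 3 = both.
check_pkgin_tls() {
    status=0
    if ! has_ca_certs "$1"; then
        echo "no CA certificates under $1: HTTPS fetches will fail verification"
        echo "fix: install security/mozilla-rootcerts-openssl"
        status=1
    fi
    plain=$(plaintext_repos "$2")
    if [ -n "$plain" ]; then
        echo "repositories fetched without TLS in $2:"
        echo "$plain"
        status=$((status + 2))
    fi
    return "$status"
}

# Run only when both paths are given, for example (certificate directory assumed):
#   sh check.sh /etc/openssl/certs /usr/pkg/etc/pkgin/repositories.conf
if [ "$#" -eq 2 ]; then
    check_pkgin_tls "$1" "$2"
fi
```

A return of 3 is the state reached by the http work-around on a system whose trust store was never populated.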

