NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Upgrade 8.2 -> 9.4 breaks cpan?



I tried just installing pkg  "mozilla-rootcerts-openssl”, and it seems to have fixed cpan. I will keep your comments for future reference if other things misbehave.

Thank you,

-dgl-

> On Nov 17, 2024, at 7:21 AM, Martin Neitzel <neitzel%hackett.marshlabs.gaertner.de@localhost> wrote:
> 
> Don Lee:
>> Ideas?
> 
> Looks to me as if certificate verification fails on your box because
> the collection of root certificates cannot be found.
> 
> The oldest way to get them was to install the pkg "mozilla-rootcerts".
> On top of that, one had to manually unpack the certificate bundle
> and to create/update all the hashed links to the certificates, and
> all of that in the proper places.  The include script
> /usr/pkg/sbin/mozilla-rootcerts helps you doing this:
> 
> 	# This script is meant to be used as follows:
> 	#
> 	#       # cd /etc/openssl/certs
> 	#       # mozilla-rootcerts extract
> 	#       # mozilla-rootcerts rehash
> 
> Re-running these these steps might be all you need.
> 
> (The motivation for not writing directly to /etc/openssl/certs
> on pkg install is to not mess around with the default local
> trust base.)
> 
> 
> A later pkg called "mozilla-rootcerts-openssl" entered the game
> 2015, around netbsd-7 or -8, as an alternative to "mozilla-rootcerts".
> It already contains the unbundled root certificates and their hash
> files and places them in /etc/openssl/certs/.
> 
> According to the pkg description, it also tries to align the
> directories used for "base-openssl" and "pkgsrc-openssl". (I couldn't
> find any such "post-install" actions, though; looks like this more
> a pkgsrc compile-time decision.)  You might want to switch from
> pkg "mozilla-rootcerts" to "mozilla-rootcerts-openssl".
> 
> Still, throwing a symlink between /usr/pkg/etc/openssl/certs and
> /etc/openssl/certs might be needed.
> 
> 
> (With netbsd-10.0, things become much simpler:  you'll get the
> mozilla root certificates with base system, and there is certctl(8)
> to maintain these and further certificate sets.)
> 
> 					Martin Neitzel



Home | Main Index | Thread Index | Old Index