From nobody Thu Dec  7 10:35:52 2023
X-Original-To: freebsd-stable@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Sm9fV4qCYz540qZ
	for <freebsd-stable@mlmmj.nyi.freebsd.org>; Thu,  7 Dec 2023 10:36:02 +0000 (UTC)
	(envelope-from SRS0=aNgP=HS=klop.ws=ronald-lists@realworks.nl)
Received: from smtp-relay-int-backup.realworks.nl (smtp-relay-int-backup.realworks.nl [87.255.56.188])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Sm9fS5pTXz4cv5
	for <freebsd-stable@freebsd.org>; Thu,  7 Dec 2023 10:36:00 +0000 (UTC)
	(envelope-from SRS0=aNgP=HS=klop.ws=ronald-lists@realworks.nl)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=klop.ws header.s=rw2 header.b=lxDLqH6p;
	spf=pass (mx1.freebsd.org: domain of "SRS0=aNgP=HS=klop.ws=ronald-lists@realworks.nl" designates 87.255.56.188 as permitted sender) smtp.mailfrom="SRS0=aNgP=HS=klop.ws=ronald-lists@realworks.nl";
	dmarc=pass (policy=quarantine) header.from=klop.ws
Received: from rwvirtual136.colo.realworks.nl (rwvirtual136.colo.realworks.nl [10.0.10.36])
	by mailrelayint1.colo2.realworks.nl (Postfix) with ESMTP id 4Sm9fK0VZTzhw
	for <freebsd-stable@freebsd.org>; Thu,  7 Dec 2023 11:35:52 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=klop.ws; s=rw2;
	t=1701945353;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 references:references; bh=VU5FqKEKvAxSen5kPgU0iEWKK+wyeiQm3GvZq5PFd4Q=;
	b=lxDLqH6pIgo36LuYu0+I9vmnn3hVKKJBy1hKaAqIxtLM+A6saOXo93nY//t6C2hj8EJcgl
	h5qEyFrIGnuomo08lHyjQu2myHkzbpfgu2jyR2uNQ6O17t6oA/Yrd02e+ovkKWux1Prnt2
	RgMtYvHKnr0lAi4d0E6yjxWovpddYHAdhZXMfY/BmbvyoGG/THkqe/VQBy1bWUuouGn0hi
	LH+UnrFixYXnQswOzN/a12sw/FR06j9TPaWX2WQOYQPCm4SVY0kKJDNl5FqDFegs++BezD
	134rNxwCnYDwa81GwTcPLCD+Izw01I30/fBRGK4xAJtKvihqRNEwcR0odDkWLw==
Received: from rwvirtual136.colo.realworks.nl (localhost [127.0.0.1])
	by rwvirtual136.colo.realworks.nl (Postfix) with ESMTP id E7695101572
	for <freebsd-stable@freebsd.org>; Thu,  7 Dec 2023 11:35:52 +0100 (CET)
Date: Thu, 7 Dec 2023 11:35:52 +0100 (CET)
From: Ronald Klop <ronald-lists@klop.ws>
To: freebsd-stable@freebsd.org
Message-ID: <464886240.91844.1701945352782@localhost>
References: <65710262.29a57.67c10f38@rpi4>
Subject: freebsd-update complains about changed files:
 /etc/ssl/certs/0179095f.0
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-stable
List-Help: <mailto:stable+help@freebsd.org>
List-Post: <mailto:stable@freebsd.org>
List-Subscribe: <mailto:stable+subscribe@freebsd.org>
List-Unsubscribe: <mailto:stable+unsubscribe@freebsd.org>
Sender: owner-freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_91843_619229736.1701945352671"
X-Mailer: Realworks (681.40)
X-Originating-Host: from (84-105-120-103.cable.dynamic.v4.ziggo.nl [84.105.120.103])
	by rwvirtual136 [10.0.10.36]
	with HTTP; Thu, 07 Dec 2023 11:35:52 +0100
Importance: Normal
X-Priority: 3 (Normal)
X-Originating-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
X-Spamd-Result: default: False [-3.19 / 15.00];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.99)[-0.990];
	DMARC_POLICY_ALLOW(-0.50)[klop.ws,quarantine];
	MID_RHS_NOT_FQDN(0.50)[];
	FORGED_SENDER(0.30)[ronald-lists@klop.ws,SRS0=aNgP=HS=klop.ws=ronald-lists@realworks.nl];
	R_SPF_ALLOW(-0.20)[+ip4:87.255.56.128/26];
	R_DKIM_ALLOW(-0.20)[klop.ws:s=rw2];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	MLMMJ_DEST(0.00)[freebsd-stable@freebsd.org];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	ASN(0.00)[asn:38930, ipnet:87.255.32.0/19, country:NL];
	DKIM_TRACE(0.00)[klop.ws:+];
	TO_DN_NONE(0.00)[];
	FROM_NEQ_ENVFROM(0.00)[ronald-lists@klop.ws,SRS0=aNgP=HS=klop.ws=ronald-lists@realworks.nl];
	HAS_X_PRIO_THREE(0.00)[3];
	RCVD_TLS_LAST(0.00)[];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	RCVD_COUNT_TWO(0.00)[2]
X-Rspamd-Queue-Id: 4Sm9fS5pTXz4cv5
X-Spamd-Bar: ---

------=_Part_91843_619229736.1701945352671
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

I have the problem from the forwarded mail below at several installs when I use freebsd-update.
The interesting part is that /etc/ssl/certs/ contains files.

Plain certctl rehash does not solve it.
But "rm /etc/ssl/certs/*; certctl rehash" ends up with all files in /etc/ssl/certs becoming symlinks and the problem is gone.
/etc/ssl/certs/002c0b4f.0 -> ../../../usr/share/certs/trusted/GlobalSign_Root_R46.pem

Maybe I installed my jails in a wrong way so I got files instead of symlinks in /etc/ssl/certs.

Anyway.
What is supposed to be in /etc/ssl/certs? Files or symlinks?

If somebody has a thought about this I'm interested.
Otherwise it is just a data point in the mailinglist for somebody else with this problem to find a solution.

NB: I also found older mention of this on the FreeBSD forums.
https://forums.freebsd.org/threads/getting-the-latest-files-that-were-not-downloaded-during-upgrade.78973/

Regards,
Ronald.

 
Van: zzzzz@xxxxx.yy
Datum: donderdag, 7 december 2023 00:23
Aan: root
Onderwerp: rpi4 security updates
> 
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 13.2-RELEASE from update2.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
> The following files are affected by updates. No changes have
> been downloaded, however, because the files have been modified
> locally:
> /etc/ssl/certs/0179095f.0
> /etc/ssl/certs/08063a00.0
> /etc/ssl/certs/0b9bc432.0
> /etc/ssl/certs/3e359ba6.0
> /etc/ssl/certs/5860aaa6.0
> /etc/ssl/certs/5931b5bc.0
> /etc/ssl/certs/5a7722fb.0
> /etc/ssl/certs/66445960.0
> /etc/ssl/certs/7a3adc42.0
> /etc/ssl/certs/7a780d93.0
> /etc/ssl/certs/8508e720.0
> /etc/ssl/certs/8f103249.0
> /etc/ssl/certs/90c5a3c8.0
> /etc/ssl/certs/9846683b.0
> /etc/ssl/certs/9ef4a08a.0
> /etc/ssl/certs/9f727ac7.0
> /etc/ssl/certs/d52c538d.0
> /etc/ssl/certs/ecccd8db.0
> /etc/ssl/certs/ed858448.0
> /etc/ssl/certs/fd64f3fc.0
> The following files will be updated as part of updating to
> 13.2-RELEASE-p7:
> /usr/share/certs/trusted/BJCA_Global_Root_CA1.pem
> /usr/share/certs/trusted/BJCA_Global_Root_CA2.pem
> /usr/share/certs/trusted/Certainly_Root_E1.pem
> /usr/share/certs/trusted/Certainly_Root_R1.pem
> /usr/share/certs/trusted/D-TRUST_BR_Root_CA_1_2020.pem
> /usr/share/certs/trusted/D-TRUST_EV_Root_CA_1_2020.pem
> /usr/share/certs/trusted/DigiCert_TLS_ECC_P384_Root_G5.pem
> /usr/share/certs/trusted/DigiCert_TLS_RSA4096_Root_G5.pem
> /usr/share/certs/trusted/E-Tugra_Global_Root_CA_ECC_v3.pem
> /usr/share/certs/trusted/E-Tugra_Global_Root_CA_RSA_v3.pem
> /usr/share/certs/trusted/HARICA_TLS_ECC_Root_CA_2021.pem
> /usr/share/certs/trusted/HARICA_TLS_RSA_Root_CA_2021.pem
> /usr/share/certs/trusted/HiPKI_Root_CA_-_G1.pem
> /usr/share/certs/trusted/ISRG_Root_X2.pem
> /usr/share/certs/trusted/Security_Communication_ECC_RootCA1.pem
> /usr/share/certs/trusted/Security_Communication_RootCA3.pem
> /usr/share/certs/trusted/Telia_Root_CA_v2.pem
> /usr/share/certs/trusted/TunTrust_Root_CA.pem
> /usr/share/certs/trusted/vTrus_ECC_Root_CA.pem
> /usr/share/certs/trusted/vTrus_Root_CA.pem
> 
> 
> 

 
------=_Part_91843_619229736.1701945352671
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><head></head><body>Hi,<br>
<br>
I have the problem from the forwarded mail below at several installs when I use freebsd-update.<br>
The interesting part is that /etc/ssl/certs/ contains files.<br>
<br>
Plain certctl rehash does not solve it.<br>
But "rm /etc/ssl/certs/*; certctl rehash" ends up with all files in /etc/ssl/certs becoming symlinks and the problem is gone.<br>
/etc/ssl/certs/002c0b4f.0 -&gt; ../../../usr/share/certs/trusted/GlobalSign_Root_R46.pem<br>
<br>
Maybe I installed my jails in a wrong way so I got files instead of symlinks in /etc/ssl/certs.<br>
<br>
Anyway.<br>
What is supposed to be in /etc/ssl/certs? Files or symlinks?<br>
<br>
If somebody has a thought about this I'm interested.<br>
Otherwise it is just a data point in the mailinglist for somebody else with this problem to find a solution.<br>
<br>
NB: I also found older mention of this on the FreeBSD forums.<br>
https://forums.freebsd.org/threads/getting-the-latest-files-that-were-not-downloaded-during-upgrade.78973/<br>
<br>
Regards,<br>
Ronald.<br>
<br>
&nbsp;
<p><strong>Van:</strong> zzzzz@xxxxx.yy<br>
<strong>Datum:</strong> donderdag, 7 december 2023 00:23<br>
<strong>Aan:</strong> root<br>
<strong>Onderwerp:</strong> rpi4 security updates</p>

<blockquote style="padding-right: 0px; padding-left: 5px; margin-left: 5px; border-left: #000000 2px solid; margin-right: 0px">
<div class="MessageRFC822Viewer" id="P">
<div class="TextPlainViewer" id="P.P">Looking up update.FreeBSD.org mirrors... 3 mirrors found.<br>
Fetching metadata signature for 13.2-RELEASE from update2.freebsd.org... done.<br>
Fetching metadata index... done.<br>
Inspecting system... done.<br>
Preparing to download files... done.<br>
The following files are affected by updates. No changes have<br>
been downloaded, however, because the files have been modified<br>
locally:<br>
/etc/ssl/certs/0179095f.0<br>
/etc/ssl/certs/08063a00.0<br>
/etc/ssl/certs/0b9bc432.0<br>
/etc/ssl/certs/3e359ba6.0<br>
/etc/ssl/certs/5860aaa6.0<br>
/etc/ssl/certs/5931b5bc.0<br>
/etc/ssl/certs/5a7722fb.0<br>
/etc/ssl/certs/66445960.0<br>
/etc/ssl/certs/7a3adc42.0<br>
/etc/ssl/certs/7a780d93.0<br>
/etc/ssl/certs/8508e720.0<br>
/etc/ssl/certs/8f103249.0<br>
/etc/ssl/certs/90c5a3c8.0<br>
/etc/ssl/certs/9846683b.0<br>
/etc/ssl/certs/9ef4a08a.0<br>
/etc/ssl/certs/9f727ac7.0<br>
/etc/ssl/certs/d52c538d.0<br>
/etc/ssl/certs/ecccd8db.0<br>
/etc/ssl/certs/ed858448.0<br>
/etc/ssl/certs/fd64f3fc.0<br>
The following files will be updated as part of updating to<br>
13.2-RELEASE-p7:<br>
/usr/share/certs/trusted/BJCA_Global_Root_CA1.pem<br>
/usr/share/certs/trusted/BJCA_Global_Root_CA2.pem<br>
/usr/share/certs/trusted/Certainly_Root_E1.pem<br>
/usr/share/certs/trusted/Certainly_Root_R1.pem<br>
/usr/share/certs/trusted/D-TRUST_BR_Root_CA_1_2020.pem<br>
/usr/share/certs/trusted/D-TRUST_EV_Root_CA_1_2020.pem<br>
/usr/share/certs/trusted/DigiCert_TLS_ECC_P384_Root_G5.pem<br>
/usr/share/certs/trusted/DigiCert_TLS_RSA4096_Root_G5.pem<br>
/usr/share/certs/trusted/E-Tugra_Global_Root_CA_ECC_v3.pem<br>
/usr/share/certs/trusted/E-Tugra_Global_Root_CA_RSA_v3.pem<br>
/usr/share/certs/trusted/HARICA_TLS_ECC_Root_CA_2021.pem<br>
/usr/share/certs/trusted/HARICA_TLS_RSA_Root_CA_2021.pem<br>
/usr/share/certs/trusted/HiPKI_Root_CA_-_G1.pem<br>
/usr/share/certs/trusted/ISRG_Root_X2.pem<br>
/usr/share/certs/trusted/Security_Communication_ECC_RootCA1.pem<br>
/usr/share/certs/trusted/Security_Communication_RootCA3.pem<br>
/usr/share/certs/trusted/Telia_Root_CA_v2.pem<br>
/usr/share/certs/trusted/TunTrust_Root_CA.pem<br>
/usr/share/certs/trusted/vTrus_ECC_Root_CA.pem<br>
/usr/share/certs/trusted/vTrus_Root_CA.pem</div>

<hr></div>
</blockquote>
<br>
&nbsp;</body></html>
------=_Part_91843_619229736.1701945352671--