Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 16 Nov 2023 22:55:07 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 275144] security/lastpass-cli: Error: SSL peer certificate or SSH remote key was not OK
Message-ID:  <bug-275144-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D275144

            Bug ID: 275144
           Summary: security/lastpass-cli: Error: SSL peer certificate or
                    SSH remote key was not OK
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: sunpoet@FreeBSD.org
          Reporter: john@saltant.com
          Assignee: sunpoet@FreeBSD.org
             Flags: maintainer-feedback?(sunpoet@FreeBSD.org)

Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

The login and logout commands of the LastPass CLI fail with the following e=
rror
on 13.2-RELEASE-p3 amd64.

    Error: SSL peer certificate or SSH remote key was not OK


Observed behavior
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    % lpass login username@example.com
    Error: SSL peer certificate or SSH remote key was not OK
    %


Expected behavior
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    % lpass login username@example.com
    # password prompt appears


Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Option 1: Install security/ca_root_nss

Option 2: Set SSL_CERT_DIR=3D/etc/ssl/certs in the environment


Analysis
=3D=3D=3D=3D=3D=3D=3D=3D

By default, the lpass command tries to load a trust store first from
/usr/local/openssl/cert.pem and then from /usr/local/openssl/certs. When
security/ca_root_nss is not installed, no trust store is present at these
locations by default.

When attempting to load from a CA path by hash symlink, the following hashes
are attempted.

    4bd443a4.0
    1d3472b9.0
    5c47d203.0

The second one is present in the base trust store and refers to

    /usr/share/certs/trusted/GlobalSign_ECC_Root_CA_-_R5.pem

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-275144-7788>