Subject: Re: deskutils/nextcloudclient Cannot connect securely to
From: Michael Gmelin
Date: Fri, 29 Oct 2021 14:16:32 +0200
To: Per olof Ljungmark
Cc: Guido Falsi, ports@freebsd.org
Message-Id: <7B941E4A-A66E-4B8A-B599-4F01492C8259@grem.de>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

> On 29. Oct 2021, at 14:12, Per olof Ljungmark wrote:
>
> On 10/25/21 16:22, Per olof Ljungmark wrote:
>>> On 10/25/21 09:51, Guido Falsi wrote:
>>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>>> FreeBSD 12-STABLE from Oct 15
>>>> nextcloudclient 3.3.5
>>>>
>>>> I get popup messages from the client stating "Untrusted Certificate Cannot connect securely to [server-name]".
>>>>
>>>> Browser access to the server is fine, no errors.
>>>>
>>>> Using truss, it seems it looks for and finds
>>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>>
>>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>>
>>>> It also looks for 8d33f237.0, but it does not exist:
>>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>>>
>>>> How do I convince it to instead look for 4042bcee.0 which is the ISRG_Root_X1.pem used by Letsencrypt?
>>>
>>> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>>
>>> What version of openssl are you using? Versions before 1.1.0 show this behavior.
>>>
>>> Maybe a possible workaround is to manually remove the expired certificate from the list of trusted ones.
>>>
>>> I guess you are using the ones installed by security/ca_root_nss, in which case you'll need to modify their list.
>>>
>> Deleting the link /etc/ssl/certs did the trick it seems, no more popups for an hour.
>> Still wondering why this happens though...
>
> As a final note, I just updated my laptop to latest 12-STABLE and nextcloudclient 3.3.5 and no problem with certificates. So the reason remains unknown but at least everything works as expected.
>

This was certainly related to the letsencrypt issuing CA expiry (seen the same on a nextcloud windows client).

-m

> Per
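The thread turns on an expired root (2e5ac55d.0, a hash-named link to DST_Root_CA_X3.pem) still sitting in the OpenSSL-style trust directory, where an OpenSSL older than 1.1.0 picks it up as the first chain it can build and rejects the connection. Guido's workaround is to find and remove such expired entries. The following script is an added example written for this note, not code from the thread, the nextcloud client or the ca_root_nss port; it assumes the `openssl` CLI is installed and that the directory uses the usual `<subject_hash>.<n>` layout of `/etc/ssl/certs`. It lists every certificate in the directory that has expired, or will expire within an optional grace window, together with the PEM file the hash-named link points at, so an administrator can see which root to drop before a client starts failing.

```shell
#!/bin/sh
# Added example (not from the thread): report expired or soon-to-expire CA
# certificates in an OpenSSL hashed trust directory such as /etc/ssl/certs.
# Assumes the openssl CLI is available; directory layout <subject_hash>.<n>.

# Usage: check_cert_dir <dir> [grace_seconds]
# Prints one line per offending entry:
#   <entry> -> <link target>: notAfter=<date> (<subject>)
# Returns 0 if nothing is expiring, 1 if at least one entry is, 2 on bad input.
check_cert_dir() {
    dir=$1
    grace=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip anything that is not a parseable certificate (keys, README, ...)
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
        # -checkend N exits non-zero if the cert expires within N seconds,
        # so grace=0 reports only certificates that are already expired.
        if ! openssl x509 -noout -checkend "$grace" -in "$f" >/dev/null 2>&1; then
            target=$f
            # Hash-named entries are normally symlinks; show the real PEM file
            [ -L "$f" ] && target=$(readlink "$f")
            notafter=$(openssl x509 -noout -enddate -in "$f")
            subject=$(openssl x509 -noout -subject -in "$f")
            echo "$(basename "$f") -> $target: $notafter ($subject)"
            found=1
        fi
    done
    return $found
}

# Stand-alone use: check_cert_dir.sh /etc/ssl/certs [grace_seconds]
if [ $# -gt 0 ]; then
    check_cert_dir "$@"
fi
```

Run it against `/etc/ssl/certs` with a grace window of a few weeks (for example `2592000` for 30 days) to get advance warning; an entry that shows up with grace 0 is exactly the kind of stale root the thread was tripping over. Removing the hash-named link is enough for OpenSSL to stop considering that certificate, but note that ca_root_nss regenerates the links on update, so the change has to be repeated or the port's bundle edited.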