Date:      Thu, 04 Jul 2024 08:47:20 +0800
From:      Philip Paeps <philip@freebsd.org>
To:        Mark Millard <marklmi@yahoo.com>
Cc:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, Karl Denninger <karl@denninger.net>
Subject:   Re: pkg_https:// failures related to, for example, "SSL certificate problem: certificate is not yet valid"
Message-ID:  <0377045B-3DF8-4B25-9075-6F67F9E7194B@freebsd.org>
In-Reply-To: <5667D5C0-44F7-4B40-8F63-50D5973D220D@yahoo.com>
References:  <5667D5C0-44F7-4B40-8F63-50D5973D220D.ref@yahoo.com> <5667D5C0-44F7-4B40-8F63-50D5973D220D@yahoo.com>

On 2024-07-04 01:27:03 (+0800), Mark Millard wrote:
> Bootstrapping pkg from 
> pkg+https://pkg.FreeBSD.org/FreeBSD:14:aarch64/quarterly, please 
> wait...
> Certificate verification failed for /CN=pkg.freebsd.org
> 0020616CE1680000:error:0A000086:SSL 
> routines:tls_post_process_server_certificate:certificate verify 
> failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:

As far as I can tell, at the time of this writing, all fifteen 
pkg.freebsd.org sites have the same certificate, and OpenSSL is happy 
with it.

> Note the "pkg+https://".
>
> I had separate problems yesterday that I sidestepped by
> testing use of just "pkg+http://", which worked. See:

Use pkg+http.  This is the default.  Packages are signed.  Transport 
layer security does not provide any additional security.  (Anticipating 
the usual argument: it doesn't provide privacy either - packages are 
trivially fingerprinted by file size.)

> pkg with -d for the https context had its debug output
> reporting:
>
> * SSL certificate problem: certificate is not yet valid

Does the system being bootstrapped have a real-time clock?  Common 
causes for this error are clocks set to 1970-01-01 or 2000-01-01.

> It happened to be using 204.15.11.66:443 for the https activity.

For what it's worth: 204.15.11.66 = pkg0.tuk.freebsd.org.

root@pkg0.tuk:~ # openssl x509 -noout -in 
/etc/clusteradm/acme-certs/pkg.freebsd.org.crt -dates
notBefore=Jun  1 20:26:18 2024 GMT
notAfter=Aug 30 20:26:17 2024 GMT

Philip
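Added example (mine, not code from the mail or from the pkg project): it takes the `openssl x509 -dates` output Philip shows and a system clock reading, and reports whether OpenSSL would call the certificate valid, expired or not yet valid at that clock, flagging the unset-RTC case he suggests. The sample lines are constructed from the mail's output; the "year at or before 2000 means unset clock" rule is my heuristic.

```python
"""Check the validity window reported by `openssl x509 -dates` against a
system clock reading, to separate a genuinely bad certificate from a box
whose real-time clock is unset (the cause suggested in the mail above)."""
from datetime import datetime, timezone
from typing import Tuple

# Constructed sample: the two lines quoted in the mail for pkg.freebsd.org.crt.
SAMPLE_DATES_OUTPUT = """\
notBefore=Jun  1 20:26:18 2024 GMT
notAfter=Aug 30 20:26:17 2024 GMT
"""

def parse_openssl_date(value: str) -> datetime:
    # openssl prints "Jun  1 20:26:18 2024 GMT": space-padded day, trailing zone.
    fields = value.split()                      # ['Jun', '1', '20:26:18', '2024', 'GMT']
    if fields[-1] not in ("GMT", "UTC"):
        raise ValueError(f"unexpected time zone in {value!r}")
    stamp = datetime.strptime(" ".join(fields[:-1]), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def parse_dates_output(text: str) -> Tuple[datetime, datetime]:
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return parse_openssl_date(kv["notBefore"]), parse_openssl_date(kv["notAfter"])

def diagnose(dates_output: str, now_iso: str) -> Tuple[str, bool]:
    """Return (state, clock_suspect).

    state is 'valid', 'not yet valid' or 'expired' as OpenSSL would judge it
    at the given clock reading (ISO 8601 with a UTC offset).  clock_suspect
    is a heuristic (assumption, not from the mail): a 'not yet valid' verdict
    while the clock reads a year at or before 2000 points at an unset RTC
    rather than at the certificate.
    """
    not_before, not_after = parse_dates_output(dates_output)
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("clock reading must carry a UTC offset")
    if now < not_before:
        return "not yet valid", now.year <= 2000
    if now > not_after:
        return "expired", False
    return "valid", False

if __name__ == "__main__":
    # The first reading mimics a box that booted with its clock at the epoch;
    # the second is the time of the mail, which falls inside the window.
    for reading in ("1970-01-01T00:00:05+00:00", "2024-07-04T08:47:20+08:00"):
        print(reading, diagnose(SAMPLE_DATES_OUTPUT, reading))
```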