Date: Wed, 12 Jan 2022 11:05:43 +0000 From: patpro@patpro.net To: "Axel Rau" <Axel.Rau@chaos1.de>, FreeBSD-security@freebsd.org Subject: Re: Random failures: "unable to get local issuer certificate" Message-ID: <3a5cd966011999f62c7d66a263f12500@patpro.net> In-Reply-To: <A1C37E54-1FF3-4486-AD6C-470B5F858634@Chaos1.DE> References: <A1C37E54-1FF3-4486-AD6C-470B5F858634@Chaos1.DE>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, Is that possible that the destination is the culprit? $ host sh.rustup.rs sh.rustup.rs is an alias for dks7yomi95k2d.cloudfront.net. dks7yomi95k2d.cloudfront.net has address 54.192.66.29 dks7yomi95k2d.cloudfront.net has address 54.192.66.52 dks7yomi95k2d.cloudfront.net has address 54.192.66.99 dks7yomi95k2d.cloudfront.net has address 54.192.66.5 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:b200:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5400:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5e00:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:ee00:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:f600:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:1200:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:a400:0:9a61:= 7540:93a1 dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:2600:0:9a61:= 7540:93a1 may be (I have not tested) the result is different depending on DNS reply= . patpro January 12, 2022 11:56 AM, "Axel Rau" <Axel.Rau@chaos1.de> wrote: > Hi all, >=20 >=20I=E2=80=99m running the download > curl https://sh.rustup.rs -sSf | sh > this works fine, but the rust installer it calls fails on random hosts > and jails with >=20 >=20error sending request \ > for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha= 256): \ > error trying to connect: error:1416F086:SSL \ > routines:tls_process_server_certificate:certificate \ > verify failed:ssl/statem/statem_clnt.c:1915: \ > (unable to get local issuer certificate) >=20 >=20All tested systems/jails are running 12.2p7 and habe identical cert s= tores, > kept up-to-date with freebsd-update. > OpenSSL 1.1.1h-freebsd from base. >=20 >=20Which knobs are influencing local issuer list? > Where can I dig to resolve this issue? >=20 >=20Any help appreciated, > Axel > --- > PGP-Key: CDE74120 =E2=98=80 computing @ chaos claudius
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3a5cd966011999f62c7d66a263f12500>