From: patpro@patpro.net
To: "Axel Rau", FreeBSD-security@freebsd.org
Date: Wed, 12 Jan 2022 11:05:43 +0000
Subject: Re: Random failures: "unable to get local issuer certificate"
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi,

Is it possible that the destination is the culprit?

$ host sh.rustup.rs
sh.rustup.rs is an alias for dks7yomi95k2d.cloudfront.net.
dks7yomi95k2d.cloudfront.net has address 54.192.66.29
dks7yomi95k2d.cloudfront.net has address 54.192.66.52
dks7yomi95k2d.cloudfront.net has address 54.192.66.99
dks7yomi95k2d.cloudfront.net has address 54.192.66.5
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:b200:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5400:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5e00:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:ee00:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:f600:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:1200:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:a400:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:2600:0:9a61:7540:93a1

Maybe (I have not tested) the result is different depending on the DNS reply.

patpro

January 12, 2022 11:56 AM, "Axel Rau" wrote:

> Hi all,
>
> I’m running the download
> curl https://sh.rustup.rs -sSf | sh
> this works fine, but the rust installer it calls fails on random hosts
> and jails with
>
> error sending request \
> for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256): \
> error trying to connect: error:1416F086:SSL \
> routines:tls_process_server_certificate:certificate \
> verify failed:ssl/statem/statem_clnt.c:1915: \
> (unable to get local issuer certificate)
>
> All tested systems/jails are running 12.2p7 and have identical cert stores,
> kept up-to-date with freebsd-update.
> OpenSSL 1.1.1h-freebsd from base.
>
> Which knobs are influencing local issuer list?
> Where can I dig to resolve this issue?
>
> Any help appreciated,
> Axel
> ---
> PGP-Key: CDE74120 ☀ computing @ chaos claudius
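
One way to test the hypothesis in the reply above, as an added example that is not part of the thread: handshake with every address a name resolves to, always sending the same SNI, and compare the OpenSSL verify return codes against the local trust store. The function names and the 192.0.2.x sample lines are constructed for illustration; the script can be pointed at either sh.rustup.rs or the static.rust-lang.org name from the error message.

```shell
#!/bin/sh
# Added example: does certificate verification depend on which address
# a name resolves to? Uses host(1) and openssl s_client with default CA paths.

# Print every IPv4/IPv6 address found in `host` output read from stdin.
parse_host_addrs() {
    awk '/ has address / || / has IPv6 address / { print $NF }'
}

# Handshake with one address, sending NAME as SNI, and print
# "<address><TAB><numeric verify return code>" ("none" if no handshake).
# Code 0 is ok; code 20 is "unable to get local issuer certificate".
check_addr() {
    name=$1; addr=$2
    case $addr in
        *:*) target="[$addr]:443" ;;   # IPv6 literals need brackets
        *)   target="$addr:443" ;;
    esac
    code=$(openssl s_client -connect "$target" -servername "$name" \
               </dev/null 2>/dev/null |
           sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\t%s\n' "$addr" "${code:-none}"
}

# Read check_addr lines on stdin and report whether all addresses agree.
summarize() {
    awk -F '\t' '
        { seen[$2]++ }
        END {
            n = 0; for (c in seen) n++
            if (n == 0)      print "no-results"
            else if (n == 1) print "consistent"
            else             print "address-dependent"
        }'
}

# With a host name argument: live check. Without: offline demo on constructed data.
if [ $# -gt 0 ]; then
    results=$(host "$1" | parse_host_addrs |
              while read -r a; do check_addr "$1" "$a"; done)
    printf '%s\n' "$results"
    printf '%s\n' "$results" | summarize
else
    # Constructed sample results (documentation addresses, not real measurements).
    printf '192.0.2.1\t0\n192.0.2.2\t20\n' | summarize
fi
```

Running it on a failing and a working jail and comparing the per-address codes separates a problem at the destination from a difference in the local trust store.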