From: Guido Falsi <madpilot@FreeBSD.org>
To: Per olof Ljungmark, ports@FreeBSD.org
Date: Mon, 25 Oct 2021 16:33:03 +0200
Subject: Re: deskutils/nextcloudclient Cannot connect securely to
List: freebsd-ports (Porting software to FreeBSD), archive: https://lists.freebsd.org/archives/freebsd-ports

On 25/10/21 16:22, Per olof Ljungmark wrote:
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>>
>>> I get popup messages from the client stating "Untrusted Certificate
>>> Cannot connect securely to [server-name]".
>>>
>>> Browser access to the server is fine, no errors.
>>>
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r--
>>> ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0)
>>> ERR#2 'No such file or directory'
>>>
>>> How do I convince it to instead look for 4042bcee.0, which is the
>>> ISRG_Root_X1.pem used by Let's Encrypt?
>>
>> Ref:
>> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>
>> What version of OpenSSL are you using? Versions before 1.1.0 show this
>> behavior.
>>
>> Maybe a possible workaround is to manually remove the expired
>> certificate from the list of trusted ones.
>>
>> I guess you are using the ones installed by security/ca_root_nss, in
>> which case you'll need to modify their list.
>>
>
> Deleting the link /etc/ssl/certs did the trick, it seems; no more popups
> for an hour.
>
> Still wondering why this happens though...

Not sure why it happens in your case, since you're using a recent OpenSSL,
but in general it happens because one of Let's Encrypt's root certificates
expired and the default chain still includes it through cross-signing.

Newer OpenSSL should be able to cope, so, again, no clue why it happens in
your case.

-- 
Guido Falsi
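The thread turns on two things: OpenSSL looks up trust anchors by the hashed filename derived from the certificate subject (which is why truss shows 2e5ac55d.0 being opened for DST Root CA X3 and why 4042bcee.0 is ISRG Root X1), and an OpenSSL older than 1.1.0 keeps walking the cross-signed chain up to the expired DST root instead of stopping at the ISRG Root X1 it already trusts (1.1.0 made "trusted first" chain building the default). The script below, an added example written for this thread and not code from nextcloudclient, ca_root_nss or FreeBSD, audits a hashed trust directory the way a practitioner would before following Guido's suggestion of removing only the expired entry rather than the whole /etc/ssl/certs link: it lists the hashed names whose certificate is past notAfter and maps a hash name back to its subject. It goes beyond the thread in that it works on any OpenSSL-style hashed directory, not just the one the poster traced. Function names (`hash_name`, `expired_hashes`, `describe_hash`, `build_demo_store`) are my own, the only dependency is the openssl CLI, and the two roots the self-test creates (an "expired-root" standing in for DST Root CA X3 and a "current-root" standing in for ISRG Root X1, with made-up validity dates) are constructed test data.

```shell
#!/bin/sh
# Audit an OpenSSL hashed trust directory such as /etc/ssl/certs: list the
# <subject_hash>.N entries (the names the library actually opens) whose
# certificate is already past notAfter, and map a hash name back to a subject.
# Added example for this mailing-list thread; not code from nextcloudclient,
# ca_root_nss or FreeBSD. Needs only the openssl CLI. The roots created by
# build_demo_store are constructed test data with made-up validity dates.

# hash_name FILE: the filename OpenSSL derives from FILE's subject. This is
# how DST Root CA X3 becomes 2e5ac55d.0 and ISRG Root X1 becomes 4042bcee.0.
hash_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# is_hashed NAME: true if NAME looks like <8 hex digits>.<n>.
is_hashed() {
    case $1 in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# expired_hashes DIR: print each hashed entry in DIR whose notAfter is in the
# past. `-checkend 0` exits non-zero when the certificate has already expired.
expired_hashes() {
    for f in "$1"/*; do
        is_hashed "$(basename "$f")" || continue
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            basename "$f"
        fi
    done
}

# describe_hash DIR NAME: subject and notAfter of the entry NAME inside DIR,
# i.e. the reverse of the lookup the poster did by hand for 2e5ac55d.0.
describe_hash() {
    openssl x509 -in "$1/$2" -noout -subject -enddate
}

# make_root DIR NAME NOTBEFORE NOTAFTER: self-signed root DIR/NAME.pem with an
# explicit validity window (YYMMDDHHMMSSZ). `openssl ca -selfsign` is used
# because `openssl req -x509` cannot backdate a certificate. The hashed
# symlink mirrors what c_rehash / certctl create in /etc/ssl/certs.
make_root() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl ca -selfsign -batch -notext -config "$1/ca.cnf" \
        -keyfile "$1/$2.key" -in "$1/$2.csr" \
        -startdate "$3" -enddate "$4" -out "$1/$2.pem" >/dev/null 2>&1
    ln -sf "$2.pem" "$1/$(hash_name "$1/$2.pem")"
}

# build_demo_store DIR: a trust directory holding one expired root (stand-in
# for DST Root CA X3) and one current root (stand-in for ISRG Root X1).
build_demo_store() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
serial = $1/serial
new_certs_dir = $1
default_md = sha256
policy = loose
[ loose ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    make_root "$1" expired-root 000930210000Z 210930140000Z
    make_root "$1" current-root 150604110000Z 350604110000Z
}

# Usage: sh audit-certs.sh [DIR]   (default: /etc/ssl/certs)
store=${1:-/etc/ssl/certs}
if [ -d "$store" ]; then
    for h in $(expired_hashes "$store"); do
        printf '%s: ' "$h"
        describe_hash "$store" "$h"
    done
fi
```

Run it against the directory the client actually opens (the truss output shows /etc/ssl/certs here); every name it prints is a hashed entry an old OpenSSL will happily use as a trust anchor even though it has expired, so that is the one to remove (or to leave out when regenerating the ca_root_nss list), rather than unlinking the whole directory.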