Date:      Sun, 8 Oct 2023 04:56:43 +0900
From:      Koichiro Iwao <meta@freebsd.org>
To:        Dag-Erling Smørgrav <des@freebsd.org>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org,  dev-commits-ports-main@freebsd.org, ports@freebsd.org
Subject:   Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.
Message-ID:  <e3g73uqrsnhlvufy6fqvcnhpmk2end6oaawwqjgfyn3avpxchq@kkxcogbrjalt>
In-Reply-To: <j5hsadyeheayonhr5zudy2xurjtujxt3o6ilyyv4z7eej4zxnl@ptiztdqopea2>
References:  <202310061549.396Fn8xF027032@gitrepo.freebsd.org> <u5u2xbbkwwmnicmloyujjmaslmtnpmnegksa337odkhhwrr2cd@s4ejluqaephk> <868r8eeja5.fsf@ltc.des.no> <j5hsadyeheayonhr5zudy2xurjtujxt3o6ilyyv4z7eej4zxnl@ptiztdqopea2>

On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote:
> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Smørgrav wrote:
> > Koichiro Iwao <meta@freebsd.org> writes:
> > > % LANG=C wget -O - https://www.freebsd.org
> > > --2023-10-07 19:50:58--  https://www.freebsd.org/
> > > Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
> > > Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> > > ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
> > >   Unable to locally verify the issuer's authority.
> > > To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
> > 
> > I'm unable to reproduce this on 13.2.  Running wget under ktrace shows
> > that although it first looks for the nonexistent bundle, it correctly
> > falls back to the system trust store.

Regarding wget, it was an issue with security/openssl.

I'm using openssl from ports:
> DEFAULT_VERSIONS+=      ssl=openssl

As far as I tried debugging with ktrace, security/openssl doesn't
fall back to the /etc/ssl/certs directory.

% LANG=C ktrace wget -O /dev/null https://www.freebsd.org/
--2023-10-08 04:32:45--  https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 210.231.212.93, ...
Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to www.freebsd.org insecurely, use `--no-check-certificate'.

% kdump -tn |grep -e "/etc" -e "certs"
 28088 wget     NAMI  "/etc/libmap.conf"
 28088 wget     NAMI  "/usr/local/etc/libmap.d"
 28088 wget     NAMI  "/usr/local/etc/libmap.d/mesa.conf"
 28088 wget     NAMI  "/etc/malloc.conf"
 28088 wget     NAMI  "/usr/local/etc/wgetrc"
 28088 wget     NAMI  "/usr/local/etc/wgetrc"
 28088 wget     NAMI  "/etc/localtime"
 28088 wget     NAMI  "/etc/nsswitch.conf"
 28088 wget     NAMI  "/etc/nsswitch.conf"
 28088 wget     NAMI  "/etc/hosts"
 28088 wget     NAMI  "/etc/resolv.conf"
 28088 wget     NAMI  "/usr/local/openssl/certs/8d33f237.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/4042bcee.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/bfabe37b.0"

% ls -l /usr/local/openssl/certs
(empty)

# rmdir /usr/local/openssl/certs
# ln -s /etc/ssl/certs /usr/local/openssl

So I replaced /usr/local/openssl/certs directory with a symlink to
/etc/ssl/certs directory. The workaround worked perfectly.

The security/openssl port might need some adjustment. After ca_root_nss
quit providing /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should
be added to the search path. Otherwise, openssl port cannot find root
certificates installed by ca_root_nss.

-- 
meta <meta@FreeBSD.org>
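The ktrace output above shows the failure mode: OpenSSL's by-hash lookup (X509_LOOKUP_hash_dir) opens files named `<subject-hash>.<n>`, such as `8d33f237.0`, inside `OPENSSLDIR/certs`, and an empty directory means every issuer lookup fails. The following POSIX sh diagnostic is an added example, not code from this thread, from the security/openssl port, or from ca_root_nss. It assumes OpenSSL's documented defaults (the directory is `OPENSSLDIR/certs` as reported by `openssl version -d`, overridden by the `SSL_CERT_DIR` environment variable); the function names and the sample file names are the author's own constructed illustration.

```sh
#!/bin/sh
# Added diagnostic: is the OpenSSL cert directory a usable hash-dir trust store?
# Assumes OpenSSL defaults: OPENSSLDIR/certs unless SSL_CERT_DIR is set.

# Directory OpenSSL will search for CA certificates by subject hash.
# Returns 1 if no openssl binary is available to ask.
openssl_cert_dir() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
        return 0
    fi
    # `openssl version -d` prints e.g.: OPENSSLDIR: "/usr/local/openssl"
    d=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$d" ] || return 1
    printf '%s/certs\n' "$d"
}

# True if NAME looks like a hash-dir certificate entry: 8 lowercase hex
# characters, a dot, then a sequence number (8d33f237.0, 2e5ac55d.1, ...).
is_hash_name() {
    case $1 in
        ????????.[0-9]|????????.[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    case ${1%.*} in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Report on DIR. Exit status: 0 usable, 1 present but no hashed entries
# (the "(empty)" case from the thread), 2 directory missing.
cert_dir_status() {
    dir=$1
    if [ -L "$dir" ]; then
        # A symlink (e.g. to /etc/ssl/certs) is fine as long as the target is populated.
        printf 'note: %s is a symlink to %s\n' "$dir" "$(readlink "$dir")"
    fi
    if [ ! -d "$dir" ]; then
        printf 'missing: %s\n' "$dir"
        return 2
    fi
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_hash_name "${f##*/}" && n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        printf 'empty: %s has no <hash>.<n> entries; issuer lookups will fail\n' "$dir"
        return 1
    fi
    printf 'ok: %s has %d hashed certificate entries\n' "$dir" "$n"
    return 0
}

# Stand-alone use: check the directory this system's openssl actually searches.
if [ "${0##*/}" != "sh" ] && [ -z "${CERT_DIR_CHECK_NO_MAIN:-}" ]; then
    if d=$(openssl_cert_dir); then
        cert_dir_status "$d"
    else
        echo 'no openssl binary found; set SSL_CERT_DIR or pass a directory to cert_dir_status'
    fi
fi
```

To find which hashed file a given issuer should resolve to, `openssl x509 -in issuer.pem -noout -subject_hash` prints the hash that the file name must carry. As a per-process alternative to the symlink workaround in the message, `SSL_CERT_DIR=/etc/ssl/certs` points OpenSSL at the certctl-managed directory without touching `/usr/local/openssl`.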