From owner-freebsd-stable@freebsd.org Fri Dec 4 03:01:33 2020 Return-Path: Delivered-To: freebsd-stable@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7DA234706D0 for ; Fri, 4 Dec 2020 03:01:33 +0000 (UTC) (envelope-from warlock@phouka1.phouka.net) Received: from phouka1.phouka.net (phouka1.phouka.net [107.170.196.116]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "phouka.net", Issuer "Go Daddy Secure Certificate Authority - G2" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CnHXr2t01z3QRp for ; Fri, 4 Dec 2020 03:01:32 +0000 (UTC) (envelope-from warlock@phouka1.phouka.net) Received: from phouka1.phouka.net (localhost [127.0.0.1]) by phouka1.phouka.net (8.16.1/8.16.1) with ESMTPS id 0B4309IM098044 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Thu, 3 Dec 2020 19:00:09 -0800 (PST) (envelope-from warlock@phouka1.phouka.net) Received: (from warlock@localhost) by phouka1.phouka.net (8.16.1/8.16.1/Submit) id 0B4308xE098043; Thu, 3 Dec 2020 19:00:08 -0800 (PST) (envelope-from warlock) Date: Thu, 3 Dec 2020 19:00:08 -0800 From: John Kennedy To: Bob Willcox Cc: stable list Subject: Re: authentication errors on 'make fetchindex' in /usr/ports Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4CnHXr2t01z3QRp X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of warlock@phouka1.phouka.net has no SPF policy when checking 107.170.196.116) smtp.mailfrom=warlock@phouka1.phouka.net X-Spamd-Result: default: False [-1.80 / 15.00]; ARC_NA(0.00)[]; MAILMAN_DEST(0.00)[freebsd-stable]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[107.170.196.116:from]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[phouka.net]; AUTH_NA(1.00)[]; SPAMHAUS_ZRD(0.00)[107.170.196.116:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.999]; RCPT_COUNT_TWO(0.00)[2]; R_SPF_NA(0.00)[no SPF record]; FORGED_SENDER(0.30)[warlock@phouka.net,warlock@phouka1.phouka.net]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; FROM_NEQ_ENVFROM(0.00)[warlock@phouka.net,warlock@phouka1.phouka.net]; ASN(0.00)[asn:14061, ipnet:107.170.192.0/18, country:US] X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Dec 2020 03:01:33 -0000 On Thu, Dec 03, 2020 at 04:57:53PM -0600, Bob Willcox wrote: > I am trying to upgrade a 12.1-stable system installed back in July to 12.2-stable. > I downloaded the new ports hierarchy and now when I attempt to run 'make fetchindex' > I get these errors: > > /usr/bin/env fetch -am -o /usr/ports/INDEX-12.bz2 https://www.FreeBSD.org/ports/INDEX-12.bz2 > Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 > 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: > fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error > Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 > 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: > > Can someone help? Can you run the command by hand? I can, although I'm using: 12.2-RELEASE-p1 r368257+2ab1386b6891(releng/12.2). I seem to recall some work on the certificate repository pre 12.2-RELEASE, so you might be stuck in a weird spot. If I do this little bit of uglyness, we can see some details: openssl s_client -showcerts -connect www.freebsd.org:https < /dev/null | \ perl -ne '(/-----BEGIN CERTIFICATE-----/../-----END CERTIFICATE-----/) && print' | \ while read LINE; do case "$LINE" in "-----BEGIN CERTIFICATE-----") CERT="$LINE";; "-----END CERTIFICATE-----") echo -e "$CERT\n$LINE" | openssl x509 -text -noout;; *) CERT="$CERT\n$LINE";; esac done | \ grep -E '^Certificate:|Not|Issuer:|Subject:' depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = www.freebsd.org verify return:1 DONE Certificate: Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Not Before: Oct 17 20:36:10 2020 GMT Not After : Jan 15 20:36:10 2021 GMT Subject: CN = www.freebsd.org Certificate: Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Not Before: Mar 17 16:40:46 2016 GMT Not After : Mar 17 16:40:46 2021 GMT Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 So, do you have the glue for the current Let's Encrypt root in your store? As I recall, that had some intermediate cross-signing stuff expire recently. Doesn't seem like it would be an issue here. openssl x509 -text < /usr/share/certs/trusted/DST_Root_CA_X3.pem | \ grep -E '^Certificate:|Not|Issuer:|Subject:' Certificate: Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Not Before: Sep 30 21:12:19 2000 GMT Not After : Sep 30 14:01:15 2021 GMT Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 As a one-off, fetch has the --no-verify-hostname and --no-verify-peer options, but you'll probably want to update your system past a bad store since there are probably a bunch of Let's Encrypt certs out there these days.