On 2021-09-30, Sebastian Benoit <[email protected]> wrote: > An errata patch for LibreSSL has been released for OpenBSD 6.8 and > OpenBSD 6.9. > > Compensate for the expiry of the DST Root X3 certificate. The use of an > unnecessary expired certificate in certificate chains can cause validation > errors. > > Binary updates for the amd64, i386 and arm64 platform are available > via the syspatch utility. Source code patches can be found on the > respective errata page: > > https://www.openbsd.org/errata68.html > https://www.openbsd.org/errata69.html > >
Note: you may have issues fetching the syspatches from your regular mirror due to this issue. Try fetching it normally first, as a number of mirrors are either unaffected, or have a workaround on the server side, but if that fails you have two options: - edit /etc/installurl to allow you to fetch the syspatches. Either switch https to http (the updates are signed and verified anyway), or use another mirror (including ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). - locate the expired certificate in /etc/ssl/cert.pem and remove it, it is the one with this in the header above: === /O=Digital Signature Trust Co./CN=DST Root CA X3 If you're able to install the syspatch anyway (syspatch69-018_cert.tgz or syspatch68-032_cert.tgz) then you don't need either of the above steps.
