David Brownlee <a...@absd.org> wrote: > On Tue, 23 Apr 2024 at 02:27, beaker <bea...@sdf.org> wrote: > > I have a 9.3/i386 VM on which I recently ran > > $ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove > > > > which worked but subsequent attempts to use pkgin report the following > > error: > > > > -- > > $ sudo pkgin update > > cleaning database from > > http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries... > > reading local summary... > > processing local summary... > > processing remote summary > > (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)... > > 3061459968:error:1416F086:SSL > > routines:tls_process_server_certificate:certificate verify > > failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921: > > 3061459968:error:1416F086:SSL > > routines:tls_process_server_certificate:certificate verify > > failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921: > > 3061459968:error:1416F086:SSL > > routines:tls_process_server_certificate:certificate verify > > failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921: > > pkgin: Could not fetch > > https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz: > > Authentication error > > -- > > > > A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so > > it only uses http not https but I'd really rather not do that going > > forward so I'm looking for some guidance on how to fix wahatever > > is causing this SSL certificate verification error. > > > > System info: > > $ pkgin -v > > pkgin 23.8.1 (using SQLite 3.26.0) > > $ uname -a |cut -d' ' -f4-12 > > NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC > > $ uname -m > > i386 > > Do you have security/mozilla-rootcerts-openssl installed? (which > should provide a full set of certs in /etc/openssl). Alternatively > what do you have in /etc/openssl > > For netbsd-10 /etc/openssl is populated by the OS, but doing that > would be a breaking change on netbsd-9, however it may be that the > latest pkgin is enforcing SSL certificates by default on netbsd-9 > which would be... unhelpful in this case
Thanks, installing the mozilla-rootcerts-openssl pkg then re-editing ../pkgin/repositories.conf to use "https" worked. You're probably right about this being sort of a transitory issue mostly affecting 9.x, I just hadn't encountered it before and I've a handful of 9.x systems. Probably the forementioned rootcert pkg is already present on those. -B
