Don Lee:
> Ideas?
Looks to me as if certificate verification fails on your box because
the collection of root certificates cannot be found.
The oldest way to get them was to install the pkg "mozilla-rootcerts".
On top of that, one had to manually unpack the certificate bundle
and to create/update all the hashed links to the certificates, and
all of that in the proper places. The include script
/usr/pkg/sbin/mozilla-rootcerts helps you doing this:
# This script is meant to be used as follows:
#
# # cd /etc/openssl/certs
# # mozilla-rootcerts extract
# # mozilla-rootcerts rehash
Re-running these these steps might be all you need.
(The motivation for not writing directly to /etc/openssl/certs
on pkg install is to not mess around with the default local
trust base.)
A later pkg called "mozilla-rootcerts-openssl" entered the game
2015, around netbsd-7 or -8, as an alternative to "mozilla-rootcerts".
It already contains the unbundled root certificates and their hash
files and places them in /etc/openssl/certs/.
According to the pkg description, it also tries to align the
directories used for "base-openssl" and "pkgsrc-openssl". (I couldn't
find any such "post-install" actions, though; looks like this more
a pkgsrc compile-time decision.) You might want to switch from
pkg "mozilla-rootcerts" to "mozilla-rootcerts-openssl".
Still, throwing a symlink between /usr/pkg/etc/openssl/certs and
/etc/openssl/certs might be needed.
(With netbsd-10.0, things become much simpler: you'll get the
mozilla root certificates with base system, and there is certctl(8)
to maintain these and further certificate sets.)
Martin Neitzel
