I tried just installing pkg "mozilla-rootcerts-openssl”, and it seems to have fixed cpan. I will keep your comments for future reference if other things misbehave.
Thank you, -dgl- > On Nov 17, 2024, at 7:21 AM, Martin Neitzel > <neit...@hackett.marshlabs.gaertner.de> wrote: > > Don Lee: >> Ideas? > > Looks to me as if certificate verification fails on your box because > the collection of root certificates cannot be found. > > The oldest way to get them was to install the pkg "mozilla-rootcerts". > On top of that, one had to manually unpack the certificate bundle > and to create/update all the hashed links to the certificates, and > all of that in the proper places. The include script > /usr/pkg/sbin/mozilla-rootcerts helps you doing this: > > # This script is meant to be used as follows: > # > # # cd /etc/openssl/certs > # # mozilla-rootcerts extract > # # mozilla-rootcerts rehash > > Re-running these these steps might be all you need. > > (The motivation for not writing directly to /etc/openssl/certs > on pkg install is to not mess around with the default local > trust base.) > > > A later pkg called "mozilla-rootcerts-openssl" entered the game > 2015, around netbsd-7 or -8, as an alternative to "mozilla-rootcerts". > It already contains the unbundled root certificates and their hash > files and places them in /etc/openssl/certs/. > > According to the pkg description, it also tries to align the > directories used for "base-openssl" and "pkgsrc-openssl". (I couldn't > find any such "post-install" actions, though; looks like this more > a pkgsrc compile-time decision.) You might want to switch from > pkg "mozilla-rootcerts" to "mozilla-rootcerts-openssl". > > Still, throwing a symlink between /usr/pkg/etc/openssl/certs and > /etc/openssl/certs might be needed. > > > (With netbsd-10.0, things become much simpler: you'll get the > mozilla root certificates with base system, and there is certctl(8) > to maintain these and further certificate sets.) > > Martin Neitzel
