Re: provide latest OS root certificates via port?

2021-11-01 Thread Richard L. Hamilton



> On Nov 1, 2021, at 03:12, raf  wrote:
> 
> On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users 
>  wrote:
> 
>> I see that I already have the latest ISRG Root X1 certificate in the
>> System Roots keychain, so not sure why I would need to add it to my
>> System keychain.
> 
> It doesn't sound sensible, does it? I followed those instructions,
> then added it to System Roots because it hadn't changed anything,
> only to discover (on 10.6) that only TLSv1.0 was supported by the
> system-supplied software so things wouldn't work anyway.
> 
> I still don't understand why /usr/bin/curl isn't working for me on
> 10.14 but Safari is.

/usr/bin/curl (also?) uses /etc/ssl/cert.pem file. Copy that file to 
/etc/ssl/cert.pem.orig as a backup and look around line 1130 for the following:

### Digital Signature Trust Co.

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
Signature Algorithm: sha1WithRSAEncryption
Validity
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE 
X509v3 Key Usage: critical
Certificate Sign, CRL Sign 
X509v3 Subject Key Identifier:
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
-----BEGIN CERTIFICATE-----


Remove from there (if it is line 1130) to the matching
-----END CERTIFICATE-----
line in /etc/ssl/cert.pem (around 1171) and that gets rid of the expired X3 
cert that doesn't really need to be in the certificate chain. After that,
/opt/local/libexec/mpstats submit
works for me on 10.14. Still doesn't help with what's presumably the TLS 
problem on older versions (10.6.8 being the only older version I have 
available, so I don't know just what version is the cutoff for that problem).
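The pruning step described above (cutting the expired DST Root CA X3 entry out of /etc/ssl/cert.pem by line number) done by fingerprint instead, as an added example that is not code from the thread or from MacPorts. It matches the SHA-256 fingerprint quoted in the message against each certificate's DER bytes and drops the whole span from the end of the previous certificate through the matching END line, which is the same span the message says to remove by hand (the `###`/`===` comment lines and the openssl dump included). The two-entry sample bundle and its certificate bodies are constructed for the demo and are not real certificates; the script name `prune_root.py` is also an assumption.

```python
# Added example, not code from the thread: remove one root from a PEM
# bundle laid out like macOS /etc/ssl/cert.pem by SHA-256 fingerprint.
import base64
import hashlib
import re
import shutil
import sys
from typing import List, Tuple

# Fingerprint of "DST Root CA X3" as quoted in the message above (the
# root expired 2021-09-30). Pass this when pruning the real cert.pem.
DST_ROOT_CA_X3_SHA256 = (
    "06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:"
    "32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(bundle: str) -> List[str]:
    """Base64 bodies of every CERTIFICATE block in the bundle, in order."""
    return _PEM_RE.findall(bundle)


def fingerprint(b64_body: str) -> str:
    """SHA-256 of the DER bytes, formatted like `openssl x509 -fingerprint`."""
    der = base64.b64decode("".join(b64_body.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def remove_by_fingerprint(bundle: str, target: str) -> Tuple[str, int]:
    """Return (new_bundle, removed_count).

    cert.pem precedes each certificate with '### ...' / '=== ...' comment
    lines and an openssl text dump, so the unit of removal is the whole
    span from the end of the previous certificate up to and including the
    matching END line, the same span the message says to cut by hand.
    """
    target = target.upper()
    kept: List[str] = []
    removed = 0
    pos = 0
    for m in _PEM_RE.finditer(bundle):
        segment = bundle[pos:m.end()]
        pos = m.end()
        if fingerprint(m.group(1)) == target:
            removed += 1
        else:
            kept.append(segment)
    kept.append(bundle[pos:])          # trailing text after the last cert
    return "".join(kept), removed


def sample_bundle() -> str:
    """Constructed two-entry bundle in the cert.pem layout. The bodies are
    labelled bytes, NOT real certificates; they exist only to be hashed."""
    def body(label: bytes) -> str:
        return base64.b64encode(label).decode("ascii")

    return (
        "### Example Trust Co. (constructed)\n"
        "=== /O=Example Trust Co./CN=Expired Root\n"
        "-----BEGIN CERTIFICATE-----\n"
        + body(b"expired-root:constructed") + "\n"
        "-----END CERTIFICATE-----\n\n"
        "### Example Trust Co. (constructed)\n"
        "=== /O=Example Trust Co./CN=Current Root\n"
        "-----BEGIN CERTIFICATE-----\n"
        + body(b"current-root:constructed") + "\n"
        "-----END CERTIFICATE-----\n"
    )


def demo() -> Tuple[str, int]:
    """Prune the constructed expired entry from the sample bundle."""
    expired_fp = fingerprint(
        base64.b64encode(b"expired-root:constructed").decode("ascii"))
    return remove_by_fingerprint(sample_bundle(), expired_fp)


if __name__ == "__main__":
    # Usage: sudo python3 prune_root.py /etc/ssl/cert.pem [FINGERPRINT]
    # Backs the file up to <path>.orig first, as the message suggests.
    path = sys.argv[1]
    fp = sys.argv[2] if len(sys.argv) > 2 else DST_ROOT_CA_X3_SHA256
    with open(path, encoding="latin-1") as f:        # byte-transparent
        original = f.read()
    shutil.copyfile(path, path + ".orig")
    new_bundle, n = remove_by_fingerprint(original, fp)
    with open(path, "w", encoding="latin-1") as f:
        f.write(new_bundle)
    print(f"removed {n} certificate(s) matching {fp}")
```

Matching on the fingerprint rather than a line number means the script is safe to re-run and does nothing on a bundle that has already been cleaned. Note that this only changes what /usr/bin/curl trusts; Safari and other Keychain-backed clients are unaffected, which is consistent with the earlier observation that Safari already worked.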




Re: provide latest OS root certificates via port?

2021-11-01 Thread Al Varnell via macports-users
Sent from my iPad

On Nov 1, 2021, at 00:12, raf  wrote:
>> And when I went to https://letsencrypt.org/certs/isrgrootx1.pem
>> to download, it showed up as a .cer instead of a .pem.
>> 
>> -Al-
> 
> That file is in PEM format.
> Is it just the filename suffix that is of concern, or the format?

Yes, I would expect a direct link to download a file would download a file with 
that exact file name, including suffix.

> i.e. does it start with "-----BEGIN CERTIFICATE-----"?
> If so, it can be renamed to isrgrootx1.pem (but it might not matter).

No, its name was isrgrootx1.cer

> cheers,
> raf

I really have no need for it since the fully up-to-date certificate was already 
installed on my Mac. Just pointing that out along with the strangeness with the 
suffix.

-Al-

Re: provide latest OS root certificates via port?

2021-11-01 Thread raf
On Mon, Nov 01, 2021 at 08:13:14AM +0100, Henning Hraban Ramm  
wrote:

> 
> > Am 01.11.2021 um 00:32 schrieb raf :
> > 
> > On Sun, Oct 31, 2021 at 11:46:46AM +0100, Henning Hraban Ramm 
> >  wrote:
> >> 
> >> I’m working on a 2013 Mac mini and can’t upgrade further than 10.14 (don’t 
> >> want to lose my 32 bit software, and I seem too stupid for VMs).
> >> (I also just upgraded a 2010 Thinkpad Edge with a SSD and current Ubuntu, 
> >> but that’s a different story.)
> >> 
> >>> Is anyone else on old systems
> >>> able to run "/opt/local/libexec/mpstats submit"? I read somewhere that 
> >>> errors
> >>> are silently ignored during automatic submission.
> >> 
> >> It’s not installed. To which port does the command belong?
> > 
> > It's the "mpstats" port.
> 
> I could have guessed. Actually I tried "port search", and nothing turned up – 
> today it did. Probably I mistyped.
> 
> $ /opt/local/libexec/mpstats submit
> Submitting data to https://ports.macports.org/statistics/submit/ ...
> Error: Peer certificate cannot be authenticated with given CA certificates
> while executing
> "curl post "submission\[data\]=$json" $stats_url"
> 
> So I can confirm the issue on 10.4, even after installing the ISRG Root 
> certificate in the System keychain.
> 
> Sláinte,
> Hraban

I would have thought it would be a TLS version problem,
rather than, a certificate problem, but it does mention
the certificates.

cheers,
raf



Re: provide latest OS root certificates via port?

2021-11-01 Thread Henning Hraban Ramm

> Am 01.11.2021 um 00:32 schrieb raf :
> 
> On Sun, Oct 31, 2021 at 11:46:46AM +0100, Henning Hraban Ramm 
>  wrote:
>> 
>> I’m working on a 2013 Mac mini and can’t upgrade further than 10.14 (don’t 
>> want to lose my 32 bit software, and I seem too stupid for VMs).
>> (I also just upgraded a 2010 Thinkpad Edge with a SSD and current Ubuntu, 
>> but that’s a different story.)
>> 
>>> Is anyone else on old systems
>>> able to run "/opt/local/libexec/mpstats submit"? I read somewhere that 
>>> errors
>>> are silently ignored during automatic submission.
>> 
>> It’s not installed. To which port does the command belong?
> 
> It's the "mpstats" port.

I could have guessed. Actually I tried "port search", and nothing turned up – 
today it did. Probably I mistyped.

$ /opt/local/libexec/mpstats submit
Submitting data to https://ports.macports.org/statistics/submit/ ...
Error: Peer certificate cannot be authenticated with given CA certificates
while executing
"curl post "submission\[data\]=$json" $stats_url"

So I can confirm the issue on 10.4, even after installing the ISRG Root 
certificate in the System keychain.

Sláinte,
Hraban




Re: provide latest OS root certificates via port?

2021-11-01 Thread raf
On Sat, Oct 30, 2021 at 05:49:11AM -0700, Al Varnell via macports-users 
 wrote:

> I see that I already have the latest ISRG Root X1 certificate in the
> System Roots keychain, so not sure why I would need to add it to my
> System keychain.

It doesn't sound sensible, does it? I followed those instructions,
then added it to System Roots because it hadn't changed anything,
only to discover (on 10.6) that only TLSv1.0 was supported by the
system-supplied software so things wouldn't work anyway.

I still don't understand why /usr/bin/curl isn't working for me on
10.14 but Safari is.

> And when I went to https://letsencrypt.org/certs/isrgrootx1.pem
> to download, it showed up as a .cer instead of a .pem.
> 
> -Al-

That file is in PEM format.
Is it just the filename suffix that is of concern, or the format?
i.e. does it start with "-----BEGIN CERTIFICATE-----"?
If so, it can be renamed to isrgrootx1.pem (but it might not matter).

If you have a binary file in DER format, it can be converted to PEM format:

  openssl x509 -inform der -outform pem -in file.der -out file.pem

Or just download the PEM version. They have both available.

cheers,
raf

> > On Oct 29, 2021, at 10:25 PM, Michael wrote:
> > 
> > So I found this advice online for updating certs without having to worry 
> > about trusting expired old certs.
> > 
> > 1. Visit https://letsencrypt.org/certs/isrgrootx1.pem to download the 
> > certificate, and save it in the Documents folder.
> > 
> > 2. Open Terminal, paste this command, and press enter:
> > 
> > sudo security -v add-trusted-cert -d -r trustRoot -k 
> > "/Library/Keychains/System.keychain" ~/Documents/isrgrootx1.pem
> > 
> > This eliminates the need for marking the expired DST root as special-case 
> > trusted.
>
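The check raf describes above (does the file start with the BEGIN marker, and if not, is it a DER file that needs `openssl x509 -inform der -outform pem`), as an added example that is not code from the thread or from OpenSSL. It classifies a downloaded certificate by content rather than by its `.cer`/`.pem` suffix, recognising DER from the outer ASN.1 SEQUENCE header, and converts DER to PEM the way the openssl command does. `SAMPLE_DER` is a constructed, well-formed TLV used only to exercise the code; it is not a certificate, and the script name `certfmt.py` is an assumption.

```python
# Added example, not code from the thread: classify a downloaded
# certificate file as PEM or DER by content (the suffix .cer/.pem proves
# nothing) and normalise it to PEM, the transformation that
# `openssl x509 -inform der -outform pem` performs.
import base64
import re
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    """PEM is ASCII text containing the BEGIN marker (a comment may precede it)."""
    try:
        return PEM_HEADER in data.decode("ascii")
    except UnicodeDecodeError:
        return False


def looks_like_der(data: bytes) -> bool:
    """A DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose encoded
    length accounts for the whole file; this checks only that outer TLV."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                          # short-form length
        length, header_len = first, 2
    else:                                     # long form: N length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header_len = 2 + n
    return header_len + length == len(data)


def der_to_pem(der: bytes) -> str:
    """Base64 the DER bytes in 64-column lines between the PEM markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem for the first CERTIFICATE block in the text."""
    pattern = re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER)
    m = re.search(pattern, pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def to_pem(data: bytes) -> str:
    """Return PEM text for either input encoding, or raise if it is neither."""
    if is_pem(data):
        return data.decode("ascii")
    if looks_like_der(data):
        return der_to_pem(data)
    raise ValueError("file is neither PEM nor DER")


# Constructed stand-in for a DER file: a well-formed outer SEQUENCE with a
# long-form length (0x82 0x01 0x00 = 256 bytes). It is NOT a certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


if __name__ == "__main__":
    # Usage: python3 certfmt.py isrgrootx1.cer   -> writes the file as PEM
    with open(sys.argv[1], "rb") as f:
        sys.stdout.write(to_pem(f.read()))
```

Run against the file that arrived as `isrgrootx1.cer`, this prints it unchanged if it already carries the BEGIN marker (the case in the thread, where only the suffix was odd) and base64-wraps it only if it is genuinely DER.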