Re: port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

2021-11-06 Thread Kastus Shchuka



> On Nov 6, 2021, at 7:53 PM, André-John Mas  wrote:
> 
> Does it make a difference if you test via sudo or your own user login?
> 

Well, it won't work as regular user. Regular user does not have write 
permissions to /opt/local tree.

On the other hand, it's plain dumb why it works for me. As you can see below, 
org.macports.fetch does not use HTTPS, it downloads over HTTP. Certificates are 
just irrelevant for that.

I am not sure what part of macports.conf controls protocol for fetch, I have 
not modified that file since 2017. (I guess I should have done it). I looked at 
the diff between my macports.conf and macports.conf.default from May 2021, and 
I don't see anything with regards to http/https. I must be missing something 
there.

Thanks,

Kastus

> André-John
> 
> Sent from my phone.
> 
>> On 06 Nov 2021, at 22:08, Kastus Shchuka  wrote:
>> 
>> Something does not add up here.
>> 
>> High Sierra is older than Mojave, right? I can fetch sources of nsd on High 
>> Sierra without any problems:
>> 
>> $ sudo port -d fetch nsd
>> DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to 
>> /opt/local/var/macports/home/Library/Preferences
>> DEBUG: Changing to port directory: 
>> /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd
>> DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386
>> DEBUG: adding the default universal variant
>> DEBUG: Reading variant descriptions from 
>> /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf
>> DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
>> DEBUG: Finished running callback 
>> portconfigure::add_automatic_compiler_dependencies
>> DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
>> DEBUG: Finished running callback 
>> portbuild::add_automatic_buildsystem_dependencies
>> DEBUG: Running callback portstartupitem::add_notes
>> DEBUG: Finished running callback portstartupitem::add_notes
>> DEBUG: Attempting ln -sf 
>> /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work
>>  
>> /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work
>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
>> DEBUG: Starting logging for nsd @4.2.1_2
>> DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386
>> DEBUG: MacPorts 2.7.1
>> DEBUG: Xcode 9.4.1
>> DEBUG: SDK 10.13
>> DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13
>> DEBUG: Executing org.macports.main (nsd)
>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
>> DEBUG: fetch phase started at Sat Nov  6 19:00:42 PDT 2021
>> --->  Fetching distfiles for nsd
>> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
>> DEBUG: Executing org.macports.fetch (nsd)
>> --->  nsd-4.2.1.tar.gz does not exist in 
>> /opt/local/var/macports/distfiles/nsd
>> --->  Attempting to fetch nsd-4.2.1.tar.gz from 
>> http://distfiles.macports.org/nsd
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>> 100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k
>> $ ls -l /opt/local/var/macports/distfiles/nsd
>> total 2240
>> -rw-r--r--  1 macports  wheel  1145713 Nov  6 19:00 nsd-4.2.1.tar.gz
>> 
>> I have MacPorts installed from a package, I did not build it, so it is 
>> pretty much standard. Nor did I do anything to the system certificate chain.
>> 
>>> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt  wrote:
>>> 
>>> 
>>> 
>>>> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:
>>>> 
>>>> I was looking at updating nsd (for which I am maintaining and it is high 
>>>> time)
>>>> 
>>>> But fetching failed on macOS Mojave (where I have my MacPorts setup).
>>>> 
>>>> :debug:fetch Executing org.macports.fetch (nsd)
>>>> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in 
>>>> /opt/local/var/macports/distfiles/nsd
>>>> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from 
>>>> https://www.nlnetlabs.nl/downloads/nsd/
>>>> :debug:fetch Fetching distfile failed: SSL certificate problem: 
>>>> certificate has expired
>>>> 
>>>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is 
>>>> the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port 
>>>> fetch on Catalina, and there it works and the distribution is downloaded.
>>>> 
>>>> It is strange, though, because Safari on both Catalina (other machine) and 
>>>> Mojave say the cert is fine. Still, it is most likely that this is a 
>>>> problem that comes from still using Mojave.
>>>> 
>>>> Updating that machine will not happen until late December, so if I am to 
>>>> maintain anything MacPorts, I 

Re: port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

2021-11-06 Thread André-John Mas
Does it make a difference if you test via sudo or your own user login?

André-John

Sent from my phone.

> On 06 Nov 2021, at 22:08, Kastus Shchuka  wrote:
> 
> Something does not add up here.
> 
> High Sierra is older than Mojave, right? I can fetch sources of nsd on High 
> Sierra without any problems:
> 
> $ sudo port -d fetch nsd
> DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to 
> /opt/local/var/macports/home/Library/Preferences
> DEBUG: Changing to port directory: 
> /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd
> DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386
> DEBUG: adding the default universal variant
> DEBUG: Reading variant descriptions from 
> /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf
> DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
> DEBUG: Finished running callback 
> portconfigure::add_automatic_compiler_dependencies
> DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
> DEBUG: Finished running callback 
> portbuild::add_automatic_buildsystem_dependencies
> DEBUG: Running callback portstartupitem::add_notes
> DEBUG: Finished running callback portstartupitem::add_notes
> DEBUG: Attempting ln -sf 
> /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work
>  
> /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work
> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
> DEBUG: Starting logging for nsd @4.2.1_2
> DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386
> DEBUG: MacPorts 2.7.1
> DEBUG: Xcode 9.4.1
> DEBUG: SDK 10.13
> DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13
> DEBUG: Executing org.macports.main (nsd)
> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
> DEBUG: fetch phase started at Sat Nov  6 19:00:42 PDT 2021
> --->  Fetching distfiles for nsd
> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
> DEBUG: Executing org.macports.fetch (nsd)
> --->  nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
> --->  Attempting to fetch nsd-4.2.1.tar.gz from 
> http://distfiles.macports.org/nsd
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k
> $ ls -l /opt/local/var/macports/distfiles/nsd
> total 2240
> -rw-r--r--  1 macports  wheel  1145713 Nov  6 19:00 nsd-4.2.1.tar.gz
> 
> I have MacPorts installed from a package, I did not build it, so it is pretty 
> much standard. Nor did I do anything to the system certificate chain.
> 
>> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt  wrote:
>> 
>> 
>> 
>>> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:
>>> 
>>> I was looking at updating nsd (for which I am maintaining and it is high 
>>> time)
>>> 
>>> But fetching failed on macOS Mojave (where I have my MacPorts setup).
>>> 
>>> :debug:fetch Executing org.macports.fetch (nsd)
>>> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in 
>>> /opt/local/var/macports/distfiles/nsd
>>> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from 
>>> https://www.nlnetlabs.nl/downloads/nsd/
>>> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate 
>>> has expired
>>> 
>>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is 
>>> the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port 
>>> fetch on Catalina, and there it works and the distribution is downloaded.
>>> 
>>> It is strange, though, because Safari on both Catalina (other machine) and 
>>> Mojave say the cert is fine. Still, it is most likely that this is a 
>>> problem that comes from still using Mojave.
>>> 
>>> Updating that machine will not happen until late December, so if I am to 
>>> maintain anything MacPorts, I need a fix to get this working again.
>>> 
>>> I have tried using curl on the Mojave machine, and that one works.
>>> 
>>> So, Safari works, curl works, but port does not work.
>>> 
>>> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that 
>>> doesn’t work either.
>> 
>> This is the "Let's Encrypt's old root certificate expired" problem described 
>> here:
>> 
>> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt
>> 
>> When you said "curl works but port does not work" that's not quite right. 
>> /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and 
>> /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not 
>> work for Let's Encrypt-protected sites anymore.
>> 
>> I, on High Sierra, have the same issue, and I have 

Re: port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

2021-11-06 Thread Kastus Shchuka
Something does not add up here.

High Sierra is older than Mojave, right? I can fetch sources of nsd on High 
Sierra without any problems:

$ sudo port -d fetch nsd
DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to 
/opt/local/var/macports/home/Library/Preferences
DEBUG: Changing to port directory: 
/opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd
DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386
DEBUG: adding the default universal variant
DEBUG: Reading variant descriptions from 
/opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf
DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
DEBUG: Finished running callback 
portconfigure::add_automatic_compiler_dependencies
DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
DEBUG: Finished running callback 
portbuild::add_automatic_buildsystem_dependencies
DEBUG: Running callback portstartupitem::add_notes
DEBUG: Finished running callback portstartupitem::add_notes
DEBUG: Attempting ln -sf 
/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work
 
/opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work
DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
DEBUG: Starting logging for nsd @4.2.1_2
DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386
DEBUG: MacPorts 2.7.1
DEBUG: Xcode 9.4.1
DEBUG: SDK 10.13
DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13
DEBUG: Executing org.macports.main (nsd)
DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
DEBUG: fetch phase started at Sat Nov  6 19:00:42 PDT 2021
--->  Fetching distfiles for nsd
DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
DEBUG: Executing org.macports.fetch (nsd)
--->  nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
--->  Attempting to fetch nsd-4.2.1.tar.gz from 
http://distfiles.macports.org/nsd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k
$ ls -l /opt/local/var/macports/distfiles/nsd
total 2240
-rw-r--r--  1 macports  wheel  1145713 Nov  6 19:00 nsd-4.2.1.tar.gz

I have MacPorts installed from a package, I did not build it, so it is pretty 
much standard. Nor did I do anything to the system certificate chain.

> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt  wrote:
> 
> 
> 
> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:
> 
>> I was looking at updating nsd (for which I am maintaining and it is high 
>> time)
>> 
>> But fetching failed on macOS Mojave (where I have my MacPorts setup).
>> 
>> :debug:fetch Executing org.macports.fetch (nsd)
>> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in 
>> /opt/local/var/macports/distfiles/nsd
>> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from 
>> https://www.nlnetlabs.nl/downloads/nsd/
>> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate 
>> has expired
>> 
>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is 
>> the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port 
>> fetch on Catalina, and there it works and the distribution is downloaded.
>> 
>> It is strange, though, because Safari on both Catalina (other machine) and 
>> Mojave say the cert is fine. Still, it is most likely that this is a problem 
>> that comes from still using Mojave.
>> 
>> Updating that machine will not happen until late December, so if I am to 
>> maintain anything MacPorts, I need a fix to get this working again.
>> 
>> I have tried using curl on the Mojave machine, and that one works.
>> 
>> So, Safari works, curl works, but port does not work.
>> 
>> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that 
>> doesn’t work either.
> 
> This is the "Let's Encrypt's old root certificate expired" problem described 
> here:
> 
> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt
> 
> When you said "curl works but port does not work" that's not quite right. 
> /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and 
> /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not 
> work for Let's Encrypt-protected sites anymore.
> 
> I, on High Sierra, have the same issue, and I have no solution for you. This 
> issue affects High Sierra and Mojave. I recommend upgrading to Catalina or 
> later; I plan to eventually.
> 
> Well, you could rebuild MacPorts from source, instructing it to use a newer 
> copy of libcurl with a newer copy of openssl or libressl that has a newer 
> certificate bundle. For example, install a 

Re: provide latest OS root certificates via port?

2021-11-06 Thread raf
On Fri, Nov 05, 2021 at 09:11:25PM -0400, "Richard L. Hamilton" 
 wrote:

> mpstats uses (by default the OS version of) libcurl (which you don't
> want to replace like that!) and not the executable, which is why
> what you tried didn't work (didn't work for me either when I'd tried
> earlier).
> 
> As things stand, one would have to get the MacPorts source (not a
> port!) and build it with an option to use its own version of curl /
> libcurl. Or so someone explained in response to a comment I'd made on
> a ticket about mpstats.

Thanks. It sounds like something that would be best
solved by a new version of MacPorts itself, so as to
solve the problem for all users with old systems.

cheers,
raf



Re: provide latest OS root certificates via port?

2021-11-06 Thread raf
On Sat, Nov 06, 2021 at 01:09:50AM +, Christopher Jones 
 wrote:

> 
> > 
> > Unfortunately, mpstats submit still doesn't work on 10.6.8,
> > even with /usr/bin/curl replaced with a symlink to
> > /opt/local/bin/curl. I don't understand that.
> > /usr/bin/curl https://ports.macports.org works there with
> > the symlink in place.
> 
> mpstats doesn’t use the command line curl utility, so that change will have no 
> impact on it.

Thanks.

> It uses the libcurl support compiled into macports base, which
> defaults to using the system curl. To change that you need to rebuild
> base against an updated libcurl.

Is that something that can be made to happen for all users by the creation
of a new version of something (e.g., tclsh or whatever is linking against
that library)?

> Chris

cheers,
raf



Re: port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

2021-11-06 Thread Ryan Schmidt



On Nov 6, 2021, at 05:39, Gerben Wierda wrote:

> I was looking at updating nsd (for which I am maintaining and it is high time)
> 
> But fetching failed on macOS Mojave (where I have my MacPorts setup).
> 
> :debug:fetch Executing org.macports.fetch (nsd)
> :info:fetch --->  nsd-4.3.8.tar.gz does not exist in 
> /opt/local/var/macports/distfiles/nsd
> :notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from 
> https://www.nlnetlabs.nl/downloads/nsd/
> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate 
> has expired
> 
> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is 
> the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port 
> fetch on Catalina, and there it works and the distribution is downloaded.
> 
> It is strange, though, because Safari on both Catalina (other machine) and 
> Mojave say the cert is fine. Still, it is most likely that this is a problem 
> that comes from still using Mojave.
> 
> Updating that machine will not happen until late December, so if I am to 
> maintain anything MacPorts, I need a fix to get this working again.
> 
> I have tried using curl on the Mojave machine, and that one works.
> 
> So, Safari works, curl works, but port does not work.
> 
> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that 
> doesn’t work either.

This is the "Let's Encrypt's old root certificate expired" problem described 
here:

https://trac.macports.org/wiki/ProblemHotlist#letsencrypt

When you said "curl works but port does not work" that's not quite right. 
/opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and 
/usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not 
work for Let's Encrypt-protected sites anymore.

I, on High Sierra, have the same issue, and I have no solution for you. This 
issue affects High Sierra and Mojave. I recommend upgrading to Catalina or 
later; I plan to eventually.

Well, you could rebuild MacPorts from source, instructing it to use a newer 
copy of libcurl with a newer copy of openssl or libressl that has a newer 
certificate bundle. For example, install a bootstrap copy of MacPorts in a 
separate prefix, install curl in that prefix, then rebuild your primary 
MacPorts from source, telling it to use the libcurl in the separate prefix. Any 
future upgrades to MacPorts base probably also have to be done from source; 
using "sudo port selfupdate" will not preserve your configure arguments and 
you'll be back to using the System's broken libcurl again.
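
Added example, not part of any message in this thread: a small shell/awk triage for `port -d fetch` or main.log text like the two excerpts quoted here, reporting for each distfile the URL scheme, the host, and whether certificate validation failed or never ran at all. The helper name `fetch_triage` and the verdict labels are assumptions; the sample input is constructed from the excerpts above, with the mail line wraps and quote markers kept.

```shell
#!/bin/sh
# Added example: triage MacPorts fetch attempts found in port debug output.
# fetch_triage is a hypothetical helper name, not a MacPorts command.
# Output per attempt: <distfile> <scheme> <host> <verdict>

fetch_triage() {
    awk '
    # Drop mail quote markers, log-level prefixes and the "--->" marker.
    function clean(s) {
        sub(/^[> ]+/, "", s)
        sub(/^:[a-z]+:[a-z]+ /, "", s)
        sub(/^DEBUG: /, "", s)
        sub(/^---> +/, "", s)
        sub(/[ \t\r]+$/, "", s)
        return s
    }
    function set_url(u) {
        scheme = "other"
        if (u ~ "^https://") scheme = "https"
        else if (u ~ "^http://") scheme = "http"
        host = u
        sub("^[a-z]+://", "", host)
        sub("[/:].*$", "", host)
    }
    # no-tls: certificate validation never ran for this transfer.
    # tls-ok: https attempt with no failure line logged after it.
    function flush() {
        if (file == "") return
        if (err == "") err = (scheme == "https") ? "tls-ok" : "no-tls"
        print file, scheme, host, err
        file = ""
    }
    {
        line = clean($0)
        if (want_url) {               # URL wrapped onto the following line
            if (line == "") next
            set_url(line); want_url = 0; next
        }
        if (line ~ /^Attempting to fetch /) {
            flush()
            n = split(line, w, " ")
            file = w[4]; err = ""; scheme = "?"; host = "?"
            if (n >= 6) set_url(w[6]); else want_url = 1
            next
        }
        if (file != "" && line ~ /^Fetching distfile failed:/)
            err = (line ~ /SSL certificate problem/) ? "tls-cert-failure" : "failed"
    }
    END { flush() }
    '
}

# Constructed sample: the failing and the working excerpt from this thread.
SAMPLE_LOG=':notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from 
https://www.nlnetlabs.nl/downloads/nsd/
:debug:fetch Fetching distfile failed: SSL certificate problem: certificate 
has expired
>> --->  Attempting to fetch nsd-4.2.1.tar.gz from 
>> http://distfiles.macports.org/nsd
>> 100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k'

printf '%s\n' "$SAMPLE_LOG" | fetch_triage
```

A `no-tls` verdict on one machine next to `tls-cert-failure` on another means the two runs are not comparable as evidence about the certificate store.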



port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

2021-11-06 Thread Gerben Wierda via macports-users
I was looking at updating nsd (for which I am maintaining and it is high time)

But fetching failed on macOS Mojave (where I have my MacPorts setup).

:debug:fetch Executing org.macports.fetch (nsd)
:info:fetch --->  nsd-4.3.8.tar.gz does not exist in 
/opt/local/var/macports/distfiles/nsd
:notice:fetch --->  Attempting to fetch nsd-4.3.8.tar.gz from 
https://www.nlnetlabs.nl/downloads/nsd/ 

:debug:fetch Fetching distfile failed: SSL certificate problem: certificate has 
expired

Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is the 
Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port fetch on 
Catalina, and there it works and the distribution is downloaded.

It is strange, though, because Safari on both Catalina (other machine) and 
Mojave say the cert is fine. Still, it is most likely that this is a problem 
that comes from still using Mojave.

Updating that machine will not happen until late December, so if I am to 
maintain anything MacPorts, I need a fix to get this working again.

I have tried using curl on the Mojave machine, and that one works.

So, Safari works, curl works, but port does not work.

I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that doesn’t 
work either.

Gerben Wierda



Re: provide latest OS root certificates via port?

2021-11-06 Thread Gerben Wierda via macports-users

> On 29 Oct 2021, at 17:09, Bill Cole 
>  wrote:
> 
> Yes: Anyone running Mojave or earlier is not exactly skydiving without a 
> parachute, but is doing something close. Perhaps it's akin to skydiving with 
> a homemade parachute…


To be fair: given that Apple does not announce life cycle for older OS 
versions, they simply stop sending out security patches and you only find out 
after the fact, people running Mojave are in a slightly different situation.

It only became clear very recently that Apple had in fact stopped supporting 
Mojave because there was no Mojave version of the most recent security patch. 
And while they stop sending out security patches, they do send out updated 
Safari versions for instance, in other words, it is a bit of a mixed message.

G