Re: authentication errors on 'make fetchindex' in /usr/ports
On Thu, Dec 03, 2020 at 04:57:53PM -0600, Bob Willcox wrote: > I am trying to upgrade a 12.1-stable system installed back in July to > 12.2-stable. > I downloaded the new ports hierarchy and now when I attempt to run 'make > fetchindex' > I get these errors: > > /usr/bin/env fetch -am -o /usr/ports/INDEX-12.bz2 > https://www.FreeBSD.org/ports/INDEX-12.bz2 > Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt > Authority X3 > 546533376:error:1416F086:SSL > routines:tls_process_server_certificate:certificate verify > failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: > fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error > Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt > Authority X3 > 546533376:error:1416F086:SSL > routines:tls_process_server_certificate:certificate verify > failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: > > Can someone help? Can you run the command by hand? I can, although I'm using: 12.2-RELEASE-p1 r368257+2ab1386b6891(releng/12.2). I seem to recall some work on the certificate repository pre 12.2-RELEASE, so you might be stuck in a weird spot. If I do this little bit of uglyness, we can see some details: openssl s_client -showcerts -connect www.freebsd.org:https < /dev/null | \ perl -ne '(/-BEGIN CERTIFICATE-/../-END CERTIFICATE-/) && print' | \ while read LINE; do case "$LINE" in "-BEGIN CERTIFICATE-") CERT="$LINE";; "-END CERTIFICATE-")echo -e "$CERT\n$LINE" | openssl x509 -text -noout;; *) CERT="$CERT\n$LINE";; esac done | \ grep -E '^Certificate:|Not|Issuer:|Subject:' depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = www.freebsd.org verify return:1 DONE Certificate: Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Not Before: Oct 17 20:36:10 2020 GMT Not After : Jan 15 20:36:10 2021 GMT Subject: CN = www.freebsd.org Certificate: Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Not Before: Mar 17 16:40:46 2016 GMT Not After : Mar 17 16:40:46 2021 GMT Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 So, do you have the glue for the current Let's Encrypt root in your store? As I recall, that had some intermediate cross-signing stuff expire recently. Doesn't seem like it would be an issue here. openssl x509 -text < /usr/share/certs/trusted/DST_Root_CA_X3.pem | \ grep -E '^Certificate:|Not|Issuer:|Subject:' Certificate: Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Not Before: Sep 30 21:12:19 2000 GMT Not After : Sep 30 14:01:15 2021 GMT Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 As a one-off, fetch has the --no-verify-hostname and --no-verify-peer options, but you'll probably want to update your system past a bad store since there are probably a bunch of Let's Encrypt certs out there these days. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: authentication errors on 'make fetchindex' in /usr/ports
On Thu, 3 Dec 2020, Bob Willcox wrote: I am trying to upgrade a 12.1-stable system installed back in July to 12.2-stable. I downloaded the new ports hierarchy and now when I attempt to run 'make fetchindex' I get these errors: /usr/bin/env fetch -am -o /usr/ports/INDEX-12.bz2 https://www.FreeBSD.org/ports/INDEX-12.bz2 Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: Can someone help? Thanks, Bob That looks like you need to run certctl(8): certctl rehash. This is the commit that brought it into 11-STABLE and 12-STABLE: https://svnweb.freebsd.org/base?view=revision&revision=357082 However, I recommend reading the man page for it first in case you have cert hashes already in a place like /etc/ssl/certs. It took me a bit by surprise because my hashes that were linked from a separate directory were removed. Sean -- s...@freebsd.org ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
authentication errors on 'make fetchindex' in /usr/ports
I am trying to upgrade a 12.1-stable system installed back in July to 12.2-stable. I downloaded the new ports hierarchy and now when I attempt to run 'make fetchindex' I get these errors: /usr/bin/env fetch -am -o /usr/ports/INDEX-12.bz2 https://www.FreeBSD.org/ports/INDEX-12.bz2 Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915: Can someone help? Thanks, Bob -- Bob Willcox| It's possible that the whole purpose of your life is to b...@immure.com | serve as a warning to others. Austin, TX | ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: 12-STABLE try to init thead-using libraries before threads and program crashes
On 27.11.2020 20:03, Konstantin Belousov wrote: libthr is cleanly linked too early, it should come after all consumers. Anyway, try this. diff --git a/lib/libthr/thread/thr_mutex.c b/lib/libthr/thread/thr_mutex.c index 57984ef6d0e..303386db7fe 100644 --- a/lib/libthr/thread/thr_mutex.c +++ b/lib/libthr/thread/thr_mutex.c @@ -384,6 +384,8 @@ __Tthr_mutex_init(pthread_mutex_t * __restrict mutex, struct pthread_mutex *pmtx; int ret; + _thr_check_init(); + if (mutex_attr != NULL) { ret = mutex_check_attr(*mutex_attr); if (ret != 0) It helps! -- // Lev Serebryakov ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"