Re: authentication errors on 'make fetchindex' in /usr/ports

2020-12-03 Thread John Kennedy
On Thu, Dec 03, 2020 at 04:57:53PM -0600, Bob Willcox wrote:
> I am trying to upgrade a 12.1-stable system installed back in July to 12.2-stable.
> I downloaded the new ports hierarchy and now when I attempt to run 'make fetchindex'
> I get these errors:
> 
> /usr/bin/env  fetch -am -o /usr/ports/INDEX-12.bz2 https://www.FreeBSD.org/ports/INDEX-12.bz2
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
> fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
> 
> Can someone help?

Can you run the command by hand?  I can, although I'm using:

12.2-RELEASE-p1 r368257+2ab1386b6891(releng/12.2).

I seem to recall some work on the certificate repository pre 12.2-RELEASE, so
you might be stuck in a weird spot.

If I do this little bit of ugliness, we can see some details:

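# Dump every certificate the server presents, then print issuer, subject
# and validity dates for each one.
openssl s_client -showcerts -connect www.freebsd.org:https < /dev/null | \
  perl -ne '(/-----BEGIN CERTIFICATE-----/../-----END CERTIFICATE-----/) && print' | \
  while read LINE; do
    case "$LINE" in
      # start of a PEM block: begin collecting
      "-----BEGIN CERTIFICATE-----")  CERT="$LINE";;
      # end of a PEM block: decode what was collected
      "-----END CERTIFICATE-----")    echo -e "$CERT\n$LINE" | openssl x509 -text -noout;;
      *)                              CERT="$CERT\n$LINE";;
    esac
  done | \
  grep -E '^Certificate:|Not|Issuer:|Subject:'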

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.freebsd.org
verify return:1
DONE

Certificate:
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Not Before: Oct 17 20:36:10 2020 GMT
Not After : Jan 15 20:36:10 2021 GMT
Subject: CN = www.freebsd.org
Certificate:
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

So, do you have the glue for the current Let's Encrypt root in your store?
As I recall, that had some intermediate cross-signing stuff expire recently.
Doesn't seem like it would be an issue here.

openssl x509 -text < /usr/share/certs/trusted/DST_Root_CA_X3.pem | \
grep -E '^Certificate:|Not|Issuer:|Subject:'

Certificate:
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3

As a one-off, fetch has the --no-verify-hostname and --no-verify-peer options,
but you'll probably want to update your system past a bad store since there
are probably a bunch of Let's Encrypt certs out there these days.
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
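
The message above checks that the root's PEM file exists under /usr/share/certs/trusted, but OpenSSL finds a CA in a certificate directory by a file named after the subject hash (`<hash>.0`), so the file can be present and still not be used. The following is an added example, not part of the original message; the function name `ca_hash_status` and the default directory are assumptions (the directory is the /etc/ssl/certs path mentioned later in the thread).

```sh
#!/bin/sh
# Added example (not from the thread). Report whether an OpenSSL-style
# certificate directory holds a hashed entry for a given CA certificate.

# ca_hash_status CERT_PEM [CERTS_DIR]
# Prints "present <file>", "mismatch <file>" or "missing <hash>.0".
ca_hash_status() {
    cert=$1
    dir=${2:-/etc/ssl/certs}   # assumed default directory
    # Name OpenSSL looks for when it searches a certificate directory.
    subj_hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 2
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
    found=""
    # Several CAs can share a hash; they are stored as .0, .1, ...
    for f in "$dir/$subj_hash".[0-9]*; do
        [ -e "$f" ] || continue          # unmatched glob or dangling link
        found=$f
        have=$(openssl x509 -noout -fingerprint -sha256 -in "$f" 2>/dev/null) || have=""
        if [ "$have" = "$want" ]; then
            echo "present $f"
            return 0
        fi
    done
    if [ -n "$found" ]; then
        echo "mismatch $found"           # same hash name, different certificate
    else
        echo "missing $subj_hash.0"      # nothing for OpenSSL to find
    fi
    return 1
}

# Example: ./script.sh /usr/share/certs/trusted/DST_Root_CA_X3.pem /etc/ssl/certs
if [ $# -gt 0 ]; then
    ca_hash_status "$@"
fi
```

A "missing" result for a root that exists under /usr/share/certs/trusted means the hashed directory has not been populated from it.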


Re: authentication errors on 'make fetchindex' in /usr/ports

2020-12-03 Thread Sean C. Farley

On Thu, 3 Dec 2020, Bob Willcox wrote:

I am trying to upgrade a 12.1-stable system installed back in July to 12.2-stable.  I downloaded the new ports hierarchy and now when I attempt to run 'make fetchindex'
I get these errors:

/usr/bin/env  fetch -am -o /usr/ports/INDEX-12.bz2 https://www.FreeBSD.org/ports/INDEX-12.bz2
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:

Can someone help?

Thanks,
Bob


That looks like you need to run certctl(8):  certctl rehash.

This is the commit that brought it into 11-STABLE and 12-STABLE: 
https://svnweb.freebsd.org/base?view=revision&revision=357082


However, I recommend reading the man page for it first in case you have 
cert hashes already in a place like /etc/ssl/certs.  It took me a bit by 
surprise because my hashes that were linked from a separate directory 
were removed.


Sean
--
s...@freebsd.org
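
The caveat in the message above is that `certctl rehash` removed hash links that pointed into a separate directory. The following added example (not part of the original message) lists such links beforehand so they can be recorded or moved first; the function name `foreign_cert_links` is hypothetical, and the trusted directory is passed as an argument, with /usr/share/certs/trusted taken from the earlier message as an assumed value (see certctl(8) for the directories it actually reads).

```sh
#!/bin/sh
# Added example (not from the thread): list hashed symlinks in a certificate
# directory whose targets lie outside the given trusted source directories.

# foreign_cert_links CERTS_DIR TRUSTED_DIR...
# Prints one "link -> target" line per symlink not backed by a trusted dir.
# Relative targets are resolved against CERTS_DIR; ".." is not normalised.
foreign_cert_links() {
    certs_dir=$1; shift
    for link in "$certs_dir"/*.[0-9]*; do
        [ -L "$link" ] || continue               # only symlinks are of interest
        target=$(readlink "$link")
        case "$target" in
            /*) ;;                               # absolute target, use as is
            *)  target="$certs_dir/$target" ;;   # relative to the link's directory
        esac
        owned=no
        for src in "$@"; do
            case "$target" in
                "${src%/}"/*) owned=yes; break ;;
            esac
        done
        [ "$owned" = yes ] || echo "$link -> $target"
    done
}

# Example: ./script.sh /etc/ssl/certs /usr/share/certs/trusted
if [ $# -gt 0 ]; then
    foreign_cert_links "$@"
fi
```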


authentication errors on 'make fetchindex' in /usr/ports

2020-12-03 Thread Bob Willcox
I am trying to upgrade a 12.1-stable system installed back in July to 12.2-stable.
I downloaded the new ports hierarchy and now when I attempt to run 'make fetchindex'
I get these errors:

/usr/bin/env  fetch -am -o /usr/ports/INDEX-12.bz2 https://www.FreeBSD.org/ports/INDEX-12.bz2
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.FreeBSD.org/ports/INDEX-12.bz2: Authentication error
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
546533376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:

Can someone help?

Thanks,
Bob

-- 
Bob Willcox     | It's possible that the whole purpose of your life is to
b...@immure.com | serve as a warning to others.
Austin, TX      |