Re: OpenBSD Errata: September 30, 2021 (libressl)

2021-09-30 Thread Stuart Henderson
On 2021-09-30, Sebastian Benoit wrote:
> An errata patch for LibreSSL has been released for OpenBSD 6.8 and
> OpenBSD 6.9.
>
> Compensate for the expiry of the DST Root X3 certificate.  The use of an
> unnecessary expired certificate in certificate chains can cause validation
> errors.
>
> Binary updates for the amd64, i386 and arm64 platforms are available
> via the syspatch utility.  Source code patches can be found on the
> respective errata page:
>
>   https://www.openbsd.org/errata68.html
>   https://www.openbsd.org/errata69.html
>
>

Note: you may have issues fetching the syspatches from your regular
mirror due to this issue.

Try fetching it normally first, as a number of mirrors are either
unaffected, or have a workaround on the server side, but if that fails
you have two options:

- edit /etc/installurl to allow you to fetch the syspatches. Either
switch https to http (the updates are signed and verified anyway), or
use another mirror (including ftp.usa.openbsd.org, ftp.hostserver.de,
cdn.openbsd.org).

- locate the expired certificate in /etc/ssl/cert.pem and remove it; it
is the one with this in the header above:
=== /O=Digital Signature Trust Co./CN=DST Root CA X3

If you're able to install the syspatch anyway (syspatch69-018_cert.tgz
or syspatch68-032_cert.tgz) then you don't need either of the above
steps.
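
The second option above, as an added example that is not part of the original message or of OpenBSD's own tooling: a shell function that writes a copy of the bundle without the entry under the quoted `===` header, so the copy can be diffed before it replaces /etc/ssl/cert.pem. It assumes each entry runs from its `=== subject` line to the next `-----END CERTIFICATE-----` line; the names strip_cert and count_certs are hypothetical.

```shell
#!/bin/sh
# Added example: drop one entry from a CA bundle laid out like /etc/ssl/cert.pem.
# Assumption: an entry starts at its "=== <subject>" line and ends at the next
# "-----END CERTIFICATE-----" line.

SUBJECT='/O=Digital Signature Trust Co./CN=DST Root CA X3'

# count_certs FILE: number of PEM certificates in FILE.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# strip_cert SUBJECT IN OUT: copy IN to OUT without the entry headed
# "=== SUBJECT". IN is never modified. Returns 0 only if exactly one
# complete entry was removed; otherwise OUT is deleted and 1 is returned.
strip_cert() {
    subject=$1 in=$2 out=$3
    # Pass the header through the environment so awk compares it literally.
    HDR="=== $subject" awk '
        $0 == ENVIRON["HDR"]                 { skip = 1; removed++; next }
        skip && /^-----END CERTIFICATE-----/ { skip = 0; next }
        !skip                                { print }
        END { exit (removed == 1 && !skip) ? 0 : 1 }
    ' "$in" > "$out" || { rm -f "$out"; return 1; }
}

# Stand-alone use: sh thisfile /etc/ssl/cert.pem /tmp/cert.pem.new
if [ "$#" -eq 2 ]; then
    strip_cert "$SUBJECT" "$1" "$2" &&
        echo "certificates: $(count_certs "$1") -> $(count_certs "$2")"
fi
```

Compare the two files with diff before installing the new one; a non-zero return means the header was not found exactly once and nothing was written.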




OpenBSD Errata: September 30, 2021 (libressl)

2021-09-30 Thread Sebastian Benoit
An errata patch for LibreSSL has been released for OpenBSD 6.8 and
OpenBSD 6.9.

Compensate for the expiry of the DST Root X3 certificate.  The use of an
unnecessary expired certificate in certificate chains can cause validation
errors.

Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility.  Source code patches can be found on the
respective errata page:

  https://www.openbsd.org/errata68.html
  https://www.openbsd.org/errata69.html