Re: Problems with sites using Let's Encrypt certificates

2021-10-14 Thread James Cook
On Thu, Oct 14, 2021 at 03:19:50AM -0400, Pierre Abbat wrote:
> On Wednesday, October 13, 2021 8:40:11 PM EDT James Cook wrote:
> > - If you upgrade to DragonflyBSD 6.0.1, the problem will go away. See
> > 
> >   https://www.dragonflydigest.com/2021/10/13/26267.html
> 
> I'm running 6.1.0.3. Should I upgrade to the latest master?
> 
> Pierre

On master, I think this is the commit where it got fixed, dated Oct 1:

https://gitweb.dragonflybsd.org/dragonfly.git/commit/a8c12d712d94f2b0a5770db307512179706bad0c

So if you last upgraded before that, that will probably fix it for you.

-- 
James


Re: Problems with sites using Let's Encrypt certificates

2021-10-14 Thread Pierre Abbat
On Wednesday, October 13, 2021 8:40:11 PM EDT James Cook wrote:
> - If you upgrade to DragonflyBSD 6.0.1, the problem will go away. See
> 
>   https://www.dragonflydigest.com/2021/10/13/26267.html

I'm running 6.1.0.3. Should I upgrade to the latest master?

Pierre

-- 
li ze te'a ci vu'u ci bi'e te'a mu du
li ci su'i ze te'a mu bi'e vu'u ci





Re: Problems with sites using Let's Encrypt certificates

2021-10-13 Thread James Cook
> I remain puzzled, however, why the mirror-master.dragonflybsd.org site
> could have had an expired Web certificate for the last two weeks
> without manual repair and reports on this list that first appeared on
> 30-Sep-2021, the day the certificate expired.

This sounds like a known issue with LetsEncrypt and dfly 6.0.0's
version of LibreSSL.

Assuming that's the case, here's a summary:

- No, the certificate is not out of date.

- Your client doesn't like the certificate chain presented by the
  server because the last certificate in the chain has expired.

- Most clients (including newer versions of LibreSSL) accept the chain
  because the second-last certificate in a chain is actually a root
  certificate. So, the last one can be ignored.

- If you upgrade to DragonflyBSD 6.0.1, the problem will go away. See

  https://www.dragonflydigest.com/2021/10/13/26267.html

- LetsEncrypt is still including that expired certificate at the end of
  the chain in order to maintain compatibility with older versions of
  Android. I guess those Android versions don't trust that second-last
  cert, and have an exception so they trust the last cert in the chain
  beyond its normal lifetime.

-- 
James
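
Added example, not part of James's post and not LibreSSL code: a small Python model of the three client behaviours the summary above describes (a verifier that walks the chain to its end, one that stops at the first trusted root, and the old-Android exception the post guesses at). Only the "DST Root CA X3" name and its notAfter time come from this thread; every other name, key id and date is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str            # stands in for the certificate's public key
    not_after: datetime

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

DST_EXPIRY = utc(2021, 9, 30, 14, 1, 15)   # notAfter quoted in the thread
NOW = utc(2021, 10, 13)                    # date of the post

# Constructed chain in the shape the post describes: the last certificate
# has expired, the second-last carries a key that newer clients trust as a root.
CHAIN = [
    Cert("mirror.example", "Example Intermediate", "key-leaf", utc(2021, 12, 29)),
    Cert("Example Intermediate", "Example Root", "key-int", utc(2025, 1, 1)),
    Cert("Example Root", "DST Root CA X3", "key-root", utc(2024, 1, 1)),
    Cert("DST Root CA X3", "DST Root CA X3", "key-dst", DST_EXPIRY),
]

# Trust stores map a trusted key to the expiry of the stored root certificate.
MODERN_STORE = {"key-root": utc(2035, 1, 1), "key-dst": DST_EXPIRY}
ANDROID_STORE = {"key-dst": DST_EXPIRY}    # assumed: lacks the newer root

def verify(chain, anchors, now, stop_at_first_anchor=True,
           enforce_anchor_expiry=True):
    """Return (ok, reason) for one of the modelled client behaviours."""
    for depth, cert in enumerate(chain):
        is_last = depth == len(chain) - 1
        anchor_expiry = anchors.get(cert.key_id)
        if anchor_expiry is not None and (stop_at_first_anchor or is_last):
            if enforce_anchor_expiry and now > anchor_expiry:
                return False, f"depth={depth} {cert.subject}: certificate has expired"
            return True, f"anchored at depth={depth} on {cert.subject}"
        if now > cert.not_after:
            return False, f"depth={depth} {cert.subject}: certificate has expired"
        if is_last or cert.issuer != chain[depth + 1].subject:
            return False, f"depth={depth} {cert.subject}: no path to a trust anchor"
    return False, "empty chain"

if __name__ == "__main__":
    print("walks to end :", verify(CHAIN, MODERN_STORE, NOW, stop_at_first_anchor=False))
    print("stops at root:", verify(CHAIN, MODERN_STORE, NOW))
    print("old Android  :", verify(CHAIN, ANDROID_STORE, NOW, enforce_anchor_expiry=False))
    print("Android, last cert dropped:",
          verify(CHAIN[:3], ANDROID_STORE, NOW, enforce_anchor_expiry=False))
```

The last call shows why dropping the expired certificate from the chain would break the modelled old-Android client: it no longer reaches any key it trusts.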


Re: Problems with sites using Let's Encrypt certificates

2021-10-13 Thread Nelson H. F. Beebe
Thanks to help from my colleague who is a network expert, the failure
of "pkg install pkg" on my new DragonFlyBSD 6.0 VM has been resolved.

Here is what one saw repeatedly over the last two weeks:

# pkg install pkg
Updating Avalon repository catalogue...

Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
...

Here is what we did to diagnose and workaround the failure:

(1) On another machine, check the certificates on the DragonFlyBSD master site:

% openssl s_client -connect mirror-master.dragonflybsd.org:443 -showcerts
CONNECTED(0003) 

depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3

verify error:num=10:certificate has expired 

notAfter=Sep 30 14:01:15 2021 GMT   

... long output ...

 I'm advised that such certificates expire in about 90 days, and
 then renew automatically, so by the end of December, my VM might
 finally be usable.  That is hardly acceptable.

(2) On the VM running the new 6.0 release, look at this file:

% less /usr/local/etc/pkg/repos/df-latest.conf
# If multiple repositories are enabled, they are ordered by their priorities
# and then listing orders.

# United States, California
Avalon: {
url : https://mirror-master.dragonflybsd.org/dports/${ABI}/LATEST,
mirror_type : NONE,
signature_type  : NONE,
pubkey  : NONE,
fingerprints: /usr/share/fingerprints,
priority: 0,
enabled : yes
}

 There are 31 mirror sites listed, but all but the first have "enabled: no".

(3)  Use step (1) above to check the certificates of `nearby' mirrors
 successively until finding that mirrors.nycbug.org has a
 still-valid certificate.

(4) Set "enabled: no" in the df-latest.conf file for mirror-master.dragonflybsd.org
 and "enabled: yes" for mirrors.nycbug.org.

(5) Run
# pkg install pkg
 success 

# pkg install ... many more 

My VM is now usable, and up to date.

I remain puzzled, however, why the mirror-master.dragonflybsd.org site
could have had an expired Web certificate for the last two weeks
without manual repair and reports on this list that first appeared on
30-Sep-2021, the day the certificate expired.

194) 30-Sep Antonio Huete = Problems with sites using Let's Encrypt certificates (9820 chars)
195) 30-Sep Antonio Huete = Re: Problems with sites using Let's Encrypt certificates (10187 chars)
197)  1-Oct =?UTF-8?B?SsOhd Re: Problems with sites using Let's Encrypt certificates (20573 chars)
198)  6-Oct "Nelson H. F. B Re: Problems with sites using Let's Encrypt certificates (2526 chars)
    199)  6-Oct Phansi      Re: Problems with sites using Let's Encrypt certificates (12079 chars)
    200)  6-Oct Antonio Huete = Re: Problems with sites using Let's Encrypt certificates (11948 chars)

Also, if the df-latest.conf file had 2 or 3 sites with "enabled: yes",
then I expect that the pkg command might have retried on multiple
sites to find a working mirror.  In the Linux world, I've seen
package installers try another mirror if one is unreachable.

---
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: be...@math.utah.edu  -
- 155 S 1400 E RM 233                       be...@acm.org  be...@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
---


Re: Problems with sites using Let's Encrypt certificates

2021-10-06 Thread Phansi
> Antonio reports about the certificate verification problem
> for the DragonFlyBSD package system:
> 
> >> There is a fix already available, please check:
> >>
> >> https://lists.dragonflybsd.org/pipermail/users/2021-October/404826.html

Thanks for this, I overlooked this message. This worked.
 
> I saw that response when it was originally posted, but I have a newly
> installed VM with no working package system, and no interest in
> building kernels or anything else on DragonFlyBSD from remote source
> code repositories.  What does
> 
> >> Only a 'world' upgrade is needed, please proceed with the usual
> >> procedure
> 
> mean in my context?  The phrase "world" does not exist in the output
> of "man pkg".
> 
> I need to install scores of packages on this VM before it can be used
> for my work in software testing and development.

I believe the suggested solution requires download of sources and most likely 
has not much (if anything) to do with pkg.

-- 
cheers
phansi



Re: Problems with sites using Let's Encrypt certificates

2021-10-06 Thread Nelson H. F. Beebe
Antonio reports about the certificate verification problem
for the DragonFlyBSD package system:

>> There is a fix already available, please check:
>>
>> https://lists.dragonflybsd.org/pipermail/users/2021-October/404826.html

I saw that response when it was originally posted, but I have a newly
installed VM with no working package system, and no interest in
building kernels or anything else on DragonFlyBSD from remote source
code repositories.  What does

>> Only a 'world' upgrade is needed, please proceed with the usual
>> procedure

mean in my context?  The phrase "world" does not exist in the output
of "man pkg".

I need to install scores of packages on this VM before it can be used
for my work in software testing and development.


---
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: be...@math.utah.edu  -
- 155 S 1400 E RM 233                       be...@acm.org  be...@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
---


Re: Problems with sites using Let's Encrypt certificates

2021-10-06 Thread Antonio Huete Jiménez

There is a fix already available, please check:

   https://lists.dragonflybsd.org/pipermail/users/2021-October/404826.html


Quoting Phansi :


Yes, just checked, I have a similar error on pkg update

#pkg update

Updating Avalon repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34368467136:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:/usr/src/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1138:

pkg: https://mirror-master.dragonflybsd.org/dports/dragonfly:6.0:x86:64/LATEST/packagesite.txz: Authentication error

Unable to update repository Avalon
Error updating repositories

And I am an idiot, should not have done that! Repo deleted it looks  
like. Oh well.


#pkg search pkg
pkg: Repository Avalon missing. 'pkg update' required

On Wed, 6 Oct 2021 08:28:31 -0600
"Nelson H. F. Beebe"  wrote:


Earlier this week, it was reported that the expired Let's Encrypt
certificate problem has been resolved.

However, on two DragonFlyBSD 6.0 VMs at my site, one created from an
RC1 ISO image, and the other more recently from the official ISO image
dfly-x86_64-6.0.0_REL.iso dated 7-May-2021, I still get certificate
verification failures.

For the new VM, this means I cannot even install the pkg command:

# pkg install pkg
Updating Avalon repository catalogue...
	Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3

...

Can other list readers confirm whether they too still have similar
problems?

Some pkg systems on Linux have ways to temporarily disable certificate
checking, but I could not spot a similar option in the DragonFlyBSD
pkg command collection.

Advice welcome!


---
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: be...@math.utah.edu  -
- 155 S 1400 E RM 233                       be...@acm.org  be...@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -

---




--
cheers
phansi






Re: Problems with sites using Let's Encrypt certificates

2021-10-06 Thread Phansi
Yes, just checked, I have a similar error on pkg update

#pkg update

Updating Avalon repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34368467136:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:/usr/src/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1138:

pkg: https://mirror-master.dragonflybsd.org/dports/dragonfly:6.0:x86:64/LATEST/packagesite.txz: Authentication error
Unable to update repository Avalon
Error updating repositories

And I am an idiot, should not have done that! Repo deleted it looks like. Oh 
well.

#pkg search pkg
pkg: Repository Avalon missing. 'pkg update' required

On Wed, 6 Oct 2021 08:28:31 -0600
"Nelson H. F. Beebe"  wrote:

> Earlier this week, it was reported that the expired Let's Encrypt
> certificate problem has been resolved.  
> 
> However, on two DragonFlyBSD 6.0 VMs at my site, one created from an
> RC1 ISO image, and the other more recently from the official ISO image
> dfly-x86_64-6.0.0_REL.iso dated 7-May-2021, I still get certificate
> verification failures.
> 
> For the new VM, this means I cannot even install the pkg command:
> 
>   # pkg install pkg
>   Updating Avalon repository catalogue...
>   Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>   ...
> 
> Can other list readers confirm whether they too still have similar
> problems?
> 
> Some pkg systems on Linux have ways to temporarily disable certificate
> checking, but I could not spot a similar option in the DragonFlyBSD
> pkg command collection.
> 
> Advice welcome!
> 
> 
> ---
> - Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
> - University of Utah                    FAX: +1 801 581 4148                  -
> - Department of Mathematics, 110 LCB    Internet e-mail: be...@math.utah.edu  -
> - 155 S 1400 E RM 233                       be...@acm.org  be...@computer.org -
> - Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
> ---



-- 
cheers
phansi



Re: Problems with sites using Let's Encrypt certificates

2021-10-06 Thread Nelson H. F. Beebe
Earlier this week, it was reported that the expired Let's Encrypt
certificate problem has been resolved.  

However, on two DragonFlyBSD 6.0 VMs at my site, one created from an
RC1 ISO image, and the other more recently from the official ISO image
dfly-x86_64-6.0.0_REL.iso dated 7-May-2021, I still get certificate
verification failures.

For the new VM, this means I cannot even install the pkg command:

# pkg install pkg
Updating Avalon repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
...

Can other list readers confirm whether they too still have similar
problems?

Some pkg systems on Linux have ways to temporarily disable certificate
checking, but I could not spot a similar option in the DragonFlyBSD
pkg command collection.

Advice welcome!


---
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: be...@math.utah.edu  -
- 155 S 1400 E RM 233                       be...@acm.org  be...@computer.org -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe/ -
---


Re: Problems with sites using Let's Encrypt certificates

2021-10-01 Thread Jávorszky Balázs
Hi,

For "world upgrade" is the following correct? Actually this is what I
did and it worked. I couldn't find a definite description of the process.

```bash
cd /usr
make src-update
cd /usr/src
# Check the branch:
# git branch -r
# Do the checkout if needed:
# git checkout DragonFly_whatever_release
# Note: I've had buildworld already before
make quickworld
make installworld
# Finished, no need for reboot.
# Note: the following produced errors:
# make -j$(sysctl -n hw.ncpu) installworld
```

Regards,
Balázs

On 10/1/21 10:32 AM, Antonio Huete Jiménez wrote:

> A fix is now available in branches: master, DragonFly_RELEASE_6_0 and
> DragonFly_RELEASE_5_8.
>
> Only a 'world' upgrade is needed, please proceed with the usual
> procedure.
>
> - The DragonFly BSD team
>
>
> Quoting Antonio Huete Jiménez :
>
>> Dear users,
>>
>> As you may be already aware, a Let's Encrypt root CA certificate
>> expired today. That is causing problems with our base LibreSSL but
>> not with the DPorts one, we don't know why yet.
>> You might see an error similar to this one when doing any pkg operation:
>>
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> 34380633924:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:/home/antonioh/s/dragonfly/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1138:
>> fetch: https://mirror-eu-1.dragonflybsd.org/dports/dragonfly:6.0:x86:64/LATEST/packagesite.txz: Authentication error
>>
>> We are working on it already, will update this thread once it's fixed.
>>
>> - The DragonFly BSD team
>
>
>



Re: Problems with sites using Let's Encrypt certificates

2021-10-01 Thread Antonio Huete Jiménez
A fix is now available in branches: master, DragonFly_RELEASE_6_0 and  
DragonFly_RELEASE_5_8.


Only a 'world' upgrade is needed, please proceed with the usual procedure.

- The DragonFly BSD team


Quoting Antonio Huete Jiménez :


Dear users,

As you may be already aware, a Let's Encrypt root CA certificate  
expired today. That is causing problems with our base LibreSSL but  
not with the DPorts one, we don't know why yet.

You might see an error similar to this one when doing any pkg operation:

Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34380633924:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:/home/antonioh/s/dragonfly/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1138:
fetch: https://mirror-eu-1.dragonflybsd.org/dports/dragonfly:6.0:x86:64/LATEST/packagesite.txz: Authentication error


We are working on it already, will update this thread once it's fixed.

- The DragonFly BSD team






Problems with sites using Let's Encrypt certificates

2021-09-30 Thread Antonio Huete Jiménez

Dear users,

As you may be already aware, a Let's Encrypt root CA certificate  
expired today. That is causing problems with our base LibreSSL but not  
with the DPorts one, we don't know why yet.

You might see an error similar to this one when doing any pkg operation:

Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34380633924:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:/home/antonioh/s/dragonfly/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1138:
fetch: https://mirror-eu-1.dragonflybsd.org/dports/dragonfly:6.0:x86:64/LATEST/packagesite.txz: Authentication error


We are working on it already, will update this thread once it's fixed.

- The DragonFly BSD team