Re: cryptic pkgin SSL cert error
On Tue, 23 Apr 2024 at 15:24, Martin Husemann wrote:
>
> On Tue, Apr 23, 2024 at 03:17:14PM +0100, David Brownlee wrote:
> > However, while better checking of trust anchors is a better end state
> > - assuming I am understanding the situation correctly: in an
> > effectively unannounced change, pkgin on a -9 system without either
> > security/mozilla-rootcerts-openssl installed or /etc/openssl will now
> > just fail, including any attempt to install mozilla-rootcerts-openssl
> > to resolve.
>
> Only if the binary pkgs repository URL was using https.
> Default setup used to be http:

Aha, thanks! - that would be the item of information I lacked :)

> > This requires manual intervention to set an environment variable to
> > allow mozilla-rootcerts-openssl to be installed, or otherwise set up
> > /etc/openssl. That would appear to be an unhelpful change, to the
> > extent that I would propose pkgin on netbsd < 10 might be better to
> > default to disabling checking trust anchors (with a warning).
>
> Edit the URL, install mozilla-rootcerts-openssl, change the URL back.

I would still classify it as unhelpful, but if it is only affecting
users who have changed their setup from the recommended, then it is
more of a "it would be good to see if there is a way to help them"
rather than an "oops!!" :-p

I also appreciate the amount of bikeshedding and general pulling at
different angles it took to get to where we are with it working well
on -10... so as long as the default & recommended pkgin install on
< netbsd-10 is for http rather than https, I'm inclined to leave well
enough alone

Thanks

David
Re: cryptic pkgin SSL cert error
On Tue, Apr 23, 2024 at 03:17:14PM +0100, David Brownlee wrote:
> However, while better checking of trust anchors is a better end state
> - assuming I am understanding the situation correctly: in an
> effectively unannounced change, pkgin on a -9 system without either
> security/mozilla-rootcerts-openssl installed or /etc/openssl will now
> just fail, including any attempt to install mozilla-rootcerts-openssl
> to resolve.

Only if the binary pkgs repository URL was using https.
Default setup used to be http:

> This requires manual intervention to set an environment variable to
> allow mozilla-rootcerts-openssl to be installed, or otherwise set up
> /etc/openssl. That would appear to be an unhelpful change, to the
> extent that I would propose pkgin on netbsd < 10 might be better to
> default to disabling checking trust anchors (with a warning).

Edit the URL, install mozilla-rootcerts-openssl, change the URL back.

Martin
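The procedure Martin gives above (point the repository at http, install security/mozilla-rootcerts-openssl, point it back at https), as an added shell example that is not part of this thread and is not code from pkgin or pkgsrc. It also answers David's earlier question of what is in /etc/openssl, by checking for trust anchors before touching anything, and it confirms the fix the same way the original report failed: with an OpenSSL client connection to the repository host, which prints a readable verify result instead of the 1416F086 error. Assumed, not stated in the thread: each repository in repositories.conf is a bare URL on its own line, openssl(1) and pkgin(1) are on PATH, cdn.netbsd.org is the host to verify against, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread, not pkgin's own code): bootstrap TLS
# trust anchors for pkgin on a NetBSD 9.x host whose /etc/openssl is empty.
# Assumptions: repositories.conf holds one bare URL per line (plus comments),
# openssl(1) and pkgin(1) are on PATH, and cdn.netbsd.org is the repo host.

REPO_CONF="${REPO_CONF:-/usr/pkg/etc/pkgin/repositories.conf}"
CERT_DIR="${CERT_DIR:-/etc/openssl}"
REPO_HOST="${REPO_HOST:-cdn.netbsd.org}"

# has_trust_anchors DIR: succeed if DIR holds at least one PEM certificate,
# either as a cert.pem bundle or as files under certs/. A missing or empty
# directory is exactly the state that makes OpenSSL report
# "certificate verify failed" for every https fetch.
has_trust_anchors() {
    dir=$1
    [ -d "$dir" ] || return 1
    if [ -s "$dir/cert.pem" ] && grep -q 'BEGIN CERTIFICATE' "$dir/cert.pem"; then
        return 0
    fi
    grep -qs 'BEGIN CERTIFICATE' "$dir"/certs/* 2>/dev/null
}

# repo_scheme FILE: print the URL scheme of the first repository line.
repo_scheme() {
    sed -n 's|^\([a-z][a-z]*\)://.*|\1|p' "$1" | head -n 1
}

# set_repo_scheme FILE FROM TO: rewrite "FROM://" to "TO://" on every
# repository line of FILE in place, keeping the previous copy as FILE.orig.
# "^http://" does not match "https://", so the two directions are distinct.
set_repo_scheme() {
    file=$1 from=$2 to=$3
    [ -f "$file" ] || return 1
    cp "$file" "$file.orig"
    sed "s|^${from}://|${to}://|" "$file.orig" > "$file"
}

# tls_verify_ok HOST: succeed if an OpenSSL client, using the default
# certificate directory (the same one pkgin's fetch code relies on), can
# validate HOST's certificate chain.
tls_verify_ok() {
    host=$1
    out=$(printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" 2>&1)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# bootstrap_trust_anchors: the thread's three-step procedure, with a check
# first and a verification afterwards.
bootstrap_trust_anchors() {
    if has_trust_anchors "$CERT_DIR"; then
        echo "$CERT_DIR already has trust anchors; nothing to do"
        return 0
    fi
    echo "no trust anchors in $CERT_DIR; fetching root certs over http first"
    set_repo_scheme "$REPO_CONF" https http || return 1
    pkgin update && pkgin -y install mozilla-rootcerts-openssl
    status=$?
    # Switch back to https whether or not the install worked, so a failed
    # bootstrap does not leave the host pulling packages over plaintext.
    set_repo_scheme "$REPO_CONF" http https
    [ "$status" -eq 0 ] || return "$status"
    if ! tls_verify_ok "$REPO_HOST"; then
        echo "TLS verification to $REPO_HOST still fails; check $CERT_DIR" >&2
        return 1
    fi
    pkgin update
}

# Only act when explicitly asked; sourcing the file just defines the functions.
case "${1:-}" in
    bootstrap) bootstrap_trust_anchors ;;
esac
```

Run it as root with the single argument `bootstrap`. One caveat that follows from Greg's point about the sysadmin choosing trust anchors: the root-certificate package itself is fetched over plain http in the first step, so whatever trust the host ends up with rests on that one unauthenticated download. Where that is not acceptable, populate /etc/openssl from a trusted medium instead and skip the http step; the check and the `openssl s_client` verification still apply.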
Re: cryptic pkgin SSL cert error
On Tue, 23 Apr 2024 at 12:45, Greg Troxel wrote:
>
> David Brownlee writes:
>
> > Do you have security/mozilla-rootcerts-openssl installed? (which
> > should provide a full set of certs in /etc/openssl). Alternatively
> > what do you have in /etc/openssl
> >
> > For netbsd-10 /etc/openssl is populated by the OS, but doing that
> > would be a breaking change on netbsd-9, however it may be that the
> > latest pkgin is enforcing SSL certificates by default on netbsd-9
> > which would be... unhelpful in this case
>
> I don't see it as unhelpful -- doctrine has always been that the sysadmin
> should choose which CAs to configure as trust anchors. In 10, that's
> still more or less doctrine, except the default set is mozilla (or ish)
> rather than the empty set. If you haven't set up trust anchors, lots of
> things are troubled.

For -10, or systems which ship with trust anchors in /etc/openssl or
equivalent I would agree the changed behaviour is an absolute improvement.

However, while better checking of trust anchors is a better end state
- assuming I am understanding the situation correctly: in an
effectively unannounced change, pkgin on a -9 system without either
security/mozilla-rootcerts-openssl installed or /etc/openssl will now
just fail, including any attempt to install mozilla-rootcerts-openssl
to resolve.

This requires manual intervention to set an environment variable to
allow mozilla-rootcerts-openssl to be installed, or otherwise set up
/etc/openssl. That would appear to be an unhelpful change, to the
extent that I would propose pkgin on netbsd < 10 might be better to
default to disabling checking trust anchors (with a warning).

If I have misunderstood the situation - my apologies.

David
Re: cryptic pkgin SSL cert error
David Brownlee wrote:
> On Tue, 23 Apr 2024 at 02:27, beaker wrote:
> > I have a 9.3/i386 VM on which I recently ran
> > $ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove
> >
> > which worked but subsequent attempts to use pkgin report the following
> > error:
> >
> > --
> > $ sudo pkgin update
> > cleaning database from
> > http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries...
> > reading local summary...
> > processing local summary...
> > processing remote summary
> > (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)...
> > 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> > 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> > 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> > pkgin: Could not fetch
> > https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz:
> > Authentication error
> > --
> >
> > A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so
> > it only uses http not https but I'd really rather not do that going
> > forward so I'm looking for some guidance on how to fix whatever
> > is causing this SSL certificate verification error.
> >
> > System info:
> > $ pkgin -v
> > pkgin 23.8.1 (using SQLite 3.26.0)
> > $ uname -a |cut -d' ' -f4-12
> > NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC
> > $ uname -m
> > i386
>
> Do you have security/mozilla-rootcerts-openssl installed? (which
> should provide a full set of certs in /etc/openssl). Alternatively
> what do you have in /etc/openssl
>
> For netbsd-10 /etc/openssl is populated by the OS, but doing that
> would be a breaking change on netbsd-9, however it may be that the
> latest pkgin is enforcing SSL certificates by default on netbsd-9
> which would be... unhelpful in this case

Thanks, installing the mozilla-rootcerts-openssl pkg then re-editing
../pkgin/repositories.conf to use "https" worked.

You're probably right about this being sort of a transitory issue
mostly affecting 9.x, I just hadn't encountered it before and I've a
handful of 9.x systems. Probably the aforementioned rootcert pkg is
already present on those.

-B
Re: cryptic pkgin SSL cert error
David Brownlee writes:

> Do you have security/mozilla-rootcerts-openssl installed? (which
> should provide a full set of certs in /etc/openssl). Alternatively
> what do you have in /etc/openssl
>
> For netbsd-10 /etc/openssl is populated by the OS, but doing that
> would be a breaking change on netbsd-9, however it may be that the
> latest pkgin is enforcing SSL certificates by default on netbsd-9
> which would be... unhelpful in this case

I don't see it as unhelpful -- doctrine has always been that the sysadmin
should choose which CAs to configure as trust anchors. In 10, that's
still more or less doctrine, except the default set is mozilla (or ish)
rather than the empty set. If you haven't set up trust anchors, lots of
things are troubled.
Re: cryptic pkgin SSL cert error
On Tue, 23 Apr 2024 at 02:27, beaker wrote:
>
> Hello,
>
> I have a 9.3/i386 VM on which I recently ran
> $ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove
>
> which worked but subsequent attempts to use pkgin report the following error:
>
> --
> $ sudo pkgin update
> cleaning database from
> http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries...
> reading local summary...
> processing local summary...
> processing remote summary
> (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)...
> 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> 3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
> pkgin: Could not fetch
> https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz:
> Authentication error
> --
>
> A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so
> it only uses http not https but I'd really rather not do that going
> forward so I'm looking for some guidance on how to fix whatever
> is causing this SSL certificate verification error.
>
> System info:
> $ pkgin -v
> pkgin 23.8.1 (using SQLite 3.26.0)
> $ uname -a |cut -d' ' -f4-12
> NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC
> $ uname -m
> i386

Do you have security/mozilla-rootcerts-openssl installed? (which
should provide a full set of certs in /etc/openssl). Alternatively
what do you have in /etc/openssl

For netbsd-10 /etc/openssl is populated by the OS, but doing that
would be a breaking change on netbsd-9, however it may be that the
latest pkgin is enforcing SSL certificates by default on netbsd-9
which would be... unhelpful in this case

David
cryptic pkgin SSL cert error
Hello,

I have a 9.3/i386 VM on which I recently ran
$ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove

which worked but subsequent attempts to use pkgin report the following error:

--
$ sudo pkgin update
cleaning database from
http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries...
reading local summary...
processing local summary...
processing remote summary
(https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)...
3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
3061459968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
pkgin: Could not fetch
https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz:
Authentication error
--

A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so
it only uses http not https but I'd really rather not do that going
forward so I'm looking for some guidance on how to fix whatever
is causing this SSL certificate verification error.

System info:
$ pkgin -v
pkgin 23.8.1 (using SQLite 3.26.0)
$ uname -a |cut -d' ' -f4-12
NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC
$ uname -m
i386