Something does not add up here. High Sierra is older than Mojave, right? I can fetch sources of nsd on High Sierra without any problems:
$ sudo port -d fetch nsd DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to /opt/local/var/macports/home/Library/Preferences DEBUG: Changing to port directory: /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386 DEBUG: adding the default universal variant DEBUG: Reading variant descriptions from /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies DEBUG: Finished running callback portconfigure::add_automatic_compiler_dependencies DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies DEBUG: Finished running callback portbuild::add_automatic_buildsystem_dependencies DEBUG: Running callback portstartupitem::add_notes DEBUG: Finished running callback portstartupitem::add_notes DEBUG: Attempting ln -sf /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work DEBUG: dropping privileges: euid changed to 504, egid changed to 20. DEBUG: Starting logging for nsd @4.2.1_2 DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386 DEBUG: MacPorts 2.7.1 DEBUG: Xcode 9.4.1 DEBUG: SDK 10.13 DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13 DEBUG: Executing org.macports.main (nsd) DEBUG: dropping privileges: euid changed to 504, egid changed to 20. DEBUG: fetch phase started at Sat Nov 6 19:00:42 PDT 2021 ---> Fetching distfiles for nsd DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0. DEBUG: dropping privileges: euid changed to 504, egid changed to 20. DEBUG: Executing org.macports.fetch (nsd) ---> nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd ---> Attempting to fetch nsd-4.2.1.tar.gz from http://distfiles.macports.org/nsd % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1118k 100 1118k 0 0 3557k 0 --:--:-- --:--:-- --:--:-- 3563k $ ls -l /opt/local/var/macports/distfiles/nsd total 2240 -rw-r--r-- 1 macports wheel 1145713 Nov 6 19:00 nsd-4.2.1.tar.gz I have MacPorts installed from a package, I did not build it, so it is pretty much standard. Neither I did anything to the system certificate chain. > On Nov 6, 2021, at 5:43 AM, Ryan Schmidt <ryandes...@macports.org> wrote: > > > > On Nov 6, 2021, at 05:39, Gerben Wierda wrote: > >> I was looking at updating nsd (for which I am maintaining and it is high >> time) >> >> But fetching failed on macOS Mojave (where I have my MacPorts setup). >> >> :debug:fetch Executing org.macports.fetch (nsd) >> :info:fetch ---> nsd-4.3.8.tar.gz does not exist in >> /opt/local/var/macports/distfiles/nsd >> :notice:fetch ---> Attempting to fetch nsd-4.3.8.tar.gz from >> https://www.nlnetlabs.nl/downloads/nsd/ >> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate >> has expired >> >> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is >> the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port >> fetch on Catalina, and there it works and the distribution is downloaded. >> >> It is strange, though, because Safari on both Catalina (other machine) and >> Mojave say the cert is fine. Still, it is most likely that this is a problem >> that comes from still using Mojave. >> >> Updating that machine will not happen until late December, so if I am to >> maintain anything MacPorts, I need a fix to get this working again. >> >> I have tried using curl on the Mojave machine, and that one works. >> >> So, Safari works, curl works, but port does not work. >> >> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that >> doesn’t work either. > > This is the "Let's Encrypt's old root certificate expired" problem described > here: > > https://trac.macports.org/wiki/ProblemHotlist#letsencrypt > > When you said "curl works but port does not work" that's not quite right. > /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and > /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not > work for Let's Encrypt-protected sites anymore. > > I, on High Sierra, have the same issue, and I have no solution for you. This > issue affects High Sierra and Mojave. I recommend upgrading to Catalina or > later; I plan to eventually. > > Well, you could rebuild MacPorts from source, instructing it to use a newer > copy of libcurl with a newer copy of openssl or libressl that has a newer > certificate bundle. For example, install a bootstrap copy of MacPorts in a > separate prefix, install curl in that prefix, then rebuild your primary > MacPorts from source, telling it to use the libcurl in the separate prefix. > Any future upgrades to MacPorts base probably also have to be done from > source; using "sudo port selfupdate" will not preserve your configure > arguments and you'll be back to using the System's broken libcurl again.
