Actually it was more about curl, using that as a reference point to see if it was behaving differently with certificates based on user.
André-John

Sent from my phone.

> On 07 Nov 2021, at 01:03, Kastus Shchuka <macpo...@tprfct.net> wrote:
>
>> On Nov 6, 2021, at 7:53 PM, André-John Mas <andrejohn....@gmail.com> wrote:
>>
>> Does it make a difference if you test via sudo or your own user login?
>
> Well, it won't work as regular user. Regular user does not have write
> permissions to /opt/local tree.
>
> On the other hand, it's plain dumb why it works for me. As you can see below,
> org.macports.fetch does not use HTTPS, it downloads over HTTP. Certificates
> are just irrelevant for that.
>
> I am not sure what part of macports.conf controls protocol for fetch, I have
> not modified that file since 2017. (I guess I should have done it). I looked
> at the diff between my macports.conf and macports.conf.default from May 2021,
> and I don't see anything with regards to http/https. I must be missing
> something there.
>
> Thanks,
>
> Kastus
>
>> André-John
>>
>> Sent from my phone.
>>
>>>> On 06 Nov 2021, at 22:08, Kastus Shchuka <macpo...@tprfct.net> wrote:
>>>
>>> Something does not add up here.
>>>
>>> High Sierra is older than Mojave, right? I can fetch sources of nsd on High
>>> Sierra without any problems:
>>>
>>> $ sudo port -d fetch nsd
>>> DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to /opt/local/var/macports/home/Library/Preferences
>>> DEBUG: Changing to port directory: /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd
>>> DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386
>>> DEBUG: adding the default universal variant
>>> DEBUG: Reading variant descriptions from /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf
>>> DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
>>> DEBUG: Finished running callback portconfigure::add_automatic_compiler_dependencies
>>> DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
>>> DEBUG: Finished running callback portbuild::add_automatic_buildsystem_dependencies
>>> DEBUG: Running callback portstartupitem::add_notes
>>> DEBUG: Finished running callback portstartupitem::add_notes
>>> DEBUG: Attempting ln -sf /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work
>>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
>>> DEBUG: Starting logging for nsd @4.2.1_2
>>> DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386
>>> DEBUG: MacPorts 2.7.1
>>> DEBUG: Xcode 9.4.1
>>> DEBUG: SDK 10.13
>>> DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13
>>> DEBUG: Executing org.macports.main (nsd)
>>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
>>> DEBUG: fetch phase started at Sat Nov 6 19:00:42 PDT 2021
>>> ---> Fetching distfiles for nsd
>>> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
>>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.
>>> DEBUG: Executing org.macports.fetch (nsd)
>>> ---> nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
>>> ---> Attempting to fetch nsd-4.2.1.tar.gz from http://distfiles.macports.org/nsd
>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>> 100 1118k  100 1118k    0     0  3557k      0 --:--:-- --:--:-- --:--:-- 3563k
>>> $ ls -l /opt/local/var/macports/distfiles/nsd
>>> total 2240
>>> -rw-r--r-- 1 macports wheel 1145713 Nov 6 19:00 nsd-4.2.1.tar.gz
>>>
>>> I have MacPorts installed from a package, I did not build it, so it is
>>> pretty much standard. Neither did I do anything to the system certificate
>>> chain.
>>>
>>>> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt <ryandes...@macports.org> wrote:
>>>>
>>>>> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:
>>>>>
>>>>> I was looking at updating nsd (for which I am maintaining and it is high
>>>>> time)
>>>>>
>>>>> But fetching failed on macOS Mojave (where I have my MacPorts setup).
>>>>>
>>>>> :debug:fetch Executing org.macports.fetch (nsd)
>>>>> :info:fetch ---> nsd-4.3.8.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
>>>>> :notice:fetch ---> Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/
>>>>> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired
>>>>>
>>>>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that
>>>>> is the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a
>>>>> port fetch on Catalina, and there it works and the distribution is
>>>>> downloaded.
>>>>>
>>>>> It is strange, though, because Safari on both Catalina (other machine)
>>>>> and Mojave say the cert is fine. Still, it is most likely that this is a
>>>>> problem that comes from still using Mojave.
>>>>>
>>>>> Updating that machine will not happen until late December, so if I am to
>>>>> maintain anything MacPorts, I need a fix to get this working again.
>>>>>
>>>>> I have tried using curl on the Mojave machine, and that one works.
>>>>>
>>>>> So, Safari works, curl works, but port does not work.
>>>>>
>>>>> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that
>>>>> doesn’t work either.
>>>>
>>>> This is the "Let's Encrypt's old root certificate expired" problem
>>>> described here:
>>>>
>>>> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt
>>>>
>>>> When you said "curl works but port does not work" that's not quite right.
>>>> /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl
>>>> and /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default)
>>>> do not work for Let's Encrypt-protected sites anymore.
>>>>
>>>> I, on High Sierra, have the same issue, and I have no solution for you.
>>>> This issue affects High Sierra and Mojave. I recommend upgrading to
>>>> Catalina or later; I plan to eventually.
>>>>
>>>> Well, you could rebuild MacPorts from source, instructing it to use a
>>>> newer copy of libcurl with a newer copy of openssl or libressl that has a
>>>> newer certificate bundle. For example, install a bootstrap copy of
>>>> MacPorts in a separate prefix, install curl in that prefix, then rebuild
>>>> your primary MacPorts from source, telling it to use the libcurl in the
>>>> separate prefix. Any future upgrades to MacPorts base probably also have
>>>> to be done from source; using "sudo port selfupdate" will not preserve
>>>> your configure arguments and you'll be back to using the System's broken
>>>> libcurl again.
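
An added example, not part of the original thread and not MacPorts code: a small Python triage of port fetch debug output that separates fetches which failed certificate validation from fetches that went over plain HTTP and so never validated a certificate, which is the difference between the two logs quoted above. The function names are hypothetical, and the sample log is constructed from the excerpts in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two fetch excerpts quoted in the thread, with the
# mail archive's line wrapping undone.
SAMPLE_LOG = """\
:debug:fetch Executing org.macports.fetch (nsd)
:notice:fetch ---> Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/
:debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired
DEBUG: Executing org.macports.fetch (nsd)
---> Attempting to fetch nsd-4.2.1.tar.gz from http://distfiles.macports.org/nsd
"""

ATTEMPT = re.compile(r"Attempting to fetch (\S+) from (\S+)")
FAILED = re.compile(r"Fetching distfile failed: (.+)")


def triage_fetches(log_text):
    """Pair each fetch attempt with the failure line (if any) that follows it."""
    attempts = []
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            distfile, url = m.groups()
            scheme = urlsplit(url).scheme.lower()
            attempts.append({"distfile": distfile, "url": url,
                             "scheme": scheme, "error": None})
            continue
        m = FAILED.search(line)
        # A failure belongs to the most recent attempt that has none yet.
        if m and attempts and attempts[-1]["error"] is None:
            attempts[-1]["error"] = m.group(1).strip()
    return attempts


def classify(attempt):
    """Label an attempt; assumes a missing failure line means the fetch went through."""
    error = attempt["error"]
    if error and "certificate" in error.lower():
        return "tls-certificate-failure"
    if error:
        return "other-failure"
    if attempt["scheme"] != "https":
        return "fetched-without-tls"  # no certificate was ever validated
    return "fetched-over-tls"


if __name__ == "__main__":
    for a in triage_fetches(SAMPLE_LOG):
        print(f'{classify(a):24} {a["distfile"]:18} {a["url"]}')
```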