On 2025-11-07, Chris Bennett <[email protected]> wrote:
> I see this in the mail for package errors:
> https://ftp.openbsd.org/pub/OpenBSD/7.8/packages/amd64/apache-httpd-2.4.65p0.tgz:
> TLS handshake failure: handshake failed: error:02FFF00D:system
> library:func(4095):Permission denied

unclear whether "Permission denied" (EACCES) might be network related (PF blocking) or file related (sadly since 6.0 the error code does not give a way to distinguish between the two). given the context I'd say PF is more likely though it's more subtle than usual because it did already connect, as it got as far as trying to handshake.

output from ktrace might give more clues, maybe this will include enough:

$ ktrace ftp https://ftp.openbsd.org/pub/OpenBSD/7.8/packages/amd64/apache-httpd-2.4.65p0.tgz
$ kdump | grep -50 errno.13

> In Apache logs for the one site I run there I get some similar error
> messages like:
> [Thu Nov 06 22:04:00.320170 2025] [ssl:info] [pid 46160] AH01926:
> stapling_get_certinfo: stapling not supported for certificate

letsencrypt stopped using OCSP. most people were not using stapling and in those cases, any clients checking OCSP were going to the CA's OCSP responder to check revocation (necessarily sending the domain name to the CA's responder, making them a target for anyone wanting to monitor who is accessing which website, which letsencrypt consider an unacceptable risk). so you need to remove your OCSP config.

> https://acme-staging-v02.api.letsencrypt.org/acme/authz/240814713/20083278633

staging only issues test certificates which are not trusted by browsers. and it's not going to help you with OCSP anyway.

can you get serial console setup on that machine? BMCs from that era are particularly sucky. (please tell me it's not exposed directly to the internet).

-- 
Please keep replies on the mailing list.
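
An added example, not part of the original message: one way to read the kdump output suggested above is to track which descriptor each failing call used, so an `errno 13` on write(2) can be attributed to a socket (the PF case) or to a file. The function names, the classification lists and the trace lines are assumptions made for illustration; the trace is constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example: classify "errno 13" returns in kdump output as network or file.
# Assumes the default kdump layout: pid, command, record type, detail.

classify_eacces() {
    awk '
    $3 == "CALL" {
        # Remember the pending syscall name and its first argument per pid.
        split($4, part, /[(,)]/)
        name[$1] = part[1]; first[$1] = part[2]
    }
    $3 == "RET" && NF == 5 && $5 ~ /^[0-9]+$/ {
        # Successful calls: record what kind of object each descriptor is.
        if ($4 == "socket" || $4 == "accept") kind[$1, $5] = "network"
        else if ($4 == "open" || $4 == "openat") kind[$1, $5] = "file"
        else if ($4 == "close" && $5 == "0") delete kind[$1, first[$1]]
    }
    $3 == "RET" && $5 == "-1" && $6 == "errno" && $7 == "13" {
        call = $4
        if (call ~ /^(connect|bind|sendto|sendmsg)$/) class = "network"
        else if (call ~ /^(open|openat|access|stat|lstat|unlink|mkdir|rename|chdir)$/) class = "file"
        else if (name[$1] == call && (($1, first[$1]) in kind)) class = kind[$1, first[$1]]
        else class = "unknown"
        print call, class
    }'
}

sample_kdump() {
    # Constructed trace lines for illustration only.
    cat <<'EOF'
 41873 ftp      CALL  open(0x2a1f3c4b000,0x10000<O_RDONLY|O_CLOEXEC>)
 41873 ftp      NAMI  "/etc/ssl/cert.pem"
 41873 ftp      RET   open 3
 41873 ftp      CALL  socket(AF_INET,0x1<SOCK_STREAM>,0)
 41873 ftp      RET   socket 4
 41873 ftp      CALL  connect(4,0x2a1f3c51200,16)
 41873 ftp      RET   connect 0
 41873 ftp      CALL  write(4,0x2a1f3c60000,0x125)
 41873 ftp      RET   write -1 errno 13 Permission denied
 41873 ftp      CALL  open(0x2a1f3c4b100,0x601<O_WRONLY|O_CREAT|O_TRUNC>,0666)
 41873 ftp      NAMI  "apache-httpd-2.4.65p0.tgz"
 41873 ftp      RET   open -1 errno 13 Permission denied
EOF
}

sample_kdump | classify_eacces
```

On a real trace the same function would be fed with `kdump | classify_eacces` after the ktrace run.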

