On Fri, Nov 07, 2025 at 10:40:13AM +0000, Stuart Henderson wrote:
> On 2025-11-07, Chris Bennett <[email protected]> wrote:
> > I see this in the mail for package errors:
> > https://ftp.openbsd.org/pub/OpenBSD/7.8/packages/amd64/apache-httpd-2.4.65p0.tgz:
> > TLS handshake failure: handshake failed: error:02FFF00D:system
> > library:func(4095):Permission denied
>
> unclear whether "Permission denied" (EACCES) might be network related
> (PF blocking) or file related (sadly since 6.0 the error code does not
> give a way to distinguish between the two). given the context I'd say
> PF is more likely though it's more subtle than usual because it did
> already connect, as it got as far as trying to handshake.
>
> output from ktrace might give more clues, maybe this will include
> enough:
>
> $ ktrace ftp https://ftp.openbsd.org/pub/OpenBSD/7.8/packages/amd64/apache-httpd-2.4.65p0.tgz
> $ kdump | grep -50 errno.13
>
> > In Apache logs for the one site I run there I get some similar error
> > messages like:
> > [Thu Nov 06 22:04:00.320170 2025] [ssl:info] [pid 46160] AH01926:
> > stapling_get_certinfo: stapling not supported for certificate
>
> letsencrypt stopped using OCSP. most people were not using stapling and
> in those cases, any clients checking OCSP were going to the CA's OCSP
> responder to check revocation (necessarily sending the domain name to
> the CA's responder, making them a target for anyone wanting to monitor
> who is accessing which website, which letsencrypt consider an
> unacceptable risk).
>
> so you need to remove your OCSP config.
>
> > https://acme-staging-v02.api.letsencrypt.org/acme/authz/240814713/20083278633
>
> staging only issues test certificates which are not trusted by browsers.
> and it's not going to help you with OCSP anyway.
>
> can you get a serial console set up on that machine? BMCs from that era
> are particularly sucky. (please tell me it's not exposed directly to
> the internet).
>
I did not get anything useful from ktrace.

I think that PF is the most likely problem also. I had to block as much
as I could when I finally managed to get access. I made a mistake in my
smtpd.conf a while back. I put a regex in the wrong order. Bad things
happened.

Yes, it's on the internet directly. I've had this one for years because
it's dirt cheap and has a lot of IP addresses. I have some rather bad
health problems and I didn't catch my mistake for a long time because it
took many months to show up. I fixed the problem in smtpd.conf months
ago, but since I have no direct access, I was sloppy with blocking in
PF. I had only a few minutes to do it.

This stupid govt shutdown has hit me hard. I only had a few hours to
move everything over from the other server which I can't afford anymore.

--
Regards,
Chris Bennett
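The ktrace/kdump step suggested in the quoted reply, carried one step further as an added example (this is not code from the thread or from OpenBSD). Since the error string alone cannot tell a PF block from a file permission problem, the script reads kdump(1) output and classifies each errno 13 return by the syscall that produced it: a socket syscall, or a read/write on a descriptor that socket(2) returned, is reported as network (PF being the usual cause, as the reply says); a syscall with a NAMI pathname record is reported as file. The CALL/NAMI/RET record layout, the socket-tracking heuristic and the sample trace are mine; the trace is constructed for the example, not captured from the affected host.

```shell
#!/bin/sh
# Added example (not from the thread): classify EACCES (errno 13) hits in
# kdump(1) output so a "Permission denied" TLS failure can be traced to the
# syscall that returned it. A socket syscall failing with EACCES points at
# PF; a file syscall with a NAMI record points at filesystem permissions.
#
# Real usage on the affected host (ktrace -f / kdump -f are standard flags):
#   ktrace -f /tmp/ftp.kt ftp https://ftp.openbsd.org/pub/OpenBSD/7.8/packages/amd64/apache-httpd-2.4.65p0.tgz
#   kdump -f /tmp/ftp.kt | classify_eacces

classify_eacces() {
    awk '
    # Remember the first argument (usually an fd) of each CALL and clear
    # any pathname left over from the previous syscall.
    $3 == "CALL" {
        fd = $4; sub(/^[^(]*\(/, "", fd); sub(/[,)].*/, "", fd)
        nami = ""
    }
    # NAMI records carry the pathname looked up by the preceding CALL.
    $3 == "NAMI" { nami = $4; gsub(/"/, "", nami) }
    # Track which descriptors are sockets so read/write on them count as network.
    $3 == "RET" && $4 == "socket" && $5 + 0 >= 0 { sockfd[$5] = 1 }
    $3 == "RET" && $4 == "close" { delete sockfd[fd] }
    # Any RET with errno 13 is an EACCES; decide what kind it is.
    $3 == "RET" && $6 == "errno" && $7 == "13" {
        if ($4 == "connect" || $4 == "sendto" || $4 == "sendmsg" || $4 == "bind" || (fd in sockfd))
            kind = "network (PF block is the usual cause)"
        else if (nami != "")
            kind = "file"
        else
            kind = "unknown"
        printf "%s: %s%s\n", kind, $4, (nami == "" ? "" : " " nami)
    }' "$@"
}

# Constructed sample of kdump output (not a real trace): the CA bundle cannot
# be read, then the first TLS write on the connected socket is refused.
sample_kdump() {
    cat <<'EOF'
 42906 ftp      CALL  socket(2,1,0)
 42906 ftp      RET   socket 3
 42906 ftp      CALL  connect(3,0x7f7ffffe5b20,16)
 42906 ftp      STRU  struct sockaddr { AF_INET, 192.0.2.10:443 }
 42906 ftp      RET   connect 0
 42906 ftp      CALL  open(0x9f45a3b1c0,0x10000<O_RDONLY|O_CLOEXEC>)
 42906 ftp      NAMI  "/etc/ssl/cert.pem"
 42906 ftp      RET   open -1 errno 13 Permission denied
 42906 ftp      CALL  write(3,0x9f45a5e000,517)
 42906 ftp      RET   write -1 errno 13 Permission denied
EOF
}

sample_kdump | classify_eacces
```

Run against a real trace, a "network" line on the first write after a successful connect matches the symptom in the thread (the TCP handshake completed, the TLS handshake did not), which is what a PF rule blocking outbound traffic looks like from inside the process; a "file" line instead names the path whose permissions need fixing.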

