Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.

From: Koichiro Iwao <meta_at_freebsd.org>
Date: Sat, 07 Oct 2023 19:56:43 UTC
On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote:
> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Smørgrav wrote:
> > Koichiro Iwao <meta@freebsd.org> writes:
> > > % LANG=C wget -O - https://www.freebsd.org
> > > --2023-10-07 19:50:58--  https://www.freebsd.org/
> > > Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
> > > Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> > > ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
> > >   Unable to locally verify the issuer's authority.
> > > To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
> > 
> > I'm unable to reproduce this on 13.2.  Running wget under ktrace shows
> > that although it first looks for the nonexistent bundle, it correctly
> > falls back to the system trust store.

Regarding wget, it was an issue with security/openssl.

I'm using openssl from ports:
> DEFAULT_VERSIONS+=      ssl=openssl

As far as I tried debugging with ktrace, security/openssl doesn't
fallback to /etc/ssl/certs directory.

% LANG=C ktrace wget -O /dev/null https://www.freebsd.org/
--2023-10-08 04:32:45--  https://www.freebsd.org/
Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 210.231.212.93, ...
Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to www.freebsd.org insecurely, use `--no-check-certificate'.

% kdump -tn |grep -e "/etc" -e "certs"
 28088 wget     NAMI  "/etc/libmap.conf"
 28088 wget     NAMI  "/usr/local/etc/libmap.d"
 28088 wget     NAMI  "/usr/local/etc/libmap.d/mesa.conf"
 28088 wget     NAMI  "/etc/malloc.conf"
 28088 wget     NAMI  "/usr/local/etc/wgetrc"
 28088 wget     NAMI  "/usr/local/etc/wgetrc"
 28088 wget     NAMI  "/etc/localtime"
 28088 wget     NAMI  "/etc/nsswitch.conf"
 28088 wget     NAMI  "/etc/nsswitch.conf"
 28088 wget     NAMI  "/etc/hosts"
 28088 wget     NAMI  "/etc/resolv.conf"
 28088 wget     NAMI  "/usr/local/openssl/certs/8d33f237.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/4042bcee.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
 28088 wget     NAMI  "/usr/local/openssl/certs/bfabe37b.0"

% ls -l /usr/local/openssl/certs
(empty)

# rmdir /usr/local/openssl/certs
# ln -s /etc/ssl/certs /usr/local/openssl

So I replaced /usr/local/openssl/certs directory with a symlink to
/etc/ssl/certs directory. The workaround worked perfectly.

The security/openssl port might need some adjustment. After ca_root_nss
quit providing /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should
be added to the search path. Otherwise, openssl port cannot find root
certificates installed by ca_root_nss.

-- 
meta <meta@FreeBSD.org>