Re: git: 483e74f44b82 - main - security/ca_root_nss: Use certctl instead of a symlink.

From: Tijl Coosemans <tijl_at_FreeBSD.org>
Date: Sun, 08 Oct 2023 19:04:38 UTC
On Sun, 8 Oct 2023 04:56:43 +0900 Koichiro Iwao <meta@freebsd.org> wrote:
> On Sat, Oct 07, 2023 at 09:03:19PM +0900, Koichiro Iwao wrote:
>> On Sat, Oct 07, 2023 at 01:58:26PM +0200, Dag-Erling Smørgrav wrote:  
>>> Koichiro Iwao <meta@freebsd.org> writes:  
>>>> % LANG=C wget -O - https://www.freebsd.org
>>>> --2023-10-07 19:50:58--  https://www.freebsd.org/
>>>> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 192.50.199.250, ...
>>>> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
>>>> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
>>>>   Unable to locally verify the issuer's authority.
>>>> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.  
>>> 
>>> I'm unable to reproduce this on 13.2.  Running wget under ktrace shows
>>> that although it first looks for the nonexistent bundle, it correctly
>>> falls back to the system trust store.  
> 
> Regarding wget, it was an issue with security/openssl.
> 
> I'm using openssl from ports:
> > DEFAULT_VERSIONS+=      ssl=openssl  
> 
> As far as I tried debugging with ktrace, security/openssl doesn't
> fall back to the /etc/ssl/certs directory.
> 
> % LANG=C ktrace wget -O /dev/null https://www.freebsd.org/
> --2023-10-08 04:32:45--  https://www.freebsd.org/
> Resolving www.freebsd.org (www.freebsd.org)... 2402:3d00:fb5d::50:2, 2405:f000:202:2541::50:3, 210.231.212.93, ...
> Connecting to www.freebsd.org (www.freebsd.org)|2402:3d00:fb5d::50:2|:443... connected.
> ERROR: cannot verify www.freebsd.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
>   Unable to locally verify the issuer's authority.
> To connect to www.freebsd.org insecurely, use `--no-check-certificate'.
> 
> % kdump -tn |grep -e "/etc" -e "certs"
>  28088 wget     NAMI  "/etc/libmap.conf"
>  28088 wget     NAMI  "/usr/local/etc/libmap.d"
>  28088 wget     NAMI  "/usr/local/etc/libmap.d/mesa.conf"
>  28088 wget     NAMI  "/etc/malloc.conf"
>  28088 wget     NAMI  "/usr/local/etc/wgetrc"
>  28088 wget     NAMI  "/usr/local/etc/wgetrc"
>  28088 wget     NAMI  "/etc/localtime"
>  28088 wget     NAMI  "/etc/nsswitch.conf"
>  28088 wget     NAMI  "/etc/nsswitch.conf"
>  28088 wget     NAMI  "/etc/hosts"
>  28088 wget     NAMI  "/etc/resolv.conf"
>  28088 wget     NAMI  "/usr/local/openssl/certs/8d33f237.0"
>  28088 wget     NAMI  "/usr/local/openssl/certs/4042bcee.0"
>  28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
>  28088 wget     NAMI  "/usr/local/openssl/certs/2e5ac55d.0"
>  28088 wget     NAMI  "/usr/local/openssl/certs/bfabe37b.0"
> 
> % ls -l /usr/local/openssl/certs
> (empty)
> 
> # rmdir /usr/local/openssl/certs
> # ln -s /etc/ssl/certs /usr/local/openssl
> 
> So I replaced /usr/local/openssl/certs directory with a symlink to
> /etc/ssl/certs directory. The workaround worked perfectly.
> 
> The security/openssl port might need some adjustment. After ca_root_nss
> quit providing the /usr/local/openssl/cert.pem symlink, /etc/ssl/certs should
> be added to the search path. Otherwise, the openssl port cannot find root
> certificates installed by ca_root_nss.

There's a patch for security/openssl in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269473