Date: Mon, 13 Dec 2021 14:31:40 +0000
From: tech-lists
To: freebsd-questions@freebsd.org
Cc: pkg@freebsd.org
Subject: ssl errors with pkg.freebsd.org and recent stable/13 and poudriere-devel (amd64)
List-Id: Binary package management and package tools discussion
List-Archive: https://lists.freebsd.org/archives/freebsd-pkg

Hi,

(not quite sure where this should go, hence Cc: to pkg@)

context:

stable/13-n248258-2b890871f7d, built Nov 29th
ca_root_nss-3.71

% uname -mKU
amd64 1300522 1300522

poudriere-devel-3.3.99.20211130 using the following in poudriere.conf:

[...]
# Set to always attempt to fetch packages or dependencies before building.
# XXX: This is subject to change
# Default: off; requires -b for bulk or testport.
PACKAGE_FETCH_BRANCH=latest
# The branch will be appended to the URL:
PACKAGE_FETCH_URL=pkg+https://pkg.FreeBSD.org/\${ABI}
# Packages which should never be fetched. This is useful for ports that
# you have local patches for as otherwise the patches would be ignored if
# a remote package is used instead.
#PACKAGE_FETCH_BLACKLIST=""
# Alternatively a whitelist can be created to only allow specific packages to
# be fetched.
# Default: everything
PACKAGE_FETCH_WHITELIST="gcc* rust* llvm* ghc* hs* qt5-webe* texlive*"
[ends]

I see the following output from poudriere when it tries to connect to
https://pkg.freebsd.org :

[...]
[00:02:01] Calculating ports order and dependencies
[00:02:14] Trimming IGNORED and blacklisted ports
[00:02:14] Ignoring security/gputty | gputty-0.9.10: is marked as broken: Unfetchable
[00:02:15] Package fetch: Looking for missing packages to fetch from pkg+https://pkg.FreeBSD.org/${ABI}/latest
Updating FreeBSD repository catalogue...
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
[...]

eventually this happens:

[...]
Unable to update repository FreeBSD
Error updating repositories!
[00:02:37] Cleaning up
[00:02:41] Unmounting file systems
[...]

By default, in poudriere.conf, this line:

PACKAGE_FETCH_URL=pkg+https://pkg.FreeBSD.org/\${ABI}

is htt*p* not https.

I can work around the problem by changing it back to http. But the exact same
config (apart from the http being https) on a -current system
(main-n251261-25d0ccbe101 built Dec 2nd), works. Why doesn't it work on recent
stable/13?

fetch works for https:

% fetch https://pkg.freebsd.org/FreeBSD:13:amd64/latest/packagesite.pkg
packagesite.pkg                                6554 kB 2906 kBps    02s
% fetch https://pkg.freebsd.org/FreeBSD:13:amd64/latest/packagesite.txz
packagesite.txz                                6554 kB 3906 kBps    01s

I rebuilt ca_root_nss and poudriere-devel from a ports tree updated
today Mon Dec 13 12:20:14 n568073

poudriere-devel options:

Options        :
        BASH           : on
        CERTS          : on
        DIALOG4PORTS   : on
        EXAMPLES       : on
        QEMU           : on
        ZSH            : on
Annotations    :
        FreeBSD_version: 1300522

thanks,
--
J.
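
Added example, not part of the original message and not poudriere or pkg code: a small log triage script that pulls the fetch URL, the rejected certificate subject and the OpenSSL error-queue lines out of output like the above, and splits the packed code 1416F086 into library, function and reason numbers. The function names are hypothetical, and the bit layout assumes the OpenSSL 1.1.1 ERR_PACK format.

```python
import re
from collections import Counter

# Log lines copied from the message above (wrapped lines rejoined).
SAMPLE_LOG = """\
[00:02:15] Package fetch: Looking for missing packages to fetch from pkg+https://pkg.FreeBSD.org/${ABI}/latest
Updating FreeBSD repository catalogue...
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Unable to update repository FreeBSD
"""

# <thread id>:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"^([0-9A-Fa-f]+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):", re.M)
SUBJECT_RE = re.compile(r"^Certificate verification failed for (\S+)", re.M)
FETCH_RE = re.compile(r"Package fetch: .* from (\S+)")


def unpack_code(code_hex):
    """Split a packed error code using the OpenSSL 1.1.1 ERR_PACK layout (assumed)."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def triage(log_text):
    """Summarise TLS failures in a poudriere/pkg log: what failed, where, how often."""
    errors = Counter()
    for _tid, code, _lib, func, reason, src, line in ERR_RE.findall(log_text):
        errors[(code, func, reason, f"{src}:{line}")] += 1
    fetch = FETCH_RE.search(log_text)
    url = fetch.group(1) if fetch else None
    return {
        "fetch_url": url,
        # pkg+https:// is fetched over TLS; pkg+http:// (the workaround) is not.
        "tls": bool(url) and url.split("://", 1)[0].split("+")[-1] == "https",
        "subjects": sorted(set(SUBJECT_RE.findall(log_text))),
        "errors": [
            {"count": n, "text": reason, "function": func, "where": where, **unpack_code(code)}
            for (code, func, reason, where), n in errors.items()
        ],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Repeated identical error lines collapse into one entry with a count, which makes it easy to see that every retry failed at the same verification step rather than at different points in the handshake.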