ssl errors with pkg.freebsd.org and recent stable/13 and poudriere-devel (amd64)
Date: Mon, 13 Dec 2021 14:31:40 UTC
Hi,
(not quite sure where this should go, hence Cc: to pkg@)
Context:
stable/13-n248258-2b890871f7d, built Nov 29th
ca_root_nss-3.71
% uname -mKU
amd64 1300522 1300522
poudriere-devel-3.3.99.20211130 using the following in poudriere.conf:
[...]
# Set to always attempt to fetch packages or dependencies before building.
# XXX: This is subject to change
# Default: off; requires -b <branch> for bulk or testport.
PACKAGE_FETCH_BRANCH=latest
# The branch will be appended to the URL:
PACKAGE_FETCH_URL=pkg+https://pkg.FreeBSD.org/\${ABI}
# Packages which should never be fetched. This is useful for ports that
# you have local patches for as otherwise the patches would be ignored if
# a remote package is used instead.
#PACKAGE_FETCH_BLACKLIST=""
# Alternatively a whitelist can be created to only allow specific packages to
# be fetched.
# Default: everything
PACKAGE_FETCH_WHITELIST="gcc* rust* llvm* ghc* hs* qt5-webe* texlive*"
[ends]
I see the following output from poudriere when it tries to connect to
https://pkg.freebsd.org :
[...]
[00:02:01] Calculating ports order and dependencies
[00:02:14] Trimming IGNORED and blacklisted ports
[00:02:14] Ignoring security/gputty | gputty-0.9.10: is marked as broken: Unfetchable
[00:02:15] Package fetch: Looking for missing packages to fetch from pkg+https://pkg.FreeBSD.org/${ABI}/latest
Updating FreeBSD repository catalogue...
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=pkg.freebsd.org
34372419584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
[...]
Eventually this happens:
[...]
Unable to update repository FreeBSD
Error updating repositories!
[00:02:37] Cleaning up
[00:02:41] Unmounting file systems
[...]
By default, in poudriere.conf, this line:
PACKAGE_FETCH_URL=pkg+https://pkg.FreeBSD.org/\${ABI}
is htt*p* not https.
I can work around the problem by changing it back to http. But the exact same
config (apart from the http being https) on a -current system
(main-n251261-25d0ccbe101 built Dec 2nd), works. Why doesn't it work on recent
stable/13?
fetch works for https:
% fetch https://pkg.freebsd.org/FreeBSD:13:amd64/latest/packagesite.pkg
packagesite.pkg 6554 kB 2906 kBps 02s
% fetch https://pkg.freebsd.org/FreeBSD:13:amd64/latest/packagesite.txz
packagesite.txz 6554 kB 3906 kBps 01s
I rebuilt ca_root_nss and poudriere-devel from a ports tree updated
today Mon Dec 13 12:20:14 n568073
poudriere-devel options:
Options :
BASH : on
CERTS : on
DIALOG4PORTS : on
EXAMPLES : on
QEMU : on
ZSH : on
Annotations :
FreeBSD_version: 1300522
Thanks,
--
J.