From: Jon Radel
To: questions@freebsd.org
Subject: Re: Something wrong at git?
Date: Mon, 26 May 2025 13:06:16 -0400
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 5/26/25 12:53 PM, Bob Melson wrote:
> For the past several days all calls to git to update /usr/src or /usr/ports have failed with the following error message:
>
> fatal: unable to access 'https://git.FreeBSD.org/src.git/': server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)
>
> or
>
> fatal: unable to access 'https://git.FreeBSD.org/ports.git/': server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)
>
> On the surface, this appears to indicate a problem at git, but it could also be that I've screwed something up locally.


The Let's Encrypt cert offered up by git.freebsd.org went valid on 21 April, so probably has been in place since then. It's valid in any case.

Personally I'm looking at a different surface than you appear to be: "server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)" sorta sounds more like you don't trust any certs since you've deleted, moved, or broken linkage to your root CA trust store. Do other tools that speak HTTPS (curl, wget, what-have-you) on that machine trust certs from Let's Encrypt? That might well narrow down what's broken.

BTW, going to one of those URLs from a random functional browser would have narrowed things down very quickly.


-- 
--Jon Radel
jon@radel.com
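
The reply above suspects a root CA trust store that was deleted, moved, or left with broken links. As an added example (not part of the original message), this shell script classifies each place the machine might take its trust anchors from; the function names are hypothetical and the three fixed paths are assumed to be typical FreeBSD locations.

```shell
#!/bin/sh
# Added example: classify a CA bundle file or CA directory as
# missing | dangling-symlink | unreadable | empty | no-certs | ok:<count>
classify_trust_path() {
    p=$1
    marker='-----BEGIN CERTIFICATE-----'
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo "dangling-symlink"; return 0; fi
    if [ ! -e "$p" ]; then echo "missing"; return 0; fi
    if [ ! -r "$p" ]; then echo "unreadable"; return 0; fi
    n=0
    if [ -d "$p" ]; then
        # Hashed CA directories hold symlinks; count only entries that
        # resolve to a file actually containing a PEM certificate.
        for f in "$p"/*; do
            if [ -f "$f" ] && grep -q -e "$marker" "$f" 2>/dev/null; then
                n=$((n + 1))
            fi
        done
    else
        if [ ! -s "$p" ]; then echo "empty"; return 0; fi
        n=$(grep -c -e "$marker" "$p" || true)
    fi
    if [ "$n" -eq 0 ]; then echo "no-certs"; else echo "ok:$n"; fi
}

# Report every path this machine might take its trust anchors from:
# environment overrides, git's own setting, then fixed locations.
# The three fixed paths are assumptions (typical FreeBSD locations).
report_trust_paths() {
    git_ca=""
    if command -v git >/dev/null 2>&1; then
        git_ca=$(git config --get http.sslCAInfo 2>/dev/null || true)
    fi
    for p in "${SSL_CERT_FILE:-}" "${SSL_CERT_DIR:-}" "${GIT_SSL_CAINFO:-}" \
             "$git_ca" /etc/ssl/cert.pem /etc/ssl/certs \
             /usr/local/share/certs/ca-root-nss.crt; do
        [ -n "$p" ] || continue
        printf '%-45s %s\n' "$p" "$(classify_trust_path "$p")"
    done
}

report_trust_paths
```

If no path reports `ok:<count>`, that is consistent with the local trust-store explanation proposed in the reply rather than a problem with the server's certificate.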