net/openntpd with constraint stops working after recent security/ca_root_nss upgrade

From: Michael Grimm <trashcan_at_ellael.org>
Date: Sat, 07 Oct 2023 14:59:31 UTC
Hi

I am running net/openntpd with a constraint:

	…
	constraint from "9.9.9.9"

After the recent upgrade of security/ca_root_nss to 3.93_1 I noticed a lot of warning messages (see end of mail).

Now, net/openntpd 6.8p1_7,2 stopped working:

	Oct  7 09:39:53 <daemon.err> kaan-bock ntpd[932]: constraints configured but none available
	Oct  7 09:39:53 <daemon.crit> kaan-bock ntpd[934]: constraint: failed to load constraint ca

I had to remove that constraint from ntpd.conf in order to get ntpd working again.

Is this a bug or feature with recent security/ca_root_nss?

Thanks and regards,
Michael




[13/58] Extracting ca_root_nss-3.93_1: 100%
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/untrusted/157753a5.0)
Skipping untrusted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/untrusted/861a399d.0)
Skipping untrusted certificate /usr/share/certs/trusted/Camerfirma_Chambers_of_Commerce_Root.pem (/etc/ssl/untrusted/f90208f7.0)
Skipping untrusted certificate /usr/share/certs/trusted/Camerfirma_Global_Chambersign_Root.pem (/etc/ssl/untrusted/cb59f961.0)
Skipping untrusted certificate /usr/share/certs/trusted/Certum_Root_CA.pem (/etc/ssl/untrusted/442adcac.0)
Skipping untrusted certificate /usr/share/certs/trusted/Chambers_of_Commerce_Root_-_2008.pem (/etc/ssl/untrusted/c47d9980.0)
Skipping untrusted certificate /usr/share/certs/trusted/D-TRUST_Root_CA_3_2013.pem (/etc/ssl/untrusted/0b7c536a.0)
Skipping untrusted certificate /usr/share/certs/trusted/EC-ACC.pem (/etc/ssl/untrusted/349f2832.0)
Skipping untrusted certificate /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem (/etc/ssl/untrusted/128805a3.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/untrusted/2c543cd1.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G2.pem (/etc/ssl/untrusted/116bf586.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/e2799e36.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem (/etc/ssl/untrusted/480720ec.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem (/etc/ssl/untrusted/8867006a.0)
Skipping untrusted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA.pem (/etc/ssl/untrusted/ad088e1d.0)
Skipping untrusted certificate /usr/share/certs/trusted/Global_Chambersign_Root_-_2008.pem (/etc/ssl/untrusted/0c4c9b6c.0)
Skipping untrusted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/untrusted/def36a68.0)
Skipping untrusted certificate /usr/share/certs/trusted/OISTE_WISeKey_Global_Root_GA_CA.pem (/etc/ssl/untrusted/b1b8a7f3.0)
Skipping untrusted certificate /usr/share/certs/trusted/QuoVadis_Root_CA.pem (/etc/ssl/untrusted/080911ac.0)
Skipping untrusted certificate /usr/share/certs/trusted/Sonera_Class_2_Root_CA.pem (/etc/ssl/untrusted/9c2e7d30.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/untrusted/5c44d531.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G3.pem (/etc/ssl/untrusted/5a4d6896.0)
Skipping untrusted certificate /usr/share/certs/trusted/SwissSign_Platinum_CA_-_G2.pem (/etc/ssl/untrusted/a8dee976.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/62744ee1.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem (/etc/ssl/untrusted/26312675.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/4d4ba017.0)
Skipping untrusted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem (/etc/ssl/untrusted/1320b215.0)
Skipping untrusted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem (/etc/ssl/untrusted/6410666e.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem (/etc/ssl/untrusted/c089bbbd.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem (/etc/ssl/untrusted/ba89ed3b.0)
Skipping untrusted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA.pem (/etc/ssl/untrusted/2e4eed3c.0)
Skipping untrusted certificate /usr/share/certs/trusted/Trustis_FPS_Root_CA.pem (/etc/ssl/untrusted/d853d49e.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/ee1365c0.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/dc45b0bd.0)
Skipping untrusted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/untrusted/c0ff1f52.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/untrusted/7d0b38bd.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (/etc/ssl/untrusted/b204d74a.0)
Skipping untrusted certificate /usr/share/certs/trusted/VeriSign_Universal_Root_Certification_Authority.pem (/etc/ssl/untrusted/c01cdfa2.0)
Scanning /usr/local/share/certs for certificates...