Error validating server certificate

Kurt Jaeger pi at
Sun Sep 16 16:54:33 UTC 2018


> > You will not see this if you install the security/ca_root_nss port.

> Why is security/ca_root_nss not present in base?

There are several reasons:

- The project is hesistant to endorse certificate authorities (CAs), as some
  of them might be (or become) of questionable trust-worthyness
  during the lifetime of a release and adding/changing all or some to base
  would add workload to decide which ones to include or to exclude.

- The amount of work to cut a new release or a patch for a release
  is large. If you look at the update frequency for the port:
  it would burden the project with base updates just for the CAs.

- Some suggested that the FreeBSD project should operate its own CA and
  issue certs for project sites and include the CA into base.
  Running and securing a CA is not a simple endeavour so we hesitated
  to do so.

> I mean, on a brand new install, one goes to update the sources, and just 
> the sources. And this error is issued?
> I think it looks bad. Do you agree?

Yes, we all agree that it looks bad, but we have not yet found a simple,
workable solution. Yes, it was discussed many times in the past.

pi at         +49 171 3101372              2 years to go !

More information about the freebsd-stable mailing list