Re: FreeBSD 13 source code using git clone fails

From: Dave Cottlehuber <dch_at_skunkwerks.at>
Date: Mon, 20 Sep 2021 15:20:38 UTC

On Mon, 20 Sep 2021, at 14:47, Stefan Parvu wrote:
> Hi,
> 
> I'm trying to get the source code, for FreeBSD 13 release. I did:
> 
> # cd /usr
> # git clone -b releng/13.0 https://git.freebsd.org/src.git src
> Cloning into 'src'...
> fatal: unable to access 'https://git.freebsd.org/src.git/': SSL 
> certificate problem: certificate is not yet valid
> 
> or
> 
> # git clone -o freebsd https://git.FreeBSD.org/src.git src
> Cloning into 'src'...
> fatal: unable to access 'https://git.FreeBSD.org/src.git/': SSL 
> certificate problem: certificate is not yet valid
> 
> !? I have ca_root_nss installed version 3.63 … Anything I need to know, 
> or am I doing something wrong?
> 
> Thanks,
> Stefan

Likely your local clock is out of sync; try running ntpdate to check:

## query only
$ ntpdate -v -q pool.ntp.org
20 Sep 15:15:34 ntpdate[53]: ntpdate 4.2.8p15-a (1)
server 178.251.64.52, stratum 2, offset -0.001053, delay 0.03278
server 83.137.41.12, stratum 2, offset -0.000837, delay 0.04124
server 91.206.8.34, stratum 2, offset -0.001008, delay 0.03271
server 83.68.137.76, stratum 2, offset -0.001622, delay 0.03415

And update as needed.

I have this in /etc/rc.conf

ntpd_enable=YES
ntpd_sync_on_start=YES

which should bring it into line immediately on system boot,
or `service ntpd restart`.

You should be able to check cert status using curl:

$ curl --cert-status -kvsSLo /dev/null https://git.FreeBSD.org/src.git

*   Trying 139.178.72.204:443...
* Connected to git.FreeBSD.org (139.178.72.204) port 443 (#0) <----------
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4279 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [556 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=git.freebsd.org
*  start date: Sep 10 20:14:08 2021 GMT   <------------
*  expire date: Dec  9 20:14:07 2021 GMT  <------------
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* No OCSP response received
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (91) No OCSP response received

I'm clearly connecting to gitmir.pkt.freebsd.org, yours could be different. If so, paste the full curl response so we see the IP and the TLS cert details.

Best to use freebsd-questions list next time.

A+
Dave
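
Added example, not part of the original message: a Python sketch that reads the "start date" / "expire date" lines from curl -v output like the trace above and reports whether a given clock reading falls before, inside or after the certificate's validity window, and by how much. The function names (validity_window, diagnose) are hypothetical, and the sample clock readings other than the message's own Date header are constructed.

```python
import re
from datetime import datetime, timezone

# Certificate lines copied from the curl trace in the message above.
CURL_TRACE = """\
* Server certificate:
*  subject: CN=git.freebsd.org
*  start date: Sep 10 20:14:08 2021 GMT   <------------
*  expire date: Dec  9 20:14:07 2021 GMT  <------------
*  issuer: C=US; O=Let's Encrypt; CN=R3
"""

# curl prints the window as "Mon DD HH:MM:SS YYYY GMT"; the day may be space-padded.
_DATE_LINE = re.compile(
    r"^\*\s+(start|expire) date:\s+(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT", re.M)


def validity_window(trace):
    """Return (not_before, not_after) as aware UTC datetimes from curl -v text."""
    found = {}
    for kind, stamp in _DATE_LINE.findall(trace):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"start", "expire"}:
        raise ValueError("no 'start date' / 'expire date' lines in trace")
    return found["start"], found["expire"]


def diagnose(trace, clock):
    """Classify what a verifier using `clock` as 'now' would report, with the gap."""
    not_before, not_after = validity_window(trace)
    if clock < not_before:
        return "not yet valid", not_before - clock   # clock is at least this far behind
    if clock > not_after:
        return "expired", clock - not_after          # clock ahead, or cert really expired
    return "ok", min(clock - not_before, not_after - clock)


if __name__ == "__main__":
    samples = {
        "Date header of the message": datetime(2021, 9, 20, 15, 20, 38, tzinfo=timezone.utc),
        "constructed: clock reset to 1 Jan 2021": datetime(2021, 1, 1, tzinfo=timezone.utc),
        "constructed: clock a year ahead": datetime(2022, 9, 20, tzinfo=timezone.utc),
    }
    for label, now in samples.items():
        verdict, gap = diagnose(CURL_TRACE, now)
        print(f"{label}: {verdict} (margin/gap {gap})")
```

A "not yet valid" verdict against a certificate whose start date is already in the past, as here, points at the local clock rather than at the server.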