From: Axel Rau
To: FreeBSD-security@FreeBSD.org
Subject: pkg 1.18.4 refuses local CAcert on 13.1-RELEASE-p2
Date: Sun, 4 Sep 2022 18:42:24 +0200
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

While accessing my local poudriere repo I’m getting
- - -
Bootstrapping pkg from https://some_fqdn/131amd64-default, please wait...
Certificate verification failed for some_internal_CA
34391269376:error:1416F086:SSL \
    routines:tls_process_server_certificate:certificate \
    verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
- - -
but openssl verify shows successful verification:
- - -
# openssl s_client -connect some_fqdn:443 -6 -verify_return_error | grep =
verify depth=1 some_internal_CA
verify return:1
depth=0 CN = some_fqdn
verify return:1
- - -
some_fqdn is defined in /etc/hosts only.
related repo.conf has:
- - -
some-repo: {
  url: "https://some_fqdn/131amd64-default" ,
  mirror_type: "HTTP",
  enabled: yes,
  IP_VERSION = 6,
  signature_type: "pubkey",
  pubkey: /usr/local/etc/ssl/certs/repo.cert
  priority: 5
}
- - -
Any help appreciated,
Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius