Re: pkg_https:// failures related to, for example, "SSL certificate problem: certificate is not yet valid"
Date: Thu, 04 Jul 2024 00:47:20 UTC
On 2024-07-04 01:27:03 (+0800), Mark Millard wrote:
> Bootstrapping pkg from
> pkg+https://pkg.FreeBSD.org/FreeBSD:14:aarch64/quarterly, please
> wait...
> Certificate verification failed for /CN=pkg.freebsd.org
> 0020616CE1680000:error:0A000086:SSL
> routines:tls_post_process_server_certificate:certificate verify
> failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:

As far as I can tell, at the time of this writing, all fifteen
pkg.freebsd.org sites have the same certificate, and OpenSSL is happy
with it.

> Note the "pkg+https://".
>
> I had separate problems yesterday that I side stepped by
> testing use of just "pkg+http://", which worked. See:

Use pkg+http. This is the default. Packages are signed. Transport
layer security does not provide any additional security.
(Anticipating the usual argument: it doesn't provide privacy either -
packages are trivially fingerprinted by file size.)

> pkg with -d for the https context had its debug output
> reporting:
>
> * SSL certificate problem: certificate is not yet valid

Does the system being bootstrapped have a real-time clock? Common
causes for this error are clocks set to 1970-01-01 or 2000-01-01.

> It happened to be using 204.15.11.66:443 for the https activity.

For what it's worth: 204.15.11.66 = pkg0.tuk.freebsd.org.

root@pkg0.tuk:~ # openssl x509 -noout -in /etc/clusteradm/acme-certs/pkg.freebsd.org.crt -dates
notBefore=Jun 1 20:26:18 2024 GMT
notAfter=Aug 30 20:26:17 2024 GMT

Philip
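The clock question raised in the message can be checked mechanically. The following is an added example, not part of the original message or of pkg: it parses the `openssl x509 -noout -dates` output quoted above and classifies a clock reading against the validity window. The function names and the 30-day slack around the 1970-01-01 and 2000-01-01 defaults are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Output of `openssl x509 -noout -dates` as quoted in the message above.
SAMPLE_DATES = """\
notBefore=Jun 1 20:26:18 2024 GMT
notAfter=Aug 30 20:26:17 2024 GMT
"""

# Clock values the message names as common causes (unset real-time clock).
RTC_DEFAULTS = (
    datetime(1970, 1, 1, tzinfo=timezone.utc),
    datetime(2000, 1, 1, tzinfo=timezone.utc),
)


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def diagnose(now, dates_text, rtc_slack=timedelta(days=30)):
    """Classify a clock reading against the certificate validity window."""
    not_before, not_after = parse_dates(dates_text)
    if not_before <= now <= not_after:
        return "ok"
    if now > not_after:
        return "expired-or-clock-ahead"
    # now < not_before: the "certificate is not yet valid" case.
    # rtc_slack is an assumed margin for a clock that started at a default.
    for default in RTC_DEFAULTS:
        if default <= now <= default + rtc_slack:
            return "not-yet-valid: clock near " + default.date().isoformat()
    return "not-yet-valid: clock behind by " + str(not_before - now)


if __name__ == "__main__":
    print(diagnose(datetime.now(timezone.utc), SAMPLE_DATES))
```
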