Subject: Re: pkg_https:// failures related to, for example, "SSL certificate problem: certificate is not yet valid"
From: Mark Millard
Date: Wed, 3 Jul 2024 18:51:53 -0700
To: Philip Paeps
Cc: FreeBSD-STABLE Mailing List, Karl Denninger
In-Reply-To: <0377045B-3DF8-4B25-9075-6F67F9E7194B@freebsd.org>
Message-Id: <769FF550-3F6F-4825-ACF5-6E9043D7F1C7@yahoo.com>
References: <5667D5C0-44F7-4B40-8F63-50D5973D220D.ref@yahoo.com> <5667D5C0-44F7-4B40-8F63-50D5973D220D@yahoo.com> <0377045B-3DF8-4B25-9075-6F67F9E7194B@freebsd.org>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Jul 3, 2024, at 17:47,
Philip Paeps wrote:

> On 2024-07-04 01:27:03 (+0800), Mark Millard wrote:
>> Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:14:aarch64/quarterly, please wait...
>> Certificate verification failed for /CN=pkg.freebsd.org
>> 0020616CE1680000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
>
> As far as I can tell, at the time of this writing, all fifteen pkg.freebsd.org sites have the same certificate, and OpenSSL is happy with it.
>
>> Note the "pkg+https://".
>>
>> I had separate problems yesterday that I sidestepped by
>> testing use of just "pkg+http://", which worked. See:
>
> Use pkg+http. This is the default.

Hmm:

# grep http /usr/src/usr.sbin/pkg/FreeBSD.conf.*
/usr/src/usr.sbin/pkg/FreeBSD.conf.latest:    url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
/usr/src/usr.sbin/pkg/FreeBSD.conf.quarterly:    url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",

Releases, snapshots, pkgbase, and artifacts all explicitly end up
with https in /etc/pkg/FreeBSD.conf. What the pkg program has as a
default (if anything) is not in use for such.

And I likely made all variants that I added as
/usr/local/etc/pkg/repos/*.conf files based on copying
/etc/pkg/FreeBSD.conf and then editing the copy, leaving the
https in place. Again the .conf files matter, not the program
defaults.

> Packages are signed. Transport layer security does not provide any additional security. (Anticipating the usual argument: it doesn't provide privacy either - packages are trivially fingerprinted by file size.)

I was just following the standard materials FreeBSD provides.
I'd not have made the argument that you reference. I just
figured FreeBSD was already using what folks more expert than
I had classified as the thing to use for the most part.
>> pkg with -d for the https context had its debug output
>> reporting:
>>
>> * SSL certificate problem: certificate is not yet valid
>
> Does the system being bootstrapped have a real-time clock? Common causes for this error are clocks set to 1970-01-01 or 2000-01-01.

/var/log/messages confirms the time issue for my example boots
that had the problem: it stayed back at Mar 16, not updating via
ntpd as it normally does. (That date is probably from UFS. The
system had not been booted since back then.)

>> It happened to be using 204.15.11.66:443 for the https activity.
>
> For what it's worth: 204.15.11.66 = pkg0.tuk.freebsd.org.

Yep, I'd found that. pkg0.tuk.freebsd.org is the expected place
for my context.

> root@pkg0.tuk:~ # openssl x509 -noout -in /etc/clusteradm/acme-certs/pkg.freebsd.org.crt -dates
> notBefore=Jun 1 20:26:18 2024 GMT
> notAfter=Aug 30 20:26:17 2024 GMT
>

Mar 16 is not in that range, for sure. Relative to the system,
the certificate was in the future, matching the wording presented.

It does seem that /etc/pkg/FreeBSD.conf should avoid the https
notation so that it presents an appropriate default.

Thanks much,
Mark

===
Mark Millard
marklmi at yahoo.com
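The check the exchange above turns on, as an added example (this is not code from the thread, from pkg(8), or from the FreeBSD cluster): it parses the notBefore/notAfter lines that `openssl x509 -noout -dates` prints, compares them with the clock the client believes, and flags the default-epoch clocks (1970-01-01, 2000-01-01) that Philip names, so a stale RTC is recognised before the mirror's certificate is blamed. The sample dates are the ones quoted from pkg0.tuk in the thread; the one-day tolerance around the default epochs, the status strings and the `check_live` helper are assumptions of this example.

```python
"""Classify a TLS certificate validity window against a client clock.

Added example, not code from the thread or from pkg(8).  The point it
demonstrates: "certificate is not yet valid" is as often a stale or
unset client clock as a bad server certificate, so check the clock
against the window before blaming the mirror.
"""
from __future__ import annotations

import subprocess
from datetime import datetime, timedelta, timezone

# Format of the two lines printed by `openssl x509 -noout -dates`
# (openssl pads a single-digit day with a second space).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Clocks that come up at these values usually mean "no RTC / dead
# battery / never set".  The one-day tolerance is an assumption of
# this example, not something OpenSSL itself checks.
SUSPECT_EPOCHS = (
    datetime(1970, 1, 1, tzinfo=timezone.utc),
    datetime(2000, 1, 1, tzinfo=timezone.utc),
)
SUSPECT_TOLERANCE = timedelta(days=1)

# Constructed sample input: the dates quoted in the thread for
# pkg0.tuk's certificate, so the check runs offline.
SAMPLE_DATES = """\
notBefore=Jun  1 20:26:18 2024 GMT
notAfter=Aug 30 20:26:17 2024 GMT
"""


def parse_dates(text: str) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) from `openssl x509 -dates` output
    as timezone-aware UTC datetimes."""
    found: dict[str, datetime] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def classify(now: datetime, not_before: datetime, not_after: datetime) -> str:
    """One of: clock-unset, not-yet-valid, expired, valid."""
    if now.tzinfo is None:          # treat a naive clock as UTC
        now = now.replace(tzinfo=timezone.utc)
    if any(abs(now - epoch) <= SUSPECT_TOLERANCE for epoch in SUSPECT_EPOCHS):
        return "clock-unset"        # the RTC is not telling us anything
    if now < not_before:
        return "not-yet-valid"      # what OpenSSL reported in the thread
    if now > not_after:
        return "expired"
    return "valid"


def check(dates_text: str, now_iso: str) -> str:
    """Convenience wrapper: -dates text plus an ISO-8601 clock string."""
    not_before, not_after = parse_dates(dates_text)
    return classify(datetime.fromisoformat(now_iso), not_before, not_after)


def check_live(host: str, port: int = 443) -> str:
    """Fetch the served certificate with openssl(1) and classify it
    against this machine's clock.  Needs network access; not used by
    the offline sample below."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True,
    )
    dates = subprocess.run(
        ["openssl", "x509", "-noout", "-dates"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return check(dates.stdout.decode(), datetime.now(timezone.utc).isoformat())


if __name__ == "__main__":
    # The thread's situation: clock stuck at Mar 16, certificate valid from Jun 1.
    print(check(SAMPLE_DATES, "2024-03-16T00:00:00+00:00"))  # not-yet-valid
    # Mark's reply time, which falls inside the window.
    print(check(SAMPLE_DATES, "2024-07-03T18:51:53-07:00"))  # valid
```

Running `check_live("pkg.freebsd.org")` on the affected box reproduces the verdict from the client's point of view; a "not-yet-valid" result together with a plausible notBefore is the cue to look at ntpd and the RTC rather than at the mirror, which is exactly where the thread ended up.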