From: Philip Paeps
To: Mark Millard
Cc: FreeBSD-STABLE Mailing List, Karl Denninger, Baptiste Daroussin
Subject: Re: pkg_https:// failures related to, for example, "SSL certificate problem: certificate is not yet valid"
Date: Thu, 04 Jul 2024 10:11:11 +0800
Message-ID: <2AFD1E26-C71D-41D0-BA46-E64DFCE5C8EC@freebsd.org>
In-Reply-To: <769FF550-3F6F-4825-ACF5-6E9043D7F1C7@yahoo.com>
References: <5667D5C0-44F7-4B40-8F63-50D5973D220D.ref@yahoo.com> <5667D5C0-44F7-4B40-8F63-50D5973D220D@yahoo.com> <0377045B-3DF8-4B25-9075-6F67F9E7194B@freebsd.org> <769FF550-3F6F-4825-ACF5-6E9043D7F1C7@yahoo.com>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On 2024-07-04 09:51:53 (+0800), Mark Millard wrote:
> On Jul 3, 2024, at 17:47, Philip Paeps wrote:
>> On 2024-07-04 01:27:03 (+0800), Mark Millard wrote:
>>> Bootstrapping pkg from
>>> pkg+https://pkg.FreeBSD.org/FreeBSD:14:aarch64/quarterly, please
>>> wait...
>>> Certificate verification failed for /CN=pkg.freebsd.org
>>> 0020616CE1680000:error:0A000086:SSL
>>> routines:tls_post_process_server_certificate:certificate verify
>>> failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
>>
>> As far as I can tell, at the time of this writing, all fifteen
>> pkg.freebsd.org sites have the same certificate, and OpenSSL is happy
>> with it.
>>
>>> Note the "pkg+https://".
>>>
>>> I had separate problems yesterday that I sidestepped by
>>> testing use of just "pkg+http://", which worked. See:
>>
>> Use pkg+http. This is the default.
>
> Hmm:
>
> # grep http /usr/src/usr.sbin/pkg/FreeBSD.conf.*
> /usr/src/usr.sbin/pkg/FreeBSD.conf.latest: url:
> "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
> /usr/src/usr.sbin/pkg/FreeBSD.conf.quarterly: url:
> "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
>
> Releases, snapshots, pkgbase, and artifacts all explicitly
> end up with https in /etc/pkg/FreeBSD.conf

Sorry. The default does seem to have changed to HTTPS since I last looked. The commit log suggests it was done only because it is now possible. I don't think it's a good idea. It only adds work (and work is heat) for no benefit.

>>> pkg with -d for the https context had its debug output
>>> reporting:
>>>
>>> * SSL certificate problem: certificate is not yet valid
>>
>> Does the system being bootstrapped have a real-time clock? Common
>> causes for this error are clocks set to 1970-01-01 or 2000-01-01.
>
> /var/log/messages confirms the time issue for my example
> boots that had the problem: it stayed back at Mar 16, not
> updating via ntpd as it normally does. (That date is
> probably from UFS. The system had not been booted since
> back then.)

That's what I suspected. And this is another reason why HTTPS is a terrible default for pkg. I don't think we should require a system to keep (reasonably) accurate time in order to be able to download packages.

> It does seem that /etc/pkg/FreeBSD.conf should avoid
> the https notation so that it presents an appropriate
> default.

I agree. Adding bapt@ to Cc:. I think this needs to be reverted. It should probably also be an errata candidate so folks running releases can update packages even when their clocks get out of sync.

In addition to needlessly generating heat, pkg+https reduces the overall security of the system by making it more difficult for some installations to receive updates.

For the avoidance of doubt: I completely support HTTPS as a default for web traffic. Privacy is important. But pkg downloads are not web traffic.

Philip
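The clock-skew failure mode discussed in this message, as an added example that is not code from the thread or from the FreeBSD project: a POSIX shell script that sanity-checks the system clock before a pkg bootstrap, classifies the OpenSSL verify message that `pkg -d` prints, and picks the repository URL scheme accordingly. The floor epoch and the certificate validity windows are constructed values; the host, ABI and branch are the ones quoted in the thread; the comment about package signature verification describes the stock FreeBSD.conf (`signature_type: "fingerprints"`, keys under /usr/share/keys/pkg), which the message itself does not mention.

```shell
#!/bin/sh
# Added example, not part of the thread: decide whether TLS to the package
# mirror can be expected to verify, given the local clock, and report the
# likely cause of a verify failure seen in 'pkg -d bootstrap' output.

REPO_HOST="pkg.FreeBSD.org"      # host quoted in the thread
ABI="FreeBSD:14:aarch64"         # ABI quoted in the thread
BRANCH="quarterly"

# Constructed floor: 1720000000 is 2024-07-03T09:46:40Z, roughly when the
# thread was written. A clock earlier than this is certainly wrong here;
# the classic 1970-01-01 and 2000-01-01 defaults both fail this test.
CLOCK_FLOOR=1720000000

# clock_is_sane NOW FLOOR: succeed when NOW (epoch seconds) is >= FLOOR.
clock_is_sane() {
    [ "$1" -ge "$2" ]
}

# cert_window_status NOW NOTBEFORE NOTAFTER: print the verdict an X.509
# validity check gives at time NOW. "not-yet-valid" is what the thread saw.
cert_window_status() {
    if [ "$1" -lt "$2" ]; then
        echo not-yet-valid
    elif [ "$1" -gt "$3" ]; then
        echo expired
    else
        echo valid
    fi
}

# classify_ssl_error LINE: map an OpenSSL/libcurl verify message to a
# likely cause, so the operator checks the clock before blaming the CA.
classify_ssl_error() {
    case "$1" in
        *"certificate is not yet valid"*) echo clock-behind ;;
        *"certificate has expired"*)      echo clock-ahead-or-cert-expired ;;
        *"certificate verify failed"*)    echo verify-failed ;;
        *)                                echo unknown ;;
    esac
}

# pkg_repo_url SCHEME: build the URL in the form FreeBSD.conf uses.
pkg_repo_url() {
    echo "pkg+$1://$REPO_HOST/$ABI/$BRANCH"
}

# choose_pkg_url NOW FLOOR: use https only when the clock can be trusted.
# With plain http, pkg still verifies package signatures against the
# fingerprints in /usr/share/keys/pkg (stock FreeBSD.conf), so the
# fallback loses transport privacy, not authenticity of the packages.
choose_pkg_url() {
    if clock_is_sane "$1" "$2"; then
        pkg_repo_url https
    else
        pkg_repo_url http
    fi
}

main() {
    now=$(date +%s)
    if ! clock_is_sane "$now" "$CLOCK_FLOOR"; then
        echo "clock is $now, before floor $CLOCK_FLOOR: TLS verification will fail" >&2
        echo "fix time first (service ntpd onestart, or ntpd -gq) rather than skipping verification" >&2
    fi
    echo "bootstrap URL: $(choose_pkg_url "$now" "$CLOCK_FLOOR")"
}

main
```

Run it before bootstrapping pkg on a box that may have lost its clock (no RTC, or a UFS system that has not booted in months, as in the thread). If you do need the http fallback, put the printed URL in a repo override under /usr/local/etc/pkg/repos/ rather than editing /etc/pkg/FreeBSD.conf, and re-enable https once ntpd has synced.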