[Bug 213448] The /etc/rc.d/ntpd script cannot fetch NTPD leap-seconds file if ca_root_nss package not installed

bugzilla-noreply at freebsd.org
Thu Oct 13 12:58:00 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448

            Bug ID: 213448
           Summary: The /etc/rc.d/ntpd script cannot fetch NTPD
                    leap-seconds file if ca_root_nss package not installed
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: vivek at khera.org
                CC: freebsd-amd64 at FreeBSD.org

I booted up a test VM I have that hasn't been started for a while. The console
logged this:

Oct 13 08:36:25 devbox kernel: Certificate verification failed for
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root
Certificate Authority - G2
Oct 13 08:36:25 devbox kernel: 34380992136:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:/u/yertle1/sources/usr10/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Oct 13 08:36:25 devbox kernel: fetch:
https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error

I traced it down to the lack of a proper certificate chain:

[root at devbox]# fetch https://www.ietf.org/timezones/data/leap-seconds.list
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield
Technologies, Inc./CN=Starfield Root Certificate Authority - G2
34380992136:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify
failed:/u/yertle1/sources/usr10/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication
error
[root at devbox]# pkg install ca_root_nss
 [[ pkg install details elided as irrelevant ]]
[root at devbox]# fetch https://www.ietf.org/timezones/data/leap-seconds.list
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: size of remote
file is not known
leap-seconds.list                                       10 kB 8155 kBps 00m00s
[root at devbox]#

So it appears that the base system ntpd requires the package to properly
function: The "fetch" feature of /etc/rc.d/ntpd fails as shown here.
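
Added example, not part of the bug report or of FreeBSD's /etc/rc.d/ntpd: a preflight check that reports whether fetch(1) has a CA bundle to verify the leap-seconds URL against, so the failure above is caught before the fetch instead of surfacing as "Authentication error". It assumes libfetch looks at SSL_CA_CERT_FILE, then /usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not FreeBSD's.
# Assumption: libfetch trust-store lookup order is SSL_CA_CERT_FILE,
# then /usr/local/etc/ssl/cert.pem, then /etc/ssl/cert.pem.

# has_pem_cert FILE: true if FILE is readable and holds >= 1 PEM certificate.
has_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# find_ca_bundle [CANDIDATE...]: print the first usable bundle, else return 1.
# Choice made in this example: an explicit SSL_CA_CERT_FILE is authoritative,
# so if it is set but unusable we fail rather than fall back to another store.
find_ca_bundle() {
    if [ -n "${SSL_CA_CERT_FILE:-}" ]; then
        has_pem_cert "$SSL_CA_CERT_FILE" || return 1
        printf '%s\n' "$SSL_CA_CERT_FILE"
        return 0
    fi
    [ "$#" -gt 0 ] || set -- /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem
    for f in "$@"; do
        if has_pem_cert "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# leapfile_preflight URL [CANDIDATE...]: 0 if the URL can be fetched with
# certificate verification (or is not https), 1 if no trust store exists.
leapfile_preflight() {
    url=$1; shift
    case "$url" in
        https://*) ;;
        *) echo "not an https URL, no certificate check applies: $url"; return 0 ;;
    esac
    if bundle=$(find_ca_bundle "$@"); then
        echo "trust store for fetch: $bundle"
    else
        echo "no CA bundle for fetch; install ca_root_nss or set SSL_CA_CERT_FILE" >&2
        return 1
    fi
}

# Check this host with the default candidate paths (URL taken from the report).
leapfile_preflight "https://www.ietf.org/timezones/data/leap-seconds.list" || true
```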
