Solved After migrating to new disk: unable to get local issuer certificate

Hi folks,

I am running FreeBSD 15.0. I had to migrate the installation to a new harddrive after the old one was beginning to fail. At the same time, I switched from an UFS based installation to one based on zroot.

Most programs run just fine. But I can't upgrade my gitlab installation. I have followed the steps from the official documentation thoroughly but always get a lot of errors containing
Code:
unable to get local issuer certificate

I guess it has something to do with migrating users or permissions, but I don't know.

I have tried to reinstall ca_root_nss and renew my letsencrypt certificates to no avail.

I would really appreciate any help whether it is a simple solution or some troubleshooting steps I could try.

Thanks in advance,
Jon

PS
I previously posted about the same issue here
 
I guess it has something to do with migrating users or permissions, but I don't know.
Seems more likely to be something to do with the direction you were heading in - certificates - as per the error message.

Was the old install also FreeBSD 15.0?

OpenSSL on both machines? Same version? Not using LibreSSL or anything like that?

Certificates in same locations? You didn't make any symlinks?
 
Seems more likely to be something to do with the direction you were heading in - certificates - as per the error message.

Was the old install also FreeBSD 15.0?

OpenSSL on both machines? Same version? Not using LibreSSL or anything like that?

Certificates in same locations? You didn't make any symlinks?
Yes, old install was same version. Have always used OpenSSL.
I am not sure what you mean talking about symlinks. Is that regarding ca_root_nss?
 
Yes, I have vague recollections that after installing (I think ca_root_nss) it offers to create a symlink.

So either that specifically, or anything along those lines where you might have installed something or created a symlink on the old hard drive.

If you were moving from an older FreeBSD version it might have been moving between OpenSSL versions, but that's not the case here.

Do you use binary packages or build from ports? If you build from ports, were you using base OpenSSL or building against a ports version?

Is the old hard drive dead now or can you check things on it? Like the symlinks, permissions, etc.

I might be throwing red herrings in your path (not intentionally!)

Is the system time correct - that can cause certificate issues.
 
Can you elaborate on the wording "migrate" and "switched"?
Did you just copy over? rsync, clone, dd, cp? Which switches were used?
Or did you reinstall?
Is "freebsd-version -kru" the same on the new and old system?
Did you perform "pkg update"? Better not until git is running ....
Is time & date OK?
pkg install -f ca_root_nss
/usr/local/share/certs/ca-root-nss.crt
cp MYOWNCERTIFICATE /usr/local/share/certs/

Maybe
certctl rehash
git config --global http.sslVerify false
 
Looks like the command you are running is run as the git user, so if you can, compare the old hard drive's /home/git directory - if there is such a thing? Can you log in as that git account and run the command from there?
 
Just finished upgrading Gitlab on my VPS from 18.9.x to 18.11.1. No issues. I am using my own custom built repository though.
 
Can you elaborate on the wording "migrate" and "switched"?
Did you just copy over? rsync, clone, dd, cp? Which switches were used?
Or did you reinstall?
Is "freebsd-version -kru" the same on the new and old system?
Did you perform "pkg update"? Better not until git is running ....
Is time & date OK?
pkg install -f ca_root_nss
/usr/local/share/certs/ca-root-nss.crt
cp MYOWNCERTIFICATE /usr/local/share/certs/

Maybe
certctl rehash
git config --global http.sslVerify false
The old disk was formatted with UFS, the new one with zroot.
I made a fresh install and then copied the essential stuff from /etc/, /usr/local/ and /var/ to the new installation.
My packages are built with poudriere and were all reinstalled. I tried reinstalling ca_root_nss several times.
Everything seems to work, the time and date is correct.
I am not sure what MYOWNCERTIFICATE relates to.
certctl rehash
git config --global http.sslVerify false

did not change anything.
 
When exactly are you getting this error? There are lots of steps in the instructions. One of them will try to download files from the internet (mostly nodeJS stuff); that might be the part that's failing.
The error occurs when running the yarn install --production --pure-lockfile part.
From the error log:
Code:
Trace:
  Error: unable to get local issuer certificate
      at TLSSocket.onConnectSecure (node:internal/tls/wrap:1656:34)
      at TLSSocket.emit (node:events:509:28)
      at TLSSocket._finishInit (node:internal/tls/wrap:1102:8)
      at ssl.onhandshakedone (node:internal/tls/wrap:888:12)
 
Welcome to hell. I have been working with such issues for the past 10 years. Which exact command does that? If you know which one, run: `truss -f -o cmd.out <command>`. You will see which `fopen()` OpenSSL performs to load the certificate from a potential store. There are several ways to instruct OpenSSL to load and use a store. Most applications do the right thing, but some developers think they are smart and need to add convoluted detection logic. Moreover, is it failing for a public CA or your private one?
 
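To make the truss suggestion above usable in practice, here is a small POSIX sh filter. It is an added example and not code from this thread: it sifts a `truss -f -o cmd.out <command>` capture for the certificate and trust-store files the process tried to open, and separates the opens the kernel refused (truss prints those as `ERR#<errno>`) from the ones that succeeded, so you can see which store was actually loaded and compare that against the old disk. The sample trace lines are constructed for illustration, not a real capture, and the path pattern (`cert`, `.pem`, `.crt`) is my assumption about what a trust-store path looks like.

```shell
#!/bin/sh
# Added example: sift a `truss -f -o cmd.out <command>` capture for the
# certificate-store files the process tried to open, and show which failed.
# The sample lines below are constructed for illustration, not a real capture.

write_sample_trace() {
    cat > "$1" <<'EOF'
12345: openat(AT_FDCWD,"/etc/ssl/cert.pem",O_RDONLY|O_CLOEXEC,00) ERR#2 'No such file or directory'
12345: openat(AT_FDCWD,"/usr/local/etc/ssl/cert.pem",O_RDONLY|O_CLOEXEC,00) ERR#2 'No such file or directory'
12345: openat(AT_FDCWD,"/etc/ssl/certs/",O_RDONLY|O_CLOEXEC|O_DIRECTORY,00) = 4 (0x4)
12345: openat(AT_FDCWD,"/usr/local/share/certs/ca-root-nss.crt",O_RDONLY|O_CLOEXEC,00) = 5 (0x5)
12345: openat(AT_FDCWD,"/etc/hosts",O_RDONLY|O_CLOEXEC,00) = 6 (0x6)
EOF
}

# Every open()/openat() whose path looks like a certificate or trust-store
# file (assumed pattern: contains "cert", ".pem" or ".crt").
cert_opens() {
    grep -E 'open(at)?\(' "$1" | grep -E '"[^"]*(cert|\.pem|\.crt)[^"]*"' || true
}

# The subset the kernel refused; truss prints those as ERR#<errno> '<message>'.
failed_cert_opens() {
    cert_opens "$1" | grep -E 'ERR#[0-9]+' || true
}

# The subset that returned a descriptor: these are the stores actually loaded,
# so this is the list to compare against the old disk.
successful_cert_opens() {
    cert_opens "$1" | grep -Ev 'ERR#[0-9]+' || true
}

count_failed_cert_opens() {
    failed_cert_opens "$1" | wc -l | tr -d ' '
}

report_cert_opens() {
    echo "== certificate files that failed to open =="
    failed_cert_opens "$1"
    echo "== certificate files opened successfully =="
    successful_cert_opens "$1"
}

# Usage: sh this.sh cmd.out   (no argument: run against the constructed sample)
trace="${1:-}"
if [ -z "$trace" ]; then
    trace=$(mktemp)
    write_sample_trace "$trace"
fi
report_cert_opens "$trace"
```

A failed open of every candidate store followed by no successful one points at a missing or unreadable bundle (permissions or ownership lost in the copy); a successful open of a store that differs from the one the old disk used points at a different store being picked up.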
The old disk was formatted with UFS, the new one with zroot.
Just to get you onboard with the correct nomenclature, zroot is the name of the pool, the filesystem is ZFS. Either way, the filesystem is irrelevant.
The error occurs when running the yarn install --production --pure-lockfile part.
Alright, that's the part that downloads a bunch of stuff from the NodeJS repositories. Maybe something really obvious, but is the time correct on that machine? Also, any proxies involved? Or does this machine have direct internet access?
 
???
yarn config set strict-ssl false ?
yarn config set cafile MYCERT.pem ?
yarn config set strict-ssl false
in fact resolved the certificate issue.
There were a lot of other issues originating from the "migration". Sadly, I can't say exactly what solved my issues. But overall it had to do with permissions. I have been using openldap authentication and had to resolve some issues related to that. Even more sadly, I had to use ChatGPT to find a resolution.
After correcting my user accounts and permissions, I finally got gitlab running again.
 
Just to get you onboard with the correct nomenclature, zroot is the name of the pool, the filesystem is ZFS. Either way, the filesystem is irrelevant.

Alright, that's the part that downloads a bunch of stuff from the NodeJS repositories. Maybe something really obvious, but is the time correct on that machine? Also, any proxies involved? Or does this machine have direct internet access?
Yeah, I know it was the wrong terminology, which I apologize for. I guess the more correct expression would have been ZFS on root.
 
Even if most of the problems were self-inflicted, I want to say thank you for all the help and all the ideas. ❤️
 
resolved the certificate issue
I think that's a workaround/BandAid rather than resolving the issue as such. You are just telling it (I think, not sure) to be less strict with checking SSL certificates.

So good that it is working for you, but it might have been achieved by turning down security a notch or two.
 
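As the last reply says, `yarn config set strict-ssl false` switches certificate verification off rather than fixing the trust store. The following shell script is an added example, not code from this thread or from the GitLab documentation: it locates the CA bundle a FreeBSD host actually has, counts the hashed entries that `certctl rehash` populates in /etc/ssl/certs, and then points yarn at that bundle with the `cafile` setting suggested earlier in the thread, keeping verification on. The candidate bundle paths are my assumptions for a stock FreeBSD install with the ca_root_nss port, and the `NODE_EXTRA_CA_CERTS` line is an assumption about how the Node.js process underneath yarn can be given extra CAs; the optional root prefix lets the same check run against the old disk mounted elsewhere.

```shell
#!/bin/sh
# Added example: find the CA bundle a FreeBSD host actually has and wire yarn
# to it instead of switching verification off. Paths are assumptions about a
# stock FreeBSD install with the ca_root_nss port; adjust to your system.

# Candidate bundles, checked in order. $1 is an optional root prefix so the
# same check can be run against an old disk mounted under e.g. /mnt/olddisk.
find_ca_bundle() {
    root="${1:-}"
    for p in /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/share/certs/ca-root-nss.crt; do
        # -s: exists and is non-empty; a zero-byte bundle is as bad as a missing one
        if [ -s "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Number of hashed entries in /etc/ssl/certs (what certctl rehash populates).
# Zero here means OpenSSL's default CApath is empty and rehash is worth running.
count_hashed_certs() {
    root="${1:-}"
    n=0
    for f in "$root"/etc/ssl/certs/*.0; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Does the bundle verify a given host? Needs network; prints OpenSSL's verify line.
verify_host_with_bundle() {
    host="$1"; bundle="$2"
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$bundle" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# The fix to prefer over `yarn config set strict-ssl false`: keep verification
# on and name the bundle the tools should trust.
print_fix() {
    bundle="$1"
    cat <<EOF
# re-enable verification if it was switched off, then name the bundle explicitly
yarn config set strict-ssl true
yarn config set cafile "$bundle"
# assumption: the Node.js process under yarn also accepts extra CAs this way
export NODE_EXTRA_CA_CERTS="$bundle"
EOF
}

if bundle=$(find_ca_bundle); then
    echo "trust bundle: $bundle"
    echo "hashed certs in /etc/ssl/certs: $(count_hashed_certs)"
    print_fix "$bundle"
else
    echo "no CA bundle found; run 'pkg install -f ca_root_nss' and 'certctl rehash' first" >&2
fi
```

Run it as the git user (the account the upgrade steps run under) so that the `-s` readability check reflects that user's permissions, and run `verify_host_with_bundle registry.yarnpkg.com "$bundle"` by hand to confirm the bundle verifies the registry before changing the yarn config.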