Solved Invalid signature using freebsd-update

First of all, I checked this thread. Since the thread was old and it doesn't solve my problem, I decided to make a new thread. (I'm not sure if that is accepted behavior or not, being new to the forum.)

https://forums.freebsd.org/threads/freebsd-update-fetch-gives-error-invalid-signature.52013/

Code:
uname -a
FreeBSD theranch 10.2-RELEASE-p7 FreeBSD 10.2-RELEASE-p7 #0: Mon Nov  2 14:19:39 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Code:
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 10.2-RELEASE from update6.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update4.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update5.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update2.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update3.freebsd.org... invalid signature.
No mirrors remaining, giving up.

The thread indicated that the pub.ssl may be bad, and deleting it would get a new copy. I renamed it (just to be safe) and did get a fresh pub.ssl, but that didn't solve the problem.

This is what I get when I try to check the OpenSSL version:
Code:
openssl version
34379270664:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:346:line 1

So apparently my ssl is hosed. I rebuilt it from ports, but that didn't solve the problem. (The TLS works on my email, so I'm baffled how that is if OpenSSL is hosed.)
 
That is /usr/bin/openssl version above, correct?

That is interesting. Does freebsd-update IDS show files that don't match the expected hashes for 10.2-RELEASE-p7?
 
Good catch on the openssl since I now recall there is more than one (well after being reminded). Sadly:
Code:
 /usr/bin/openssl version
34379270664:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:346:line 1

Also, just so I know:
Code:
# which openssl
/usr/bin/openssl

On the other hand:
Code:
# pwd
/usr/local/bin
# ./openssl version
34381683208:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:346:line 1
#
I checked that there are no symbolic links to trick me.

I don't understand the IDS question, but maybe this is useful:
Code:
# freebsd-update IDS
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 10.2-RELEASE from update6.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update5.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update4.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update2.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update3.freebsd.org... invalid signature.
No mirrors remaining, giving up.
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 10.2-RELEASE from update3.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update2.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update6.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update4.freebsd.org... invalid signature.
Fetching metadata signature for 10.2-RELEASE from update5.freebsd.org... invalid signature.
No mirrors remaining, giving up

I suppose I should mention I'm on a VPS (DigitalOcean).
 
Check if you have a /etc/ssl/openssl.cnf file and what it contains. Move it out of the way in case you have one, openssl(1) should work fine without the configuration file.
 
And we have a winner. Thank you very much.

I do have a cnf file for a VPN, so I need to investigate this further, but now I know where to look.

Code:
# mv openssl.cnf openssl.cnf.saved
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 10.2-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.2-RELEASE-p7.
 
I tracked down the problem. When doing the update to 10.2, these lines were inserted at the top of the openssl.cnf file:
Code:
<<<<<<< current version
=======
# $FreeBSD: releng/10.2/crypto/openssl/apps/openssl.cnf 238405 2012-07-12 19:30:53Z jkim $
>>>>>>> 10.2-RELEASE

I made all the lines comments. Stating the obvious (but perhaps useful for search engines):
Code:
#<<<<<<< current version
#=======
# $FreeBSD: releng/10.2/crypto/openssl/apps/openssl.cnf 238405 2012-07-12 19:30:53Z jkim $
#>>>>>>> 10.2-RELEASE
 
Is there a log of conf files with this merge issue? I'd hate to have potential landmines in the OS.
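
Added example (not part of the thread and not FreeBSD project code): one way to look for other files that still carry markers like the ones quoted above. It reports each span that opens with a `<<<<<<< ` line and closes with a `>>>>>>> ` line; the function names, the default /etc search root and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate leftover merge conflict markers in config files.

# Print "file:first-last" for each block that opens with a line starting
# "<<<<<<< " and closes with a line starting ">>>>>>> ".
scan_file() {
    awk '
        /^<<<<<<< /          { start = FNR }
        /^>>>>>>> / && start { printf "%s:%d-%d\n", FILENAME, start, FNR; start = 0 }
    ' "$1"
}

# Walk a directory (default /etc, an assumption), skip binary files (-I),
# and scan only the files that contain an opening marker.
find_merge_markers() {
    find "${1:-/etc}" -type f -exec grep -lIE '^<<<<<<< ' {} + 2>/dev/null |
    while IFS= read -r f; do
        scan_file "$f"
    done
}

# Constructed sample: the four lines quoted in the thread followed by one
# ordinary setting, plus a clean file that must not be reported.
make_sample() {
    cat > "$1/openssl.cnf" <<'EOF'
<<<<<<< current version
=======
# $FreeBSD: releng/10.2/crypto/openssl/apps/openssl.cnf 238405 2012-07-12 19:30:53Z jkim $
>>>>>>> 10.2-RELEASE
HOME = .
EOF
    printf '# separator only\n=======\n' > "$1/clean.conf"
}

# Usage: sh find-markers.sh /etc
if [ "$#" -gt 0 ]; then
    find_merge_markers "$1"
fi
```

A bare `=======` line is deliberately not treated as a hit on its own, since separator lines like that also appear in ordinary files.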
 