Solved ca_root_nss 3.57 and issue with fetch

After I upgraded "ca_root_nss 3.56" to "ca_root_nss 3.57" I get this issue with fetch:

Code:
fetch https://www.google.com
Certificate verification failed for /C=US/O=Google Trust Services/CN=GTS CA 1O1
34370629632:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.google.com: Authentication error

curl and wget work fine.

I use the base OpenSSL: OpenSSL 1.1.1d-freebsd 10 Sep 2019
 
How did you install ca_root_nss? From a pre-built binary package? Delete it and build it from the port and report back to the Forums.
cd /usr/ports/security/ca_root_nss && make install clean
 
I use ports and did portmaster --no-confirm -y -a to upgrade it.

Also I tried without success:

cd /usr/ports/security/ca_root_nss
make deinstall
make install clean

Also /etc/ssl/cert.pem is a symlink to /usr/local/share/certs/ca-root-nss.crt (without it wget shows the same error).

But fetch still doesn't work.
 
I found a way to fix it.

I create a symlink from /usr/local/etc/ssl/cert.pem to /usr/local/share/certs/ca-root-nss.crt and now it works.

But shouldn't fetch read the certificates from /etc/ssl/cert.pem ?

Can you please run this command on your system?

ls -la /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem
 
I have some more information.

I checked an older backup and /usr/local/etc/ssl/cert.pem has the certificates.

Today after the ca_root_nss upgrade this file shows only:

Code:
##
##  ca-root-nss.crt -- Bundle
 
vigole, commands to run:

ls -la /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem /usr/local/etc/ssl/cert.pem.sample /usr/local/openssl/cert.pem.sample

and:

fetch https://www.google.com/robots.txt
 
The result:

uname: 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 GENERIC amd64

cd /usr/ports/security/ca_root_nss && make install clean

ca_root_nss version: 3.57

ls -la /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem /usr/local/etc/ssl/cert.pem.sample /usr/local/openssl/cert.pem.sample

Code:
/etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt
/usr/local/etc/ssl/cert.pem
/usr/local/etc/ssl/cert.pem.sample -> ../../share/certs/ca-root-nss.crt
/usr/local/openssl/cert.pem
/usr/local/openssl/cert.pem.sample -> ../share/certs/ca-root-nss.crt

fetch https://www.google.com/robots.txt
Code:
Certificate verification failed for /C=US/O=Google Trust Services/CN=GTS CA 1O1
34370633728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.google.com: Authentication error

Same error here. The only difference:
Me: 34370629632:error
You: 34370633728:error
 
Please run:

tail -n 2 /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem

And then:

mv /usr/local/etc/ssl/cert.pem.sample /usr/local/etc/ssl/cert.pem

And then:

fetch https://www.google.com/robots.txt
 
Shouldn't fetch (because it's an OS binary) use /etc/ssl/cert.pem instead of /usr/local/etc/ssl/cert.pem?
 
Previously I had copied /usr/local/share/certs/ca-root-nss.crt to /usr/local/etc/ssl/cert.pem; that's why it worked for me. I think upgrading to ca_root_nss 3.57 removed this file and created a new empty file.
 
OK, now it makes sense. Somehow /usr/local/etc/ssl/cert.pem was replaced with an empty file and fetch stopped working for SSL sites.
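The diagnosis in this thread came down to one thing: a cert.pem that exists but holds only the two-line "## ca-root-nss.crt -- Bundle" header, which a plain ls -la does not reveal. The script below is an added example, not posted by anyone in the thread and not part of the ca_root_nss port; it checks the three bundle paths discussed above for that exact state by counting PEM certificate blocks, and reproduces the header-only and populated files as constructed samples in a temporary directory so it can be run anywhere. The function and sample file names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): tell a real CA bundle apart from a
# file that survived the upgrade with only the "## ca-root-nss.crt -- Bundle"
# header, which is the failure mode vigole found behind the fetch error.

# Bundle paths fetch(1) and OpenSSL were inspected at in the thread.
BUNDLE_PATHS="/etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem"

# count_certs FILE: number of PEM certificate blocks in FILE (0 if unreadable).
count_certs() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c exits 1 on zero matches but still prints "0"; keep going.
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# bundle_status FILE: prints "missing", "empty" (no certificates) or "ok:<count>".
bundle_status() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    n=$(count_certs "$1")
    if [ "$n" -eq 0 ]; then
        echo empty
    else
        echo "ok:$n"
    fi
}

# report_bundles PATH...: one line per path, showing a symlink target if present.
report_bundles() {
    for p in "$@"; do
        target=""
        if [ -L "$p" ]; then
            target=" -> $(readlink "$p")"
        fi
        printf '%s%s: %s\n' "$p" "$target" "$(bundle_status "$p")"
    done
}

# fake_cert: a constructed PEM block with placeholder body, not a real certificate.
fake_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' 'MIIBconstructedPlaceholderNotARealCertificate=='
    printf '%s\n' '-----END CERTIFICATE-----'
}

# make_samples DIR: constructed files reproducing the two states seen in the thread:
# header-only.pem is what the upgrade left behind, bundle.pem is what the backup had.
make_samples() {
    printf '##\n##  ca-root-nss.crt -- Bundle\n' > "$1/header-only.pem"
    {
        printf '##\n##  ca-root-nss.crt -- Bundle\n'
        fake_cert
        fake_cert
    } > "$1/bundle.pem"
}

tmp=$(mktemp -d)
make_samples "$tmp"
# Constructed samples first, then the real system paths (reported as "missing"
# on a machine that is not FreeBSD with ca_root_nss installed).
report_bundles "$tmp/header-only.pem" "$tmp/bundle.pem" $BUNDLE_PATHS
rm -rf "$tmp"
```

On an affected system the line for /usr/local/etc/ssl/cert.pem reads "empty" while /etc/ssl/cert.pem reads "ok:<count>", which is the mismatch that made curl and wget work while fetch failed. A check like this is cheap enough to run after every ca_root_nss upgrade, before any TLS-dependent job notices.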
 