Solved Does pkg work with SSL?

Hello all,

I'm trying to set up a pkg repository (with poudriere) accessible via HTTPS. The certificate setup has been done on the server. But on the client, I am getting:
Code:
Updating myrepo repository catalogue...
pkg: Repository myrepo has a wrong packagesite, need to re-create database
Certificate verification failed for /C=US/ST=California/O=myrepo, Inc./CN=update.myrepo.com/emailAddress=update@myrepo.com
34405222008:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/home/xxx/freebsd/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180:

My current pkg.conf is:
Code:
myrepo: {
    url             : "https://update.myrepo.com/pkg",
    enabled         : yes,
    mirror_type     : NONE,
    signature_type  : "PUBKEY",
    pubkey          : /path/to/pubkey
}

I think there might be something wrong with my pkg.conf file, but I am not sure. Has anyone encountered a similar problem?

Thanks in advance!
 
I believe you need to install security/ca_root_nss with the symlink option enabled to create /etc/ssl/cert.pem.

From the fetch(1) man page:

Code:
--ca-cert=file
  [SSL] Path to certificate bundle containing trusted CA cer‐
  tificates.  If not specified, /etc/ssl/cert.pem is used.  The
  file may contain multiple CA certificates. The port
  security/ca_root_nss is a common source of a current CA bun‐
  dle.
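
The check suggested in the reply above, as an added example that is not part of the original thread: a small sh diagnostic that confirms the CA bundle is present, is not a dangling symlink, and actually contains certificates. The function names and return codes are constructed for this example, and the `SSL_CA_CERT_FILE` override is taken from fetch(3), not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check the CA bundle used for HTTPS
# certificate verification. Return codes are constructed for this example.

# Print the bundle path: SSL_CA_CERT_FILE (from fetch(3)) if set, otherwise
# the default named in the quoted fetch(1) text.
ca_bundle_path() {
    echo "${SSL_CA_CERT_FILE:-/etc/ssl/cert.pem}"
}

# check_ca_bundle [PATH]
#   0 = usable, 1 = missing, 2 = dangling symlink,
#   3 = unreadable, 4 = no PEM certificates inside
check_ca_bundle() {
    bundle=${1:-$(ca_bundle_path)}

    # security/ca_root_nss can install cert.pem as a symlink; a link whose
    # target is gone looks "present" in ls but cannot be loaded.
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        echo "$bundle: symlink target does not exist" >&2
        return 2
    fi
    if [ ! -f "$bundle" ]; then
        echo "$bundle: not found (is security/ca_root_nss installed?)" >&2
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "$bundle: not readable" >&2
        return 3
    fi
    # grep -c exits 1 on zero matches, so do not let that abort under set -e.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "$bundle: no PEM certificates" >&2
        return 4
    fi
    echo "$bundle: $count CA certificate(s)"
    return 0
}

# Usage: check_ca_bundle            (checks the path fetch would use)
#        check_ca_bundle /some/bundle.pem
```

A bundle that passes this check can still lack the CA that issued the repository's certificate; a self-signed or private-CA server certificate has to be added to the bundle or supplied through `SSL_CA_CERT_FILE`.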
 
Hi,
I am trying to develop a repository with HTTPS access to it. My repository configuration on the client side is:
Code:
myrepo: {
  url: "https://10.13.163.218/testrepo5",
  mirror_type: "none",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/certs/repo.pub",
  enabled: yes
}
The pkg(8) command works fine if I use HTTP in the URL. However, it is not able to update itself when I use HTTPS in the URL.

On the server side, the HTTPS server is running fine and I can access the files from the client using the fetch(1) command on the HTTPS URL.
However, I am not able to understand what I am missing with pkg such that its HTTPS is not working.
 