Solved fetch fails with SSL certificate error on https://download.freebsd.org/

[abishai]

Hello, looks like I can't fetch from https://download.freebsd.org/ anymore.

abishai@alpha:/home/ansible % fetch https://download.freebsd.org/ftp/releases/amd64/amd64/12.2-RELEASE/base.txz
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
34370654208:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://download.freebsd.org/ftp/releases/amd64/amd64/12.2-RELEASE/base.txz: Authentication error

I thought i twas a ca_root_nss issue, but I have more or less recent cert bundle:

abishai@alpha:/home/ansible % pkg info ca_root_nss
ca_root_nss-3.58
Name : ca_root_nss
Version : 3.58
Installed on : Wed Dec 16 19:58:02 2020 UTC
Origin : security/ca_root_nss
Architecture : FreeBSD:12:*
Prefix : /usr/local
Categories : security
Licenses : MPL20
Maintainer : ports-secteam@FreeBSD.org
WWW : UNKNOWN
Comment : Root certificate bundle from the Mozilla Project
Options :
ETCSYMLINK : on
Annotations :
repo_type : binary
repository : local
Flat size : 786KiB
Description :
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.

Does fetch need more to operate correctly? I remember that I've fetched 12.1 after release without any issues.

 

[Jose]

Looks like you hit it right when the certificate was being updated

nmap -p 443 --script ssl-cert download.freebsd.org                                                         
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-16 15:33 PST
Nmap scan report for download.freebsd.org (149.20.1.200)
Host is up (0.010s latency).
Other addresses for download.freebsd.org (not scanned): 2001:4f8:1:11::15:0
rDNS record for 149.20.1.200: ftp0.isc.freebsd.org

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=download.freebsd.org
| Subject Alternative Name: DNS:download.freebsd.org, DNS:ftp.freebsd.org
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-12-16T20:17:25
| Not valid after:  2021-03-16T20:17:25
| MD5:   4f7a 535e a87a a49c 9265 c2bd 88c0 102c
|_SHA-1: d9ee 96b4 e67a 070a 2959 4786 8091 1b2a 91b4 08f3

Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds

(Cert was not valid before three hours ago)

 

[abishai]

Nope, I still have the problem.

abishai@alpha:/tmp % fetch https://download.freebsd.org
Certificate verification failed for /C=US/O=Let's Encrypt/CN=R3
34370654208:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://download.freebsd.org: Authentication error

openssl looks OK

abishai@alpha:/tmp % openssl s_client -connect "download.freebsd.org:443"
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = download.freebsd.org
verify return:1
---
Certificate chain
0 s:CN = download.freebsd.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=CN = download.freebsd.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3464 bytes and written 409 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 0CE0AD158585CF94A2122A5A9ED6D2445B8D7C90A1DF173AB4D27B78DC49241B
Session-ID-ctx: 
Master-Key: AF585B2C2811F879354FE1214278ABBAA60405C7689D29C62EEF0081526A165D0C24A8E46296E012B996F05D964DDF4B
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1608204421
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---

 

[abishai]

I've found /usr/local/etc/ssl/cert.pem not a symlink, but an empty file. I've deleted it and reinstalled security/ca_root_nss to recreate it. So, fetch(1) is working now.

 

[michaeldexter]

Also check the date of the system as SSL will fail if it is wrong. Run 'ntpdate -v -b us.pool.ntp.org' to force a sync and add the standard entries to /etc/rc.conf :

ntpd_enable="YES"
ntpd_sync_on_start="YES"