git.freebsd.org using an untrusted certificate?

Code:
❯ sudo git -C /usr/src pull
fatal: unable to access 'https://git.freebsd.org/src.git/': server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)

Anyone other than me experiencing this?
 
freebsd-version -kru ; uname -aKU

For us to know which version, exactly, you currently use.

Then, the certificate trust issue might have a simple explanation. (Not date and time in this case, I guess.)

Also:

pkg -vv | grep -B 1 -e url -e priority

– and whether your port packages are reasonably up-to-date.



Here, no problem with

git -C /usr/doc pull --ff-only freebsd main && git -C /usr/ports pull --ff-only freebsd main && git -C /usr/src pull --ff-only freebsd main

Code:
% freebsd-version -kru ; uname -aKU
15.0-CURRENT
15.0-CURRENT
15.0-CURRENT
FreeBSD mowa219-gjp4-zbook-freebsd 15.0-CURRENT FreeBSD 15.0-CURRENT main-n272563-52b35140528c GENERIC-NODEBUG amd64 1500023 1500023
%

Code:
% pkg -vv | grep -B 1 -e url -e priority
  FreeBSD-ports: {
    url             : "pkg+https://pkg.freebsd.org/FreeBSD:15:amd64/latest",
    enabled         : yes,
    priority        : 2,
--
  FreeBSD-base: {
    url             : "pkg+https://pkg.freebsd.org/FreeBSD:15:amd64/base_latest",
    enabled         : yes,
    priority        : 0,
--
  aninstaller: {
    url             : "file:////media/aninstaller/packages/FreeBSD:14:amd64",
    enabled         : no,
    priority        : 0
--
  local-poudriere: {
    url             : "file:///usr/local/poudriere/data/packages/main-default",
    enabled         : yes,
    priority        : 3
%
 
Sorry - of course:

Code:
❯ freebsd-version -kru ; uname -aKU
14.1-RELEASE-p5
14.1-RELEASE-p5
14.1-RELEASE-p5
FreeBSD core24.grimstveit.no 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 releng/14.1-524a425d3 CORE24 amd64 1401000 1401000

ntpd is running, and is verified to be correct.

I look at "(CAfile: none CRLfile: none)" and wonder if something is wrong with my certs locally somehow?

Code:
❯ pkg info -l ca_root_nss
ca_root_nss-3.93_2:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.93_2/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.93_2/MPL20
        /usr/local/share/licenses/ca_root_nss-3.93_2/catalog.mk
 
And:

Code:
❯ pkg -vv | grep -B 1 -e url -e priority
  FreeBSD: {
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly",
    enabled         : yes,
    priority        : 0,
 
git.freebsd.org has a Let's Encrypt certificate, which should be verifiable even if security/ca_root_nss isn't installed. Or else you'll end up with a chicken-and-egg problem.

Code:
dice@maelcum:~ % openssl s_client -connect git.freebsd.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = git.freebsd.org
verify return:1
---
Certificate chain
 0 s:CN = git.freebsd.org
   i:C = US, O = Let's Encrypt, CN = E5
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Aug 24 20:20:43 2024 GMT; NotAfter: Nov 22 20:20:42 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = E5
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
 
git.freebsd.org has a Let's Encrypt certificate, which should be verifiable even if security/ca_root_nss isn't installed. Or else you'll end up with a chicken-and-egg problem.

Yet I still ran into the same problem in a few jails, where git wouldn't clone/pull from any https source until I installed ca_root_nss.

Now that I think about it, maybe a certctl rehash would have been sufficient. (I also had to invoke that back when I upgraded some jails from 11.X to 12.Y and got SSL errors from curl.)
 
where git wouldn't clone/pull from any https source
There is a difference between any source and the FreeBSD git and/or package servers of course. The base OS doesn't contain all CA certificates, just the ones specifically for pkg.freebsd.org and git.freebsd.org.

You could not install security/ca_root_nss if you cannot verify the certificate of pkg.freebsd.org. That's the chicken and egg problem.
 
root on UFS or ZFS?

… wonder if something is wrong with my certs locally somehow?

Code:
❯ pkg info -l ca_root_nss
ca_root_nss-3.93_2:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.93_2/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.93_2/MPL20
        /usr/local/share/licenses/ca_root_nss-3.93_2/catalog.mk

A hunch. If the .pkg is still at /var/cache/pkg, then you can probably use pkg-add(8) or pkg-install(8) to force reinstallation from the local file.

Food for thought:

[attached image]
 
Found and resolved the problem, with some hints from a friend:

My curl was built with GNUTLS instead of OPENSSL. So, I did an rmconfig and a source rebuild of curl, and whoppa, everything worked like it normally did.

Thanks for all the help, good people!
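As an added example (not code from anyone in this thread), here is a small POSIX sh diagnostic that turns the two checks made above into something repeatable: parsing `openssl s_client` chain-verification output the way dice read it by eye, and identifying which TLS library curl was built against, which is what finally explained the failure. The wording "server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)" is libcurl's GnuTLS-backend message, so the error text itself already pointed at the TLS library rather than at the certificates. The `curl -V` lines and s_client transcripts embedded below are constructed samples modelled on the output posted above; the trust-store paths are the FreeBSD defaults (`/usr/share/certs/trusted`, `/etc/ssl/certs`, `/etc/ssl/cert.pem`, `/usr/local/share/certs/ca-root-nss.crt`), and the optional live section uses git's standard `GIT_SSL_CAINFO` variable to test whether pointing git at a specific bundle changes the outcome.

```shell
#!/bin/sh
# Added diagnostic helpers for the failure discussed in this thread. None of
# this is from the thread's posters; the sample curl -V lines and s_client
# transcripts below are constructed (modelled on the output posted above).

# Print the TLS library token from the first line of `curl -V`, e.g.
# "GnuTLS/3.8.5" or "OpenSSL/3.0.14". Prints nothing if no known token is found.
curl_tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^(OpenSSL|LibreSSL|GnuTLS|wolfSSL|mbedTLS|BoringSSL|rustls)/' \
        | head -n 1
}

# Exit 0 for the OpenSSL API family (FreeBSD's base OpenSSL reads
# /etc/ssl/cert.pem and the certctl(8) directory /etc/ssl/certs by default);
# GnuTLS and the other backends consult their own default trust store.
backend_is_openssl_family() {
    case "$1" in
        OpenSSL/*|LibreSSL/*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Read `openssl s_client` output on stdin. Exit 0 only when no per-depth
# "verify error:" line appeared, every "verify return:" line is 1 and the
# summary line reports return code 0. s_client keeps printing
# "verify return:1" after an error, so the error and summary lines matter.
chain_verified() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^verify error:'; then
        return 1
    fi
    depth_lines=$(printf '%s\n' "$out" | grep -c '^verify return:' || true)
    ok_lines=$(printf '%s\n' "$out" | grep -c '^verify return:1$' || true)
    [ "$depth_lines" -gt 0 ] && [ "$depth_lines" -eq "$ok_lines" ] \
        && printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Report the local trust stores on a FreeBSD host: the base bundle directory,
# the hashed directory certctl(8) maintains, and the ca_root_nss port's files.
trust_store_report() {
    for d in /usr/share/certs/trusted /etc/ssl/certs; do
        [ -d "$d" ] && printf '%s: %s entries\n' "$d" "$(ls "$d" | wc -l | tr -d ' ')"
    done
    for f in /etc/ssl/cert.pem /usr/local/share/certs/ca-root-nss.crt; do
        [ -f "$f" ] && printf '%s: present\n' "$f"
    done
    return 0
}

# --- constructed samples (version numbers are illustrative) ------------------
SAMPLE_CURL_GNUTLS='curl 8.9.1 (amd64-portbld-freebsd14.1) libcurl/8.9.1 GnuTLS/3.8.5 zlib/1.3.1'
SAMPLE_CURL_OPENSSL='curl 8.9.1 (amd64-portbld-freebsd14.1) libcurl/8.9.1 OpenSSL/3.0.14 zlib/1.3.1'
SAMPLE_SCLIENT_OK=$(cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = git.freebsd.org
verify return:1
---
    Verify return code: 0 (ok)
EOF
)
SAMPLE_SCLIENT_BAD=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = E5
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = git.freebsd.org
verify return:1
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
)

# Offline demo: classify the two sample curl builds.
for line in "$SAMPLE_CURL_GNUTLS" "$SAMPLE_CURL_OPENSSL"; do
    b=$(curl_tls_backend "$line")
    if backend_is_openssl_family "$b"; then v="reads the OpenSSL trust store"; else v="uses its own trust store"; fi
    printf '%-16s %s\n' "$b" "$v"
done

# Live checks, only on request (needs network, curl, openssl and git).
# If the last command succeeds while a plain `git pull` fails, git's libcurl
# is verifying against a different (or empty) store than /etc/ssl/cert.pem.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    printf 'curl TLS backend: %s\n' "$(curl_tls_backend "$(curl -V | head -n 1)")"
    if printf 'Q\n' | openssl s_client -connect git.freebsd.org:443 2>&1 | chain_verified; then
        echo "openssl: git.freebsd.org chain verifies against the default store"
    else
        echo "openssl: chain does NOT verify"
    fi
    trust_store_report
    GIT_SSL_CAINFO=/etc/ssl/cert.pem git ls-remote --exit-code https://git.freebsd.org/src.git HEAD >/dev/null \
        && echo "git: works when pointed at /etc/ssl/cert.pem explicitly"
fi
```

Run it as `sh tls-diag.sh` for the offline classification, or `RUN_LIVE=1 sh tls-diag.sh` on the affected host. The useful split is between the two live results: if `openssl s_client` verifies the chain but git only works with `GIT_SSL_CAINFO` set, the certificates are fine and the problem is which trust store git's TLS backend is looking at, which is exactly the GnuTLS-versus-OpenSSL situation the thread ended on.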
 