Solved Using Poudriere repo on fresh FreeBSD

I have a setup where FreeBSD is running as gateway for my LAN, and in the past months I have gotten Poudriere set up to serve the ~500 packages my workstation and other machines are using on the LAN.

I would then like to install pkg from my own repository, but it seems pkg is downloaded from a FreeBSD repository even if I specify my own in /usr/local/etc/pkg/repos/. Is it possible to change this? The main reason I ask is because I would like to be able to install software on the LAN machines without them having access to the internet.

I have then tried to install the standard, or official, pkg as a way to get the process going, thinking that I can re-install pkg later with my own version. But my repository is served over HTTPS with LetsEncrypt, and pkg can't confirm the certificate before ca_root_nss is installed (and again, the confirmation process requires internet access). Is it possible to tell pkg not to verify a certificate?

I suppose it's possible to install my own certificate into FreeBSD, but telling pkg not to verify seems easier to be honest. The manual for pkg does not seem to mention the possibility.
 
I would then like to install pkg from my own repository, but it seems pkg is downloaded from a FreeBSD repository even if I specify my own in /usr/local/etc/pkg/repos/. Is it possible to change this?
Works fine for me. Even the initial bootstrap. Make sure you disable the FreeBSD repository.
 
Thank you for the reply and sorry for the slow response.
It has been that time of the year where taxes should be handed in where I am.

You were right about me forgetting to disable the FreeBSD repository. I have set up a jail where I have (the <domain> is just ASCII letters)
Code:
# cat /usr/local/etc/pkg/repos/FreeBSD.conf 
FreeBSD: { enabled: no }
and
Code:
# cat /usr/local/etc/pkg/repos/<domain>.conf 
<domain>: {
        url: "pkg+https://pkg.<domain>.dk/packages/120x64-default/",
        mirror_type: "srv",
        enabled: yes,
        priority: 100
}

When simply running pkg(8) the following output is given
Code:
# pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.<domain>.dk/packages/120x64-default/, please wait...
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
34372231168:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1925:
  (error repeated two times more)
pkg: Error fetching https://pkg.<domain>.dk/packages/120x64-default//Latest/pkg.txz: Authentication error
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

The webserver hosting the packages does not allow HTTP connections, though the certificate is a validated acme.sh certificate.

But as I would like to install the packages without internet connection, some way of not validating the webserver's certificate, both when bootstrapping pkg and installing packages, would be preferred if it's possible.

Both pkg and security/ca_root_nss are built by Poudriere and available in the repository.
 
This might or might not be applicable for your purposes, but it works for me, so I'll offer it for your consideration. I always bootstrap pkg when I initially install FreeBSD on any system, by the simple expedient of downloading the FreeBSD Handbook right before exiting the installer program. That does require an internet connection at that point in the initial install, but afterwards, I believe each system should work fine with only a LAN connection, and no internet connection (although I haven't actually tested it without an internet connection) -- the point being that pkg is already bootstrapped before the first reboot, and I will require pkg later in the configuration, and a LAN connection, but, to the best of my knowledge, not an internet connection. I don't use a Poudriere repository to install packages on the target system, but rather, I just use pkg add.
 
With a Let's Encrypt certificate, you have to install security/ca_root_nss first, and, having enabled your own poudriere repo and disabled the FreeBSD one, run pkg update.
 
freultwah, you run into a chicken and egg problem. In order to access the repository ca_root_nss needs to be installed. Which you can't install because the repository is only accessible on HTTPS.
 
Indeed, my mistake. The question was how to avoid using the FreeBSD pkg repo in the first place.

Well, the manual for pkg.conf provides an example of how to bootstrap pkg using a private repository, but the example uses HTTP, which leads me to conclude that it's the only way. Maybe set up a single purpose web server on the LAN that only serves pkg and ca_root_nss over HTTP?
 
I suppose what I'm looking for is an option like this found in GNU's Wget
--no-check-certificate
Don't check the server certificate against the available
certificate authorities. Also don't require the URL host name to
match the common name presented by the certificate.

Besides my current problem of bootstrapping pkg and starting to use my repository, it would have other benefits if it was possible to not validate the certificate. One of them is that sometimes the Certificate Authority, or the path to them, does not work, which has prevented me from updating and installing software in the past. Only twice, but still. And in the future I would like to expand the repository to cover my servers, and they would have to connect through the Internet.

I don't think that it is an error if it's not possible, but verifying the identity of the server one connects to is only part of the reason to use encryption. In this day and age with encryption being the norm I just assumed it was possible to not validate certificates, since it (in my opinion) makes the infrastructure a bit more prone to failures. Like when a Certificate Authority is offline for a few hours or someone forgets to renew their certificate or simply uses snake oil certificates.

Does anyone know who manages this part of FreeBSD?

Because to be honest I don't know what part of FreeBSD is responsible for bootstrapping pkg. I just type in 'pkg' and then stuff usually works, which is nice :)
 
pkg(8) uses fetch(3). Looking through that you might be able to get it to bootstrap by setting the SSL_NO_VERIFY_PEER environment variable.
 
Yes, that did the trick.

I simply did a
export SSL_NO_VERIFY_PEER=1
and was then able to fetch pkg. After that I updated the package list, installed ca_root_nss, restarted the jail and am now able to use the repository (but have the option to not verify the certificate in the future).

Knowing what to search for, it should be possible to configure pkg with this setting, should one want to:

Thank you all for the replies and the pointers
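As an added example (not from any poster in this thread), the script below ties the thread's pieces together for a fresh jail: it disables the stock FreeBSD repo, writes the private repo file, and bootstraps pkg. Where the host's ca_root_nss bundle can be copied into the jail first, it keeps verification on by pointing fetch(3) at that file through SSL_CA_CERT_FILE, and only falls back to SSL_NO_VERIFY_PEER when no bundle is there; the repo name, URL and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: repo name "private",
# a placeholder URL in the same form as the thread's, and (optionally) the
# host's /usr/local/share/certs/ca-root-nss.crt copied into the jail beforehand.
set -eu

REPO_NAME="${REPO_NAME:-private}"
REPO_URL="${REPO_URL:-pkg+https://pkg.example.org/packages/120x64-default/}"
REPO_DIR="${REPO_DIR:-/usr/local/etc/pkg/repos}"
CA_FILE="${CA_FILE:-/usr/local/share/certs/ca-root-nss.crt}"

# The stock FreeBSD repo must be disabled, otherwise the bootstrap quietly
# pulls Latest/pkg.txz from pkg.FreeBSD.org instead of the private repo.
freebsd_repo_conf() { printf 'FreeBSD: { enabled: no }\n'; }

private_repo_conf() {
    cat <<EOF
$REPO_NAME: {
        url: "$REPO_URL",
        mirror_type: "srv",
        enabled: yes,
        priority: 100
}
EOF
}

# Pick the fetch(3) TLS setting for the bootstrap. With a readable CA bundle
# we keep peer verification on and just tell fetch where the roots are;
# disabling verification is the last resort and is only needed until
# security/ca_root_nss is installed from the repo.
fetch_tls_env() {   # $1 = path to a CA bundle, which may be absent
    if [ -r "$1" ]; then
        printf 'SSL_CA_CERT_FILE=%s' "$1"
    else
        printf 'SSL_NO_VERIFY_PEER=1'
    fi
}

bootstrap() {
    mkdir -p "$REPO_DIR"
    freebsd_repo_conf > "$REPO_DIR/FreeBSD.conf"
    private_repo_conf > "$REPO_DIR/$REPO_NAME.conf"
    # Only the bootstrap fetch gets the env var; later pkg runs do not need it.
    env "$(fetch_tls_env "$CA_FILE")" pkg bootstrap -y
    pkg update
    pkg install -y security/ca_root_nss
}

if [ "${1:-}" = "run" ]; then bootstrap; fi
```

Run it as `sh bootstrap.sh run` inside the jail; without the `run` argument it only defines the functions.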
 