lavabit / robox

The tools needed to robotically create/configure/provision a large number of operating systems, for a variety of hypervisors, using packer.

FreeBSD11: LetsEncrypt certificate update #266

Open ole-tange opened 1 year ago

ole-tange commented 1 year ago

Running:

sudo pkg install -y rsync

gives:

    default: Updating FreeBSD repository catalogue...
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: pkg: https://pkg.freebsd.org/FreeBSD:11:amd64/latest/meta.txz: Authentication error
    default: repository FreeBSD has no meta file, using default settings
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: pkg: https://pkg.freebsd.org/FreeBSD:11:amd64/latest/packagesite.pkg: Authentication error
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
    default: 34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    default: pkg: https://pkg.freebsd.org/FreeBSD:11:amd64/latest/packagesite.txz: Authentication error

This is apparently due to a LetsEncrypt certificate that expired.

I do not know how to fix this, so I have asked on StackExchange for a solution to this:

https://unix.stackexchange.com/questions/737022/freebsd11-certificate-verification-failed

ole-tange commented 1 year ago

FreeBSD 12 works. So maybe you can simply copy some files from that.

ladar commented 1 year ago

Hi @ole-tange ... actually, the pkg.sh scripts for FreeBSD 10/11 are both updating the CA file whenever I build a new Robox release, which means you might want to check that you're using a recent Robox version of the FreeBSD 11 box. It's still possible this cert lapsed recently. I aim for new releases every 1-2 weeks, but I've been slipping towards 3-4 weeks lately because of how long it takes to build, my other commitments, etc. Either way, the CA file should get rebuilt during the next build, which should fix the problem. I'm overdue to kick off another build, but two of the Robots are being used for something else, so I need to wait till they're free.

Of course you can always tweak your repo config and force it to use HTTP. I hate this solution personally, which is why I only get the 2-3 packages needed to rebuild the CA file over HTTP, compare them to static hash values, then rebuild the CA file so the rest of the install can download packages over HTTPS. But I'm a little more paranoid than most. In theory HTTP should be safe, since FreeBSD still uses signatures on the package files to verify the download. So all you're leaking to an observer is the list of packages you're installing (and from where), which most people don't consider sensitive.
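The pattern described in the comment above, as an added example (not the Robox pkg.sh script itself): fetch only the CA package over plain HTTP, accept it only if it matches a SHA256 value pinned in advance, install it, and then let pkg(8) go back to HTTPS. The package file name and the pinned digest are placeholders that have to be recorded from a trusted machine; the repository URL follows the pkg.freebsd.org path shown in the error output.

```shell
#!/bin/sh
# Added example, not Robox's own pkg.sh: bootstrap a trusted CA bundle on a
# FreeBSD 11 box whose pkg(8) can no longer validate pkg.freebsd.org over TLS.
# Only the ca_root_nss package is pulled over HTTP, and it is installed only if
# its digest equals a value pinned here beforehand, so a tampered download
# cannot plant a rogue CA bundle. Everything afterwards goes over HTTPS again.
set -eu

REPO_HTTP="http://pkg.freebsd.org/FreeBSD:11:amd64/latest"
CA_PKG="ca_root_nss-PLACEHOLDER_VERSION.txz"                    # placeholder
CA_PKG_SHA256="PLACEHOLDER_SHA256_RECORDED_ON_A_TRUSTED_HOST"   # placeholder
CA_BUNDLE="/usr/local/share/certs/ca-root-nss.crt"  # installed by ca_root_nss

# Print the SHA256 of a file; FreeBSD ships sha256(1), Linux sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Succeed only when the file's digest equals the pinned value (case-insensitive).
verify_pinned_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Fetch over HTTP, check the pin, install, confirm the bundle landed on disk.
bootstrap_ca() {
    tmp=$(mktemp -d)
    fetch -o "$tmp/$CA_PKG" "$REPO_HTTP/All/$CA_PKG"
    if ! verify_pinned_sha256 "$tmp/$CA_PKG" "$CA_PKG_SHA256"; then
        echo "refusing to install $CA_PKG: digest does not match the pin" >&2
        rm -rf "$tmp"; exit 1
    fi
    pkg add "$tmp/$CA_PKG"
    rm -rf "$tmp"
    [ -s "$CA_BUNDLE" ] || { echo "CA bundle missing after install" >&2; exit 1; }
    # From here on pkg(8) can validate the repository certificate over HTTPS.
    pkg update -f
}

# The network steps run only when explicitly requested: sh bootstrap_ca.sh run
if [ "${1:-}" = run ]; then
    bootstrap_ca
fi
```

Record the pinned digest by downloading the same package on a machine whose trust store is intact and hashing it there; a hash copied from the same untrusted HTTP channel proves nothing.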

ole-tange commented 1 year ago

I updated to 4.2.14. The problem is still there.

When would you say I should retry updating? In a week?

ladar commented 1 year ago

@ole-tange the Windows/MacOS systems are both tied up on another project, so I'm waiting for them to finish. Hopefully by the end of the week, which would mean mid to late next week, assuming there aren't too many broken builds I need to investigate/resolve.

In the interim, I'm curious whether running the pkg.sh on your existing box fixes the issue? If not there might be something else going on.

It should be safe to run that script as root as-is but it's been awhile since I wrote it, so I might have forgotten something. If the box is important, I'd suggest walking through it manually so you can edit/tweak each command as needed.