New binary packages available (Sync Sept 6th 2020)

Antonio Huete Jiménez tuxillo at
Wed Oct 7 15:47:09 PDT 2020


The problem is that once you remove all packages, you also remove
ca_root_nss, which includes the CA certificates that pkg (via
libfetch) needs to verify a certificate against its CA.

There are several workarounds:

1) Probably the simplest one to try is adding the text below to your  
/usr/local/etc/pkg.conf, then installing ca_root_nss. Don't forget to  
remove it afterwards:


2) Use the still enabled HTTP protocol in the main mirror. Ideally  
you'd just use this to upgrade pkg and retrieve ca_root_nss, then  
you'd switch again to your regular mirror via HTTPS.

Avalon: {
         url             :${ABI}/LATEST,
         mirror_type     : NONE,
         signature_type  : NONE,
         pubkey          : NONE,
         fingerprints    : /usr/share/fingerprints,
         enabled         : yes
}

3) Provide your own /etc/ssl/cert.pem until you've been able to pull
ca_root_nss. According to the fetch(1) manpage (in the --ca-cert option),
it first tries /usr/local/etc/ssl/cert.pem and then /etc/ssl/cert.pem.
The problem is that ca_root_nss has /etc/ssl/cert.pem in its PLIST, so it
might complain if the file already exists.

Let us know if it worked for you.

Antonio Huete

Quoting Lanir <lanir at>:

> Hi,
> I tried upgrading packages using the conflict-proof upgrade technique
> linked below. I got to the point where I was running "pkg upgrade" and
> that's when this error starts appearing:
> # pkg upgrade
> Updating Avalon repository catalogue...
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's
> Encrypt Authority X3
> 34371318292:error:14007086:SSL routines:CONNECT_CR_CERT:certificate
> verify
> failed:/usr/src/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1121:
> It repeats several times but looks the same. Looking at the URL in my
> web browser I don't see any obvious problems with the certificate.
> What can I do to get this sorted out?
> Thanks!
> On 10/5/20 7:06 PM, Antonio Huete Jiménez wrote:
>> Dear users,
>> There is a new binary package set for master and RELEASE available.
>> It's based on FreeBSD Ports as of Sep 6 20:03:11 2020 with a few minor
>> cherry-picks.
>> You can use the "Bullet-proof (conflict-proof) upgrade technique" as
>> described here:
>> Users that wish to report issues with specific packages, please open
>> an issue here:
>> Developers that wish to submit fixes, please go here:
>> RELEASE-5.8
>> 30960 packages available
>> master
>> 30986 packages available
>> - The DragonFly BSD team
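
The lookup order from workaround 3, as an added example that is not part of the original message: a POSIX sh pre-flight check that reports which cert.pem would be picked up and whether it holds any certificates. The optional root-prefix argument, the exit codes and the rule that the first readable file wins are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the CA bundle paths
# named in workaround 3 before or after removing all packages.

# Count PEM certificate blocks in a file (prints 0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# find_ca_bundle [ROOT]
# ROOT is a hypothetical prefix so the check can run against a test tree;
# leave it empty to inspect the live system.
# Prints "<path> <number of certificates>" for the first readable bundle.
# Returns 0 if it holds certificates, 2 if it is readable but holds none,
# and 1 if neither path is readable (missing file or dangling symlink).
find_ca_bundle() {
    root="${1:-}"
    # Order as quoted from fetch(1) in the message above.
    for rel in /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem; do
        path="${root}${rel}"
        # -r follows symlinks, so a link left behind by a removed
        # package counts as absent.
        [ -r "$path" ] || continue
        n=$(count_certs "$path")
        printf '%s %s\n' "$path" "${n:-0}"
        # Assumption: the first readable file is the one used, so an
        # empty bundle here masks a good one further down the list.
        if [ "${n:-0}" -gt 0 ]; then
            return 0
        fi
        return 2
    done
    return 1
}

# Stand-alone use: sh check_ca.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    find_ca_bundle "${2:-}"
    exit $?
fi
```

A return value of 1 after removing all packages means HTTPS repository updates will fail verification until one of the workarounds above is applied.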
