New binary packages available (Sync Sept 6th 2020)

Antonio Huete Jiménez tuxillo at quantumachine.net
Wed Oct 7 15:47:09 PDT 2020


Hi,

The problem is that once you remove all packages, you remove also  
ca_root_nss, which includes the CA certificates that pkg (via  
libfetch) needs to verify a certificate against its CA.

There are several workarounds:

1) Probably the simplest one to try is adding the text below to your  
/usr/local/etc/pkg.conf, then installing ca_root_nss. Don't forget to  
remove it afterwards:

PKG_ENV {
  SSL_NO_VERIFY_PEER=1
}


2) Use the still enabled HTTP protocol in the main mirror. Ideally  
you'd just use this to upgrade pkg and retrieve ca_root_nss, then  
you'd switch again to your regular mirror via HTTPS.

Avalon: {
         url             :  
http://mirror-master.dragonflybsd.org/dports/${ABI}/LATEST,
         mirror_type     : NONE,
         signature_type  : NONE,
         pubkey          : NONE,
         fingerprints    : /usr/share/fingerprints,
         enabled         : yes
}

3) Provide your own /etc/ssl/cert.pem until you've been able to pull  
ca_root_nss. According to fetch(1) manpage (in the --ca-cert option),  
it tries first /usr/local/etc/ssl/cert.pem and then /etc/ssl/cert.pem.
Problem is that ca_root_nss has /etc/ssl/cert.pem in its PLIST, so it  
might complain if the file already exists.

Let us know if it worked for you.

Regards,
Antonio Huete



Quoting Lanir <lanir at cisns.net>:

> Hi,
>
> I tried upgrading packages using the conflict-proof upgrade technique
> linked below. I got to the point where I was running "pkg upgrade" and
> that's when this error starts appearing:
>
> # pkg upgrade
> Updating Avalon repository catalogue...
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's
> Encrypt Authority X3
> 34371318292:error:14007086:SSL routines:CONNECT_CR_CERT:certificate
> verify
> failed:/usr/src/lib/libressl/../../crypto/libressl/ssl/ssl_clnt.c:1121:
>
> It repeats several times but looks the same. Looking at the URL in my
> web browser I don't see any obvious problems with the certificate.
>
> What can I do to get this sorted out?
>
>
> Thanks!
>
>
> On 10/5/20 7:06 PM, Antonio Huete Jiménez wrote:
>> Dear users,
>>
>> There is a new binary package set for master and RELEASE available.
>>
>> It's based in FreeBSD Ports as of Sep 6 20:03:11 2020 with a few minor
>> cherry-picks.
>>
>> You can use the "Bullet-proof (conflict-proof) upgrade technique" as
>> described here:
>> https://www.dragonflybsd.org/docs/howtos/HowToDPorts/#index4h1
>>
>> Users that wish to report issues with specific packages, please open
>> an issue here: https://github.com/DragonFlyBSD/DPorts/issues
>>
>> Developers tthat wish to submit fixes, please go here:
>> https://github.com/DragonFlyBSD/DeltaPorts/pulls
>>
>> RELEASE-5.8
>> 30960 packages available
>>
>> master
>> 30986 packages available
>>
>>
>> - The DragonFly BSD team
>>






More information about the Users mailing list