Problems with sites using Let's Encrypt certificates
Nelson H. F. Beebe
beebe at math.utah.edu
Wed Oct 13 05:26:55 PDT 2021
Thanks to help from my colleague who is a network expert, the failure
of "pkg install pkg" on my new DragonFlyBSD 6.0 VM has been resolved.
Here is what I saw repeatedly over the last two weeks:
# pkg install pkg
Updating Avalon repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
...
Here is what we did to diagnose and workaround the failure:
(1) On another machine, check the certificates on the DragonFlyBSD master site:
% openssl s_client -connect mirror-master.dragonflybsd.org:443 -showcerts
CONNECTED(00000003)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
... long output ...
I'm advised that such certificates expire in about 90 days, and
then renew automatically, so by the end of December, my VM might
finally be usable. That is hardly acceptable.
(2) On the VM running the new 6.0 release, look at this file:
% less /usr/local/etc/pkg/repos/df-latest.conf
# If multiple repositories are enabled, they are ordered by their priorities
# and then listing orders.
# United States, California
Avalon: {
url : https://mirror-master.dragonflybsd.org/dports/${ABI}/LATEST,
mirror_type : NONE,
signature_type : NONE,
pubkey : NONE,
fingerprints : /usr/share/fingerprints,
priority : 0,
enabled : yes
}
There are 31 mirror sites listed, but all but the first have "enabled: no".
(3) Use step (1) above to check the certificates of `nearby' mirrors
successively until finding that mirrors.nycbug.org has a
still-valid certificate.
(4) Set "enabled: no" in the df-latest.conf file for mirror-master.dragonflybsd.org
and "enabled: yes" for mirrors.nycbug.org.
(5) Run
# pkg install pkg
.... success ....
# pkg install ... many more ....
My VM is now usable, and up to date.
I remain puzzled, however, why the mirror-master.dragonflybsd.org site
could have had an expired Web certificate for the last two weeks
without manual repair and reports on this list that first appeared on
30-Sep-2021, the day the certificate expired.
194) 30-Sep Antonio Huete = Problems with sites using Let's Encrypt certificates (9820 chars)
195) 30-Sep Antonio Huete = Re: Problems with sites using Let's Encrypt certificates (10187 chars)
197) 1-Oct =?UTF-8?B?SsOhd Re: Problems with sites using Let's Encrypt certificates (20573 chars)
198) 6-Oct "Nelson H. F. B Re: Problems with sites using Let's Encrypt certificates (2526 chars)
199) 6-Oct Phansi Re: Problems with sites using Let's Encrypt certificates (12079 chars)
200) 6-Oct Antonio Huete = Re: Problems with sites using Let's Encrypt certificates (11948 chars)
Also, if the df-latest.conf file had 2 or 3 sites with "enabled: yes",
then I expect that the pkg command might have retried on multiple
sites to find a working mirror. In the Linux world, I've seen
package installers try another mirror if one is unreachable.
-------------------------------------------------------------------------------
- Nelson H. F. Beebe Tel: +1 801 581 5254 -
- University of Utah FAX: +1 801 581 4148 -
- Department of Mathematics, 110 LCB Internet e-mail: beebe at math.utah.edu -
- 155 S 1400 E RM 233 beebe at acm.org beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
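Added example (not part of the original post, nor of DragonFly's pkg tooling): a Python script that automates steps (1) to (4) above. It parses a df-latest.conf-style repository file, runs the same `openssl s_client` probe against every listed mirror whether enabled or not, and reports which chains verify. The repository sample and the two s_client transcripts inside it are constructed for this example (the mirrors.nycbug.org entry and the `mirror-a.example`/`mirror-b.example` hostnames are hypothetical); `probe_host` needs network access and an `openssl` binary, while the parsers run offline.

```python
"""Check which pkg(8) mirrors present a TLS chain that verifies.

Added example: parses a df-latest.conf-style repository file, probes each
mirror with `openssl s_client` as in step (1) of the post, and reports
which chains verify and whether a failure is shared by every mirror.
"""
import re
import subprocess
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the style of df-latest.conf; the second entry is
# hypothetical and not copied from the real file.
SAMPLE_CONF = """\
# United States, California
Avalon: {
    url : https://mirror-master.dragonflybsd.org/dports/${ABI}/LATEST,
    mirror_type : NONE,
    signature_type : NONE,
    pubkey : NONE,
    fingerprints : /usr/share/fingerprints,
    priority : 0,
    enabled : yes
}
# United States, New York (entry constructed for this example)
NYCBUG: {
    url : https://mirrors.nycbug.org/dports/${ABI}/LATEST,
    enabled : no
}
"""

# Constructed s_client transcripts modelled on the one quoted in the post;
# the hostnames are placeholders, not real mirrors.
EXPIRED_ROOT = """\
CONNECTED(00000003)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
depth=0 CN = mirror-a.example
verify return:1
---
    Verify return code: 10 (certificate has expired)
"""
CLEAN_CHAIN = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mirror-b.example
verify return:1
---
    Verify return code: 0 (ok)
"""

REPO_BLOCK_RE = re.compile(r"^\s*(\w+)\s*:\s*\{(.*?)^\s*\}", re.S | re.M)


def parse_repos(text):
    """Return {repo_name: {key: value}} for each `Name: { ... }` block."""
    repos = {}
    for m in REPO_BLOCK_RE.finditer(text):
        name, body, kv = m.group(1), m.group(2), {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip().rstrip(",")   # drop comments and trailing commas
            if ":" in line:
                key, val = line.split(":", 1)
                kv[key.strip()] = val.strip()
        repos[name] = kv
    return repos


def mirror_hosts(repos, only_enabled=False):
    """Map repo name -> hostname, optionally restricted to `enabled : yes` entries."""
    return {name: urlparse(cfg["url"]).hostname for name, cfg in repos.items()
            if cfg.get("url") and (not only_enabled or cfg.get("enabled") == "yes")}


@dataclass
class ChainCheck:
    host: str
    ok: bool = False
    errors: list = field(default_factory=list)   # (depth, subject, num, message)
    not_after: str = ""                          # expiry openssl prints for an expired cert


def parse_s_client(host, output):
    """Parse the verify lines of `openssl s_client` output.

    Each `depth=N <subject>` line names the certificate that the following
    `verify error:` lines refer to; depth 0 is the leaf, higher depths are
    the intermediates and the root the client chose from its trust store.
    """
    check, depth, subject, saw_code = ChainCheck(host=host), -1, "", False
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"depth=(\d+) (.*)", line):
            depth, subject = int(m.group(1)), m.group(2)
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            check.errors.append((depth, subject, int(m.group(1)), m.group(2)))
        elif (m := re.match(r"notAfter=(.*)", line)) and not check.not_after:
            check.not_after = m.group(1)
        elif m := re.match(r"Verify return code: (\d+)", line):
            check.ok, saw_code = m.group(1) == "0", True
    if not saw_code:                 # truncated output: fall back to the error list
        check.ok = not check.errors
    return check


def probe_host(host, port=443, timeout=15):
    """Run the probe from step (1) of the post against one host (needs network)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                           "-servername", host, "-showcerts"],
                          input=b"", capture_output=True, timeout=timeout)
    out = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return parse_s_client(host, out)


def working_mirrors(hosts, probe=probe_host):
    """Probe every mirror; `probe` is injectable so the logic can be tested offline."""
    results = {name: probe(host) for name, host in hosts.items()}
    return [name for name, r in results.items() if r.ok], results


def shared_chain_error(results):
    """Return (num, message) if every mirror failed with the same error above
    the leaf (depth >= 1); that points at the client's CA bundle, not at a mirror."""
    seen = set()
    for r in results.values():
        above_leaf = {(num, msg) for d, _, num, msg in r.errors if d >= 1}
        if r.ok or not above_leaf:
            return None
        seen |= above_leaf
    return next(iter(seen)) if len(seen) == 1 else None


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    good, results = working_mirrors(mirror_hosts(parse_repos(conf)))   # enabled or not
    for name, r in results.items():
        status = "ok" if r.ok else "; ".join(f"depth={d} {s}: {msg}" for d, s, _, msg in r.errors)
        print(f"{name:10} {r.host:40} {status}")
    if shared := shared_chain_error(results):
        print(f"every mirror fails with {shared[1]!r} above the leaf: check the local CA bundle")
```

The parser keeps the depth at which each verify error was raised, as in the `depth=1` line of the post's output, so the script distinguishes one mirror with a bad leaf certificate from the same error above the leaf on every mirror. In the second case the failing certificate is part of the chain the client built from its own trust store, so the client's CA bundle is the first thing to check before switching mirrors; `mirror_hosts(..., only_enabled=True)` reproduces the list pkg actually uses, while the default probes all 31 entries in one pass instead of editing `enabled` by hand.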