First-time user: Expired mirror-master certificate - and other problems :(

Autumn Jolitz autumn.jolitz at gmail.com
Fri May 31 12:46:41 PDT 2024


I think this is a bigger issue.

For instance, I tried visiting https://mirror-master.dragonflybsd.org/dports/dragonfly:6.4:x86:64/ with Firefox on my Apple MacBook Pro and got:
```
Websites prove their identity via certificates, which are valid for a set time period. The certificate for mirror-master.dragonflybsd.org expired on 5/31/2024.
 
Error code: SEC_ERROR_EXPIRED_CERTIFICATE
```

Of course, there’s always openssl to tell us what’s up:

```
(cpython312) InvincibleReason:~$ openssl s_client -servername mirror-master.dragonflybsd.org -connect mirror-master.dragonflybsd.org:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar  2 11:15:56 2024 GMT
notAfter=May 31 11:15:55 2024 GMT
```

And before anyone mentions Wolfhound et al, this was confirmed from my MacBook, and two Dragonfly-6.4 boxes. In addition, for giggles, I enabled MUUG repo, did a `sudo pkg update --repository MUUG` and a `sudo pkg upgrade --repository MUUG ca_root_nss`.

`sudo pkg --debug update --repository Avalon` writes out many lines, most pertinent being

```
DBG(1)[764867]> CURL> attempting to fetch from https://mirror-master.dragonflybsd.org/dports/dragonfly:6.4:x86:64/LATEST/packagesite.txz, left retry 3

* Couldn't find host mirror-master.dragonflybsd.org in the .netrc file; using defaults
* Hostname mirror-master.dragonflybsd.org was found in DNS cache
*   Trying 199.233.90.72:443...
* Connected to mirror-master.dragonflybsd.org (199.233.90.72) port 443
* ALPN: curl offers http/1.1
* SSL certificate problem: certificate has expired
* Closing connection
DBG(1)[764867]> CURL> No mirror set url to https://mirror-master.dragonflybsd.org/dports/dragonfly:6.4:x86:64/LATEST/packagesite.txz
```

Regards,

Autumn


> On May 31, 2024, at 7:40 AM, Martin Ivanov <marto1980 at gmail.com> wrote:
> 
> Hello Marcin,
> welcome to DragonFlyBSD! To fix the pkg problem:
> 1. in /usr/local/etc/pkg/repos/, copy the df-latest.conf.sample to df-latest.conf
> 2. in /usr/local/etc/pkg/repos/df-latest.conf, disable the Avalon repository and enable the Wolfhound http repository.
> 3. pkg install ca_root_nss
> 4. in /usr/local/etc/pkg/repos/df-latest.conf, enable the Avalon repository and disable Wolfhound again.
> 
> Best regards,
> Martin
> 
> 
>> On 31 May 2024, at 17:30, Marcin Cieslak <saper at saper.info> wrote:
>> 
>> Hello,
>> 
>> I just installed DragonFlyBSD for the first time
>> yesterday and unfortunately:
>> 
>> 1) pkg bootstrap broke pkg (as described last month
>> in https://lists.dragonflybsd.org/pipermail/users/2024-April/452255.html ).
>> The "Avalon" repository (whatever it is) was
>> unreachable.
>> 
>> 2) I gave up troubleshooting pkg yesterday but today
>> the cause is certain: the certificate of https://mirror-master.dragonflybsd.org/ expired.
>> This also got reported to this list a month ago,
>> so it must be a recurring event (Let's Encrypt?)
>> 
>> 3) Out of panic I tried to reinstall pkg, ca_root_nss
>> and other stuff out of dports only to find out that
>> for example security/openssl cannot be installed due to
>> security vulnerability.
>> 
>> Also many dports do not get installed because they are
>> "unmaintained", but there does not seem to be a clear
>> way to override that.
>> 
>> I was fighting some DNS issues (unrelated to DragonFly)
>> and I was sadly surprised that there is no DNS server
>> in the base anymore. (And I could not install bind9
>> due to security issue in the port).
>> 
>> Is there Kerberos in the base? I couldn't find
>> kinit/klist but some ports give me "base Heimdal"
>> as an option - is it just some leftover from FreeBSD
>> ports?
>> 
>> Initial installation also didn't go smoothly:
>> 
>> I asked the installer to encrypt /boot and the root filesystem.
>> It nicely refused to encrypt /boot but I could mark the root fs
>> as encrypted.
>> 
>> During customization phase it asked me for the encryption password
>> again asking for password confirmation, as if we were setting
>> the password again (not just mounting). This was confusing.
>> 
>> In the end, it didn't work - mountroot bailed out trying
>> to mount stuff from md0 partitions, which apparently didn't get
>> set up during the booting process.
>> 
>> So I had to go unencrypted.
>> 
>> I am sure for every problem I have mentioned there can
>> be a fix or a workaround if we go patiently through
>> the troubleshooting.  It was just very frustrating
>> and I simply gave up, and I have to send this email
>> from the FreeBSD system instead :(
>> 
>> There was one positive surprise though: ACPI event
>> messages are set up properly out of the box
>> (unlike FreeBSD -CURRENT I use as my daily driver).
>> 
>> Marcin
> 

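Added example (not part of the original messages, and not DragonFly project code): a small Python check that parses the `openssl x509 -noout -dates` output quoted above and classifies the certificate as ok, expiring soon, or expired at a given time, so an expiry like this one can be flagged before clients start failing. The 14-day warning threshold and the check times are assumptions chosen for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Output of `openssl x509 -noout -dates` as quoted in the message above.
SAMPLE_DATES = """\
notBefore=Mar  2 11:15:56 2024 GMT
notAfter=May 31 11:15:55 2024 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT".
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key.strip()] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def classify(text, now, warn=timedelta(days=14)):
    """Classify validity at `now`; `warn` is an assumed alert threshold."""
    not_before, not_after = parse_dates(text)
    remaining = not_after - now
    if now < not_before:
        return "not-yet-valid", remaining
    if remaining < timedelta(0):
        return "expired", remaining
    if remaining <= warn:
        return "expiring-soon", remaining
    return "ok", remaining


if __name__ == "__main__":
    # Constructed check times: a month before expiry, eleven days before,
    # and the time the message above was sent (12:46:41 PDT = 19:46:41 UTC).
    for when in (datetime(2024, 5, 1, tzinfo=timezone.utc),
                 datetime(2024, 5, 20, tzinfo=timezone.utc),
                 datetime(2024, 5, 31, 19, 46, 41, tzinfo=timezone.utc)):
        status, remaining = classify(SAMPLE_DATES, when)
        print(when.isoformat(), status, remaining)
```

The parsed validity window is 90 days minus one second, so a 14-day threshold leaves a comfortable margin for a renewal job that has silently stopped working.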