On Thu, 1 Jun 2017, Marcin Cieslak wrote:

> => Attempting to fetch
> https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt
> Authority X3
> 34374329736:error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify
> failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz:
> Authentication error

My temporary solution to this problem is to pin the CA certificate in the port itself: commit 7eec5787c09565b0b2dfc4b2cee176c8509474b2 Author: Marcin Cieślak <sa...@saper.info> Date: Sun Jun 4 21:31:22 2017 +0000 Hardwire CA certificate to facilitate HTTPS downloads Ports do not have a public key infrastructure to facilitate ports that need to be fetched using https only. So we hardcode a root certificate used by Let's Encrypt for now. diff --git a/shells/ksh93/Makefile b/shells/ksh93/Makefile index 10f826c..c1ddef2 100644 --- a/shells/ksh93/Makefile +++ b/shells/ksh93/Makefile @@ -24,7 +24,7 @@ LICENSE= EPL OPTIONS_DEFINE= EXAMPLES STATIC -FETCH_ENV= HTTP_AUTH=basic:*:I\ accept\ www.opensource.org/licenses/cpl:. +FETCH_ARGS+= --ca-cert="${FILESDIR}/dst_root_ca_x3.crt" LDFLAGS+= -lm MAKE_ENV= CCFLAGS="${CFLAGS}" NO_WRKSUBDIR= yes diff --git a/shells/ksh93/files/dst_root_ca_x3.crt b/shells/ksh93/files/dst_root_ca_x3.crt new file mode 100644 index 0000000..e2bd36f --- /dev/null +++ b/shells/ksh93/files/dst_root_ca_x3.crt 
@@ -0,0 +1,22 @@ +subject=/O=Digital Signature Trust Co./CN=DST Root CA X3 +issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3 +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- https://github.com/saper/ports-exp/commit/7eec5787c09565b0b2dfc4b2cee176c8509474b2
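
Review bot: in shells/ksh93/Makefile the FETCH_ENV line carrying HTTP_AUTH=basic:*:I\ accept\ www.opensource.org/licenses/cpl:. is removed in the same hunk that adds --ca-cert, but the commit message only talks about the CA certificate. If the download site no longer asks for that basic-auth licence acceptance, say so in the message or move the removal into its own commit; if it still does, keep the line. Note also that FETCH_ARGS+= --ca-cert="${FILESDIR}/dst_root_ca_x3.crt" applies to every fetch this port performs, so any distfile served over HTTPS from a host whose chain does not lead to this one root will fail verification; a comment above the line naming the host it is meant for would help.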
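
Review bot: the new file shells/ksh93/files/dst_root_ca_x3.crt adds a trust anchor with no record of where it was obtained or how it was checked. Its subject= and issuer= lines name DST Root CA X3, while the commit message calls it "a root certificate used by Let's Encrypt" and the failing chain in the report names Let's Encrypt Authority X3; state that relationship, and put the certificate's source and SHA-256 fingerprint in the commit message so a reviewer can compare the file against an independently obtained copy. A pinned root has a fixed expiry and the server can change its chain at any time, so the Makefile should carry a comment that this file has to be revisited when fetches start failing again.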