On Thu, Feb 03, 2022 at 12:31:42PM +0530, Yogendra Kumar Chaudhary wrote: > Thanks for this information. > I found on my machine that cert.pm expired on 30 May 2020. I can not switch > to the new o OpenBSD version immediately due to other technical > dependencies. Can you please suggest what should I do to resolve this issue?
Hope you found the easy answer since your question is 18 days old. 1. OpenBSD 6.2 is out of support. Packages from older releases are removed from the default websites that pkg_add uses. You would need to use one of the mirror site that do keep older release, like: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/6.2/packages/amd64 (or /i386 at the end) See manual for pkg_add. 2. Connecting to "https://ftp.openbsd.org/pub/OpenBSD/"; or "https://www.openbsd.org/"; on older release: Both web site INSIST on including the intermediary certificate: 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 by their http web server (they have the same certificate provider). This force you to check against the "/O=Digital Signature Trust Co./CN=DST Root CA X3" certificate in /etc/ssl/cert.pem. Which expired in September 2021. Both web site SHOULD stop offering that certificate as intermediary. And simply stop at: 1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 Because "subject:C=US/O=Internet Security Research Group/CN=ISRG Root X1" is already a valid CA installed everywhere. The solution for you is to edit /etc/ssl/cert.pem and delete "/O=Digital Signature Trust Co./CN=DST Root CA X3" from the file. This should force the application to check against "/C=US/O=Internet Security Research Group/CN=ISRG Root X1" which is already in cert.pem included in 6.2. (Although I didn't test on 6.2 only 6.5.) Or you could also simply download the latest version of /etc/ssl/cert.pem from another machine: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem?rev=1.24&content-type=text/plain And install it as /etc/ssl/cert.pem. Although, I would suggest to make immutable with "chflags uchg cert.pem". Good luck. But you might have to debug and test these tips. 6.2 is old and I don't run it. > > On Thu, Feb 3, 2022 at 8:05 AM Philip Guenther <guent...@gmail.com> wrote: > > > On Wed, Feb 2, 2022 at 6:26 PM Yogendra Kumar Chaudhary < > > yogi9...@gmail.com> wrote: > > > >> I am facing the following error while using pkg_add on OpenBSD 6.2. > >> > > > > 6.2? A four year old release which has been out of support for three > > years? > > > > You should download the 7.0 ISO and do a fresh install. And then read the > > FAQ about upgrades so that you can keep your system up to date after > > installing. > > > > > > Philip Guenther > > > > > > -- > Thanks and Regards > Yogendra Kumar > National Institute of Technology, > Karnataka
