Hi Łukasz,

Thanks for the instructions. Unfortunately, there is no change in behaviour. See below 
for what I did so far.

On another computer:
1. Download file from 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem?rev=1.24&content-type=text/plain
2. Copy file onto USB

On OpenBSD:
1. Power on OpenBSD and log in as root
2. mkdir /tmp/usb
3. mount /dev/sd1i /tmp/usb
4. rm /etc/ssl/cert.pem  /etc/ssl/zzold_cert.pem
5. cp /tmp/usb/cert.pem /etc/ssl/cert.pem
6. File copy was successful, as checked by using ls -l /etc/ssl/
7. chflags uchg /etc/ssl/cert.pem 
8. no errors/issues so far.

9. sysupgrade
Fetching from https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64/
TLS handshake failure: certificate verification failed: certificate has expired

10. Reboot OpenBSD and try again. Still getting the "TLS handshake failure: 
certificate verification failed: certificate has expired" error message.

11. I checked the cert.pem file by using the ls -l command. It has the wheel group. Not 
sure if this file is supposed to be in the bin group or whether it doesn't matter?
12. I ran a simple test to see if the cert.pem file can be renamed and got an error/warning 
message.
rm /etc/ssl/cert.pem /etc/ssl/zcert.pem
rm: cert.pem  Operation not permitted.

Not sure if we missed something? What else is there to fix? If nothing, I might use http 
for the version 6.9 upgrade only, but I would prefer to use https.

Also, will you be able to confirm that the correct file size for cert.pem is 315,784 bytes? 
Sorry for asking, as there are no hash strings to be found in 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/ 

Thanks
Jason 


-----Original Message-----
From: Łukasz Moskała [mailto:l...@lukaszmoskala.pl] 
Sent: Thursday, 3 March 2022 7:31 PM
To: Jason F; misc@openbsd.org
Subject: Re: Unable to system upgrade

Hi Jason,

Please keep responses on mailing list.

The expired CA cert is in /etc/ssl/cert.pem

I'll copy this from another thread that was on misc@ a while ago:
https://www.mail-archive.com/misc@openbsd.org/msg181131.html

> The solution for you is to edit /etc/ssl/cert.pem and delete
> "/O=Digital Signature Trust Co./CN=DST Root CA X3" from the file.

> Or you could also simply download the latest version of /etc/ssl/cert.pem
> from another machine:

> https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem?rev=1.24&content-type=text/plain

> And install it as /etc/ssl/cert.pem. Although, I would suggest to
> make immutable with "chflags uchg cert.pem".

Most likely the problem will go away after update, as cert.pem should get 
updated with system.

Alternatively, since sysupgrade verifies downloaded files, it should be safe to 
switch to http instead of https.
But I'd recommend trying to fix https problem first.

Regards,
--
Łukasz Moskała

On Thu, Mar 03, 2022 at 03:46:12PM +1100, Jason F wrote:
> Hi Łukasz,
> 
> Thank you for your reply.
> 
> I have corrected the system date and time. I have got a different issue after 
> executing the sysupgrade command:
> 
> sysupgrade
> Fetching from https://cdn.openbsd.org/pub/OpenBSD/6.90/amd64
> TLS handshake failure: certificate verification failed: certificate has 
> expired.
> I rebooted and tried again. Same conclusion as above.  What are the steps to resolve 
> this issue? Delete the expired certificate in what file location or do 
> something else? 
> 
> Thanks,
> Jason
> 
> 
> -----Original Message-----
> From: Łukasz Moskała [mailto:l...@lukaszmoskala.pl] 
> Sent: Thursday, 3 March 2022 7:49 AM
> To: Jason F; misc@openbsd.org
> Subject: Re: Unable to system upgrade
> 
> On 2.03.2022 at 11:01, Jason F wrote:
> > Hi OpenBSD support,
> > 
> > I am a new user and learning to use OpenBSD. I am unable to determine how to
> > resolve the below issue.  Unable to find information on the internet. I am
> > hoping for some assistance from experienced users or someone who has resolved
> > a similar issue.
> > 
> > My NUC box is running OpenBSD 6.8 on amd64. I am upgrading from 6.8 to 6.9
> > then 7.0. Not sure if this can be done from 6.8 to 7.0?
> > 
> > sysupgrade -r
> > Fetching from https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64
> > TLS handshake failure: ocsp verify failed: ocsp response not current
> > 
> > I am not sure how to resolve this issue. I changed the install URL in the
> > /etc/installurl file to try a different site, from
> > https://cdn.openbsd.org/pub/OpenBSD to
> > https://mirror.aarnet.edu.au/pub/OpenBSD
> > 
> > sysupgrade -r
> > Fetching from https://mirror.aarnet.edu.au/pub/OpenBSD/ /6.9/amd64/
> > Invalid signing key
> > 
> > When I rerun with https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64
> > 
> > sysupgrade -r
> > SHA256.sig 100% |**** etc.  2144 00:00
> > Signature Verified
> > TLS handshake failure: ocsp verify failed: ocsp response not current
> > 
> > Happy to consult
> > 
> > Thanks
> > 
> > Jason
> > 
> Hello,
> 
>  > TLS handshake failure: ocsp verify failed: ocsp response not current
> 
> This would indicate that system time is invalid.
> 
> Regards,
> -- 
> Łukasz Moskała
> 
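
Added example, not part of the original thread: a way to list which entries in a CA bundle have passed their expiry date, such as the DST Root CA X3 entry named above. It assumes the bundle carries a `=== <subject>` line and an `openssl x509 -text` style `Not After :` line for each certificate; the function names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed entry format (text part of each bundle entry):
#   === <subject>
#       Not After : Mon DD HH:MM:SS YYYY GMT

# Constructed sample bundle; PEM bodies omitted, second CA is hypothetical.
make_sample() {
    cat <<'EOF'
=== /O=Digital Signature Trust Co./CN=DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
=== /O=Example Trust/CN=Example Root CA
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2040 GMT
EOF
}

# list_expired BUNDLE [NOW]
# Prints the subject of every entry whose "Not After" time is earlier than
# NOW (UTC, formatted YYYYMMDDHHMMSS; defaults to the current system time).
list_expired() {
    bundle=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -v now="$now" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        # Remember the subject that the following validity lines belong to.
        /^=== / { subject = substr($0, 5); next }
        /Not After *:/ {
            sub(/.*Not After *: */, "")      # leaves "Sep 30 14:01:15 2021 GMT"
            split($0, f, " ")                # month, day, time, year, zone
            split(f[3], t, ":")
            # Build a sortable timestamp and compare it with NOW.
            stamp = sprintf("%04d%02d%02d%02d%02d%02d",
                            f[4], mon[f[1]], f[2], t[1], t[2], t[3])
            if (stamp < now) print subject
        }
    ' "$bundle"
}

# Run against a real bundle when a path is given on the command line.
if [ $# -gt 0 ]; then list_expired "$@"; fi
```

With no second argument the comparison uses the system clock, so the clock has to be correct before the output means anything.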
