Re: deskutils/nextcloudclient Cannot connect securely to
On 25/10/21 08:14, Per olof Ljungmark wrote:
> FreeBSD 12-STABLE from Oct 15
> nextcloudclient 3.3.5
>
> I get popup messages from the client stating "Untrusted Certificate
> Cannot connect securely to [server-name]".
>
> Browser access to the server is fine, no errors.
>
> Using truss, it seems it looks for and finds
> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>
> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>
> It also looks for 8d33f237.0, but it does not exist:
> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>
> How do I convince it to instead look for 4042bcee.0 which is the
> ISRG_Root_X1.pem used by Letsencrypt?

Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

What version of openssl are you using? versions before 1.1.0 show this
behavior.

Maybe a possible workaround is to manually remove the expired
certificate from the list of trusted ones.

I guess you are using the ones installed by security/ca_root_nss, in
which case you'll need to modify their list.

--
Guido Falsi
Re: deskutils/nextcloudclient Cannot connect securely to
On 10/25/21 09:51, Guido Falsi wrote:
> On 25/10/21 08:14, Per olof Ljungmark wrote:
>> FreeBSD 12-STABLE from Oct 15
>> nextcloudclient 3.3.5
>>
>> I get popup messages from the client stating "Untrusted Certificate
>> Cannot connect securely to [server-name]".
>>
>> Browser access to the server is fine, no errors.
>>
>> Using truss, it seems it looks for and finds
>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>
>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>
>> It also looks for 8d33f237.0, but it does not exist:
>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>
>> How do I convince it to instead look for 4042bcee.0 which is the
>> ISRG_Root_X1.pem used by Letsencrypt?
>
> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> What version of openssl are you using? versions before 1.1.0 show this
> behavior.
>
> Maybe a possible workaround is to manually remove the expired
> certificate from the list of trusted ones.
>
> I guess you are using the ones installed by security/ca_root_nss, in
> which case you'll need to modify their list.

OpenSSL 1.1.1l-freebsd 24 Aug 2021

I will try to remove the expired cert and see what happens.

The server (v.20.0.13) uses security/ca_root_nss, the client apparently
does not, it does not look in /usr/local/share/certs or
/usr/local/etc/ssl

And, Windows and Mac clients do not exhibit this behaviour.

Thanks,

Per
INDEX now builds successfully on 12.x
Re: deskutils/nextcloudclient Cannot connect securely to
On 25/10/21 10:02, Per olof Ljungmark wrote:
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>>
>>> I get popup messages from the client stating "Untrusted Certificate
>>> Cannot connect securely to [server-name]".
>>>
>>> Browser access to the server is fine, no errors.
>>>
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>>
>>> How do I convince it to instead look for 4042bcee.0 which is the
>>> ISRG_Root_X1.pem used by Letsencrypt?
>>
>> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>
>> What version of openssl are you using? versions before 1.1.0 show this
>> behavior.
>>
>> Maybe a possible workaround is to manually remove the expired
>> certificate from the list of trusted ones.
>>
>> I guess you are using the ones installed by security/ca_root_nss, in
>> which case you'll need to modify their list.
>
> OpenSSL 1.1.1l-freebsd 24 Aug 2021
>
> I will try to remove the expired cert and see what happens.
>
> The server (v.20.0.13) uses security/ca_root_nss, the client apparently
> does not, it does not look in /usr/local/share/certs or
> /usr/local/etc/ssl

Yes rereading your post looks like the client is using FreeBSD base cert
store.

> And, Windows and Mac clients do not exhibit this behaviour.

Windows and mac have a different cert store mechanism AFAIK.

Also my nextcloud server also has a letsencrypt cert and is working
fine, so I'm not sure why yours is causing problems.

--
Guido Falsi
Re: deskutils/nextcloudclient Cannot connect securely to
On 10/25/21 09:51, Guido Falsi wrote:
> On 25/10/21 08:14, Per olof Ljungmark wrote:
>> FreeBSD 12-STABLE from Oct 15
>> nextcloudclient 3.3.5
>>
>> I get popup messages from the client stating "Untrusted Certificate
>> Cannot connect securely to [server-name]".
>>
>> Browser access to the server is fine, no errors.
>>
>> Using truss, it seems it looks for and finds
>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>
>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>
>> It also looks for 8d33f237.0, but it does not exist:
>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>
>> How do I convince it to instead look for 4042bcee.0 which is the
>> ISRG_Root_X1.pem used by Letsencrypt?
>
> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> What version of openssl are you using? versions before 1.1.0 show this
> behavior.
>
> Maybe a possible workaround is to manually remove the expired
> certificate from the list of trusted ones.
>
> I guess you are using the ones installed by security/ca_root_nss, in
> which case you'll need to modify their list.

Deleting the link /etc/ssl/certs did the trick it seems, no more popups
since an hour.

Still wondering why this happens though...

Thanks again,

Per
Re: deskutils/nextcloudclient Cannot connect securely to
On 25/10/21 16:22, Per olof Ljungmark wrote:
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>>
>>> I get popup messages from the client stating "Untrusted Certificate
>>> Cannot connect securely to [server-name]".
>>>
>>> Browser access to the server is fine, no errors.
>>>
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>>
>>> How do I convince it to instead look for 4042bcee.0 which is the
>>> ISRG_Root_X1.pem used by Letsencrypt?
>>
>> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>
>> What version of openssl are you using? versions before 1.1.0 show this
>> behavior.
>>
>> Maybe a possible workaround is to manually remove the expired
>> certificate from the list of trusted ones.
>>
>> I guess you are using the ones installed by security/ca_root_nss, in
>> which case you'll need to modify their list.
>
> Deleting the link /etc/ssl/certs did the trick it seems, no more popups
> since an hour.
>
> Still wondering why this happens though...

Not sure why it happens in your case, since you're using a recent
OpenSSL, but in general it happens because one of letsencrypt root
certificates expired and the default chain still includes it through
cross signing.

Newer OpenSSL should be able to cope, so, again, no clue why it happens
in your case.

--
Guido Falsi
Re: deskutils/nextcloudclient Cannot connect securely to
On 10/25/21 7:22 AM, Per olof Ljungmark wrote:
> On 10/25/21 09:51, Guido Falsi wrote:
>> On 25/10/21 08:14, Per olof Ljungmark wrote:
>>> FreeBSD 12-STABLE from Oct 15
>>> nextcloudclient 3.3.5
>>>
>>> I get popup messages from the client stating "Untrusted Certificate
>>> Cannot connect securely to [server-name]".
>>>
>>> Browser access to the server is fine, no errors.
>>>
>>> Using truss, it seems it looks for and finds
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//2e5ac55d.0",{ mode=-r--r--r-- ,inode=192371,size=4665,blksize=5120 },0x0) = 0 (0x0)
>>> open("/etc/ssl/certs//2e5ac55d.0",O_RDONLY,0666) = 106535 (0x1a027)
>>>
>>> But 2e5ac55d.0 (DST_Root_CA_X3.pem) has expired.
>>>
>>> It also looks for 8d33f237.0, but it does not exist:
>>> fstatat(AT_FDCWD,"/etc/ssl/certs//8d33f237.0",0x7fffdf5f70a0,0x0) ERR#2 'No such file or directory'
>>>
>>> How do I convince it to instead look for 4042bcee.0 which is the
>>> ISRG_Root_X1.pem used by Letsencrypt?
>>
>> Ref: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>
>> What version of openssl are you using? versions before 1.1.0 show this
>> behavior.
>>
>> Maybe a possible workaround is to manually remove the expired
>> certificate from the list of trusted ones.
>>
>> I guess you are using the ones installed by security/ca_root_nss, in
>> which case you'll need to modify their list.
>>
>
> Deleting the link /etc/ssl/certs did the trick it seems, no more popups
> since an hour.
>
> Still wondering why this happens though...
>

Someone on the forums had a similar problem and it turned out the
problem was additional Let's Encrypt certificates in the
/usr/local/share/certs directory.

https://forums.FreeBSD.org/threads/dst-root-ca-x3-certificate-has-expired.82364/post-536460

HTH,
Jose
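Added example, not part of any message in this thread: a shell function that lists the certificates in a hashed trust directory such as /etc/ssl/certs that have expired or will expire soon, printing each subject hash so it can be matched against the HASH.0 names seen in the truss output. The function name expiring_certs and its optional look-ahead argument are this example's own.

```shell
#!/bin/sh
# expiring_certs DIR [SECONDS]
# Print "SUBJECT_HASH PATH" for every certificate file in DIR that is
# already expired, or that expires within SECONDS (default 0).
# Hypothetical helper written for this page; it only reads the files.
expiring_certs() {
    dir=$1
    horizon=${2:-0}
    for f in "$dir"/*; do
        # -f follows symlinks, so HASH.0 links into another directory count
        [ -f "$f" ] || continue
        # Files that do not parse as an X.509 certificate are skipped
        h=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || continue
        # -checkend exits non-zero when the cert expires within $horizon seconds
        if ! openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null 2>&1; then
            printf '%s %s\n' "$h" "$f"
        fi
    done
}

# Stand-alone use: sh expiring_certs.sh /etc/ssl/certs [seconds]
if [ $# -gt 0 ]; then
    expiring_certs "$@"
fi
```

A hash printed here that also appears as an opened HASH.0 file in the client's truss trace identifies the trust anchor the client actually loaded.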
Re: FreeBSD Port: dnscap-2.0.1,1
Hi,

On Thu, Oct 21, 2021 at 7:35 PM Ray Bellis wrote:
>
> The RSSM plugin for dnscap is not dependent on the CBOR libraries, but
> in the dnscap pkg-plist its files are prefixed '%%CDS%%', preventing it
> from being installed if those libraries are not present on the build
> system.
>
> We are a DNS Root Server operator and would like to use this module for
> our RSSAC002 data collection, and would strongly prefer to be able to
> use the official FreeBSD port of dnscap.
>
> It would be very much appreciated if this module were made part of the
> standard package.
>
> [the rzkeychange module is also similarly prefixed, but is not in use]
>

Thanks for reporting. This should be fixed in
8ab7ac0fedb7d5de3360bcdf3d7c2b4e0cf01350.

>
> kind regards,
>
> Ray Bellis
> Director of DNS Operations, ISC.
>
broken UCL in pkg-message
Hello,

I've been working on displaying the pkg-message information on FreshPorts. [1]

Part of this involves parsing the file via ucl_tool (textproc/libucl) - along the way I have been finding broken pkg-message files and fixing them.

I have created a task[2] for myself to add a sanity check to FreshPorts so committers get instant notification. [3] It might also be useful to have a pre-commit hook cover this.

I could use help correcting the broken entries in the ports tree. I do not have time to fix them myself. I can provide starting points:

* use this search term on your search engine: site:freshports.org "WARNING: The FreshPorts parser failed. ucl_tool failed. Please report this"
* write a small shell script to find broken UCL

I think the former is a short list, but will not find everything.

The shell script is sort of like this:

    find /usr/ports -name pkg-message -exec another-script {} \;

Where that other script does this:

    /usr/local/bin/ucl_tool --in "$1" --format json
    if [ $? -ne 0 ]; then
      # this one needs fixing
      echo "$1"
    fi

That should find most, but you also want to look for pkg-message.in

I started this search through the cache:

    [aws-1-nginx01 dan ~] % sudo grep -rl 'The FreshPorts parser failed' ~freshports/cache/ports/*
    devel/kf5-solid
    devel/kyua
    games/shockolate
    net/endlessh
    net/py-wsdd

The output has been modified to show just the category/port name.

[1] - https://news.freshports.org/2021/10/14/pkg-message-ucl-type-gives-_pkgmessage_ucl-found-a-type-is-it-not-prepared-for-array/
[2] - https://github.com/FreshPorts/freshports/issues/345
[3] - https://docs.freebsd.org/en/books/porters-handbook/keeping-up/#freshports

--
Dan Langille - d...@langille.org https://langille.org/-
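Added example, not the script from the message above: one self-contained version of the search it outlines, covering both pkg-message and pkg-message.in and using the ucl_tool invocation quoted there. The function names and the UCL_CHECK override are hypothetical, and the check that a UCL-format file starts with '[' (so plain-text messages are not reported) is an assumption of this example.

```shell
#!/bin/sh
# Checker command; the default is the ucl_tool path used in the message.
# UCL_CHECK is a hypothetical override so another parser can be substituted.
: "${UCL_CHECK:=/usr/local/bin/ucl_tool}"

# is_ucl FILE: true when the first non-blank character is '['.
# Assumption: this is what separates a UCL pkg-message from a plain-text one.
is_ucl() {
    first=$(tr -d ' \t\r\n' < "$1" | cut -c1)
    [ "$first" = "[" ]
}

# check_one FILE: exit status 0 if FILE parses as UCL, non-zero otherwise.
check_one() {
    "$UCL_CHECK" --in "$1" --format json >/dev/null 2>&1
}

# find_broken_ucl DIR: print the path of every UCL-format pkg-message or
# pkg-message.in under DIR that the checker rejects, one per line, sorted.
find_broken_ucl() {
    find "$1" -type f \( -name pkg-message -o -name pkg-message.in \) -print |
    sort |
    while IFS= read -r f; do
        is_ucl "$f" || continue
        check_one "$f" || printf '%s\n' "$f"
    done
}

# Stand-alone use: sh find-broken-ucl.sh /usr/ports
if [ $# -gt 0 ]; then
    find_broken_ucl "$1"
fi
```

The same check_one call on the files touched by a commit is what a pre-commit hook would run.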