On 2024-07-04 01:27:03 (+0800), Mark Millard wrote:
Bootstrapping pkg from
pkg+https://pkg.FreeBSD.org/FreeBSD:14:aarch64/quarterly, please
wait...
Certificate verification failed for /CN=pkg.freebsd.org
0020616CE1680000:error:0A000086:SSL
routines:tls_post_process_server_certificate:certificate verify
failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
As far as I can tell, at the time of this writing, all fifteen
pkg.freebsd.org sites have the same certificate, and OpenSSL is happy
with it.
Note the "pkg+https://";.
I had separate problems yesterday that I side stepped by
testing use of just "pkg+http://";, which worked. See:
Use pkg+http. This is the default. Packages are signed. Transport
layer security does not provide any additional security. (Anticipating
the usual argument: it doesn't provide privacy either - packages are
trivially fingerprinted by file size.)
pkg with -d for the https context had its debug output
reporting:
* SSL certificate problem: certificate is not yet valid
Does the system being bootstrapped have a real-time clock? Common
causes for this error are clocks set to 1970-01-01 or 2000-01-01.
It happened to be using 204.15.11.66:443 for the https activity.
For what it's worth: 204.15.11.66 = pkg0.tuk.freebsd.org.
r...@pkg0.tuk:~ # openssl x509 -noout -in
/etc/clusteradm/acme-certs/pkg.freebsd.org.crt -dates
notBefore=Jun 1 20:26:18 2024 GMT
notAfter=Aug 30 20:26:17 2024 GMT
Philip
