NetBSD Problem Report #55125
From gson@gson.org Mon Mar 30 08:44:38 2020
Return-Path: <gson@gson.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 657B51A9213
for <gnats-bugs@gnats.NetBSD.org>; Mon, 30 Mar 2020 08:44:38 +0000 (UTC)
Message-Id: <20200330084422.D6655253F03@guava.gson.org>
Date: Mon, 30 Mar 2020 11:44:22 +0300 (EEST)
From: gson@gson.org (Andreas Gustafsson)
Reply-To: gson@gson.org (Andreas Gustafsson)
To: gnats-bugs@NetBSD.org
Subject: "mozilla-rootcerts install" fails the second time
X-Send-Pr-Version: 3.95
>Number: 55125
>Category: pkg
>Synopsis: "mozilla-rootcerts install" fails the second time
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 30 08:45:00 +0000 2020
>Closed-Date: Sat Jul 10 22:15:03 +0000 2021
>Last-Modified: Sat Jul 10 22:15:03 +0000 2021
>Originator: Andreas Gustafsson
>Release: NetBSD 8.1
>Organization:
>Environment:
System: NetBSD
Architecture: x86_64
Machine: amd64
>Description:
When I run "mozilla-rootcerts install" as instructed by "pkg_info -D
mozilla-rootcerts", I get the error message
ERROR: /etc/openssl/certs already contains certificates, aborting.
Presumably this is because I have already run "mozilla-rootcerts
install" once, back in 2016 judging from the timestamps of the files
in /etc/openssl/certs. Since these four-year-old certificates no
longer work and there is no documented way of updating them, I'm
sometimes forced to disable certificate checking, for example when
downloading files over HTTPS using wget. This is obviously bad
for security.
This issue was discussed on pkgsrc-users in 2018:
https://mail-index.netbsd.org/pkgsrc-users/2018/04/13/msg026493.html
but apparently never resolved as the discussion was sidetracked into a
bikeshed about whether you should need to run "mozilla-rootcerts
install" in the first place. Since that's orthogonal to the issue
at hand, please keep that discussion out of this PR.
>How-To-Repeat:
Install the mozilla-rootcerts package and run "mozilla-rootcerts install"
twice.
>Fix:
>Release-Note:
>Audit-Trail:
From: Benny Siegert <bsiegert@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/55125: "mozilla-rootcerts install" fails the second time
Date: Mon, 30 Mar 2020 10:47:33 +0200
On Mon, Mar 30, 2020 at 10:45 AM Andreas Gustafsson <gson@gson.org> wrote:
> When I run "mozilla-rootcerts install" as instructed by "pkg_info -D
> mozilla-rootcerts", I get the error message
>
> ERROR: /etc/openssl/certs already contains certificates, aborting.
> >Fix:
What would you like the fix to be? Should it delete existing
certificates from /etc/openssl/certs and replace them with the ones it
is installing? Or should there be some kind of "force" option to do
that?
--
Benny
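The design question Benny raises above, as an added example that is not part of this PR or of the mozilla-rootcerts package: a POSIX sh sketch of an install step that keeps the current "already contains certificates, aborting" behaviour by default, and with a `force` argument moves the existing set to a numbered backup directory before installing the new one, so a refresh can be undone. The function name, the `.pem` suffix, the directory layout and the certificate files are constructed placeholders, not the package's real layout or real certificates.

```shell
#!/bin/sh
# Added example (not the mozilla-rootcerts script): one possible shape for the
# "force" option discussed in this PR. Instead of only aborting when DESTDIR
# already contains certificates, the old set is moved aside to a numbered
# backup directory so the update is reversible.
#
# Usage: install_rootcerts SRCDIR DESTDIR [force]
#   status 0: certificates installed
#   status 1: DESTDIR already populated and "force" not given (current behaviour)
#   status 2: SRCDIR unusable or a filesystem operation failed

install_rootcerts() {
    src=$1
    dest=$2
    force=$3

    if [ ! -d "$src" ]; then
        echo "ERROR: $src is not a directory" >&2
        return 2
    fi
    mkdir -p "$dest" || return 2

    # Count existing certificate files; only *.pem is considered here
    # (the real package layout is not assumed).
    existing=0
    for f in "$dest"/*.pem; do
        if [ -f "$f" ]; then
            existing=$((existing + 1))
        fi
    done

    if [ "$existing" -gt 0 ]; then
        if [ "$force" != force ]; then
            echo "ERROR: $dest already contains certificates, aborting." >&2
            return 1
        fi
        # Pick the first unused backup name so repeated refreshes never
        # clobber an earlier backup (DESTDIR is assumed to have no trailing /).
        n=0
        while [ -e "$dest.old.$n" ]; do
            n=$((n + 1))
        done
        backup="$dest.old.$n"
        mkdir "$backup" || return 2
        mv "$dest"/*.pem "$backup"/ || return 2
        echo "moved $existing previous certificate(s) to $backup" >&2
    fi

    cp "$src"/*.pem "$dest"/ || return 2
    return 0
}

# Demonstration on constructed files (placeholder PEM text, not real CAs):
# a first install, a second run that is refused, and a forced refresh.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/new" "$tmp/older"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-2016' \
        '-----END CERTIFICATE-----' > "$tmp/older/root.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-2020' \
        '-----END CERTIFICATE-----' > "$tmp/new/root.pem"

    install_rootcerts "$tmp/older" "$tmp/certs" &&
        echo "first install: ok"
    install_rootcerts "$tmp/new" "$tmp/certs" 2>/dev/null ||
        echo "second install without force: refused (status $?)"
    install_rootcerts "$tmp/new" "$tmp/certs" force &&
        echo "forced refresh: ok, now contains $(sed -n 2p "$tmp/certs/root.pem")"
    rm -rf "$tmp"
}

demo
```

The point of the backup directory is that an operator who refreshes a stale root store can always put the previous set back, which makes a documented refresh step far less risky than the alternative the PR describes, namely leaving the old certificates in place and turning off verification in individual clients.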
From: Andreas Gustafsson <gson@gson.org>
To: Benny Siegert <bsiegert@gmail.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: pkg/55125: "mozilla-rootcerts install" fails the second time
Date: Mon, 30 Mar 2020 12:49:42 +0300
Benny Siegert wrote:
> What would you like the fix to be? Should it delete existing
> certificates from /etc/openssl/certs and replace them with the ones it
> is installing? Or should there be some kind of "force" option to do
> that?
I just want there to be a documented procedure that I can follow to
make "wget https://google.com/" work like it does on other operating
systems, instead of yielding
$ wget https://google.com/
--2020-03-30 12:29:19-- https://google.com/
Resolving google.com (google.com)... 2a00:1450:400f:80a::200e, 172.217.21.174
Connecting to google.com (google.com)|2a00:1450:400f:80a::200e|:443... failed: No route to host.
Connecting to google.com (google.com)|172.217.21.174|:443... connected.
ERROR: cannot verify google.com's certificate, issued by 'CN=GTS CA 1O1,O=Google Trust Services,C=US':
Unable to locally verify the issuer's authority.
To connect to google.com insecurely, use `--no-check-certificate'.
When it comes to OpenSSL, I'm just an end user, and I have no idea
whether, for example, "deleting existing certificates from
/etc/openssl/certs" is the right thing to do. I just follow the
instructions, and currently the instructions don't work.
--
Andreas Gustafsson, gson@gson.org
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 10 Jul 2021 22:15:03 +0000
State-Changed-Why:
There is a documented procedure, it's "install mozilla-rootcerts-openssl".
>Unformatted:
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.