NetBSD Problem Report #55125

From gson@gson.org  Mon Mar 30 08:44:38 2020
Return-Path: <gson@gson.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 657B51A9213
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 30 Mar 2020 08:44:38 +0000 (UTC)
Message-Id: <20200330084422.D6655253F03@guava.gson.org>
Date: Mon, 30 Mar 2020 11:44:22 +0300 (EEST)
From: gson@gson.org (Andreas Gustafsson)
Reply-To: gson@gson.org (Andreas Gustafsson)
To: gnats-bugs@NetBSD.org
Subject: "mozilla-rootcerts install" fails the second time
X-Send-Pr-Version: 3.95

>Number:         55125
>Category:       pkg
>Synopsis:       "mozilla-rootcerts install" fails the second time
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Mar 30 08:45:00 +0000 2020
>Last-Modified:  Mon Mar 30 09:50:01 +0000 2020
>Originator:     Andreas Gustafsson
>Release:        NetBSD 8.1
>Organization:

>Environment:
System: NetBSD
Architecture: x86_64
Machine: amd64
>Description:

When I run "mozilla-rootcerts install" as instructed by "pkg_info -D
mozilla-rootcerts", I get the error message

  ERROR: /etc/openssl/certs already contains certificates, aborting.

Presumably this is because I have already run "mozilla-rootcerts
install" once, back in 2016 judging from the timestamps of the files
in /etc/openssl/certs.  Since these four-year-old certificates no
longer work and there is no documented way of updating them, I'm
sometimes forced to disable certificate checking, for example when
downloading files over HTTPS using wget.  This is obviously bad
for security.

This issue was discussed on pkgsrc-users in 2018:

  https://mail-index.netbsd.org/pkgsrc-users/2018/04/13/msg026493.html

but apparently never resolved as the discussion was sidetracked into a
bikeshed about whether you should need to run "mozilla-rootcerts
install" in the first place.  Since that's orthogonal to the issue
at hand, please keep that discussion out of this PR.

>How-To-Repeat:

Install the mozilla-rootcerts package and run "mozilla-rootcerts install"
twice.

>Fix:

>Audit-Trail:
From: Benny Siegert <bsiegert@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/55125: "mozilla-rootcerts install" fails the second time
Date: Mon, 30 Mar 2020 10:47:33 +0200

 On Mon, Mar 30, 2020 at 10:45 AM Andreas Gustafsson <gson@gson.org> wrote:
 > When I run "mozilla-rootcerts install" as instructed by "pkg_info -D
 > mozilla-rootcerts", I get the error message
 >
 >   ERROR: /etc/openssl/certs already contains certificates, aborting.
 > >Fix:

 What would you like the fix to be? Should it delete existing
 certificates from /etc/openssl/certs and replace them with the ones it
 is installing? Or should there be some kind of "force" option to do
 that?

 -- 
 Benny

From: Andreas Gustafsson <gson@gson.org>
To: Benny Siegert <bsiegert@gmail.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: pkg/55125: "mozilla-rootcerts install" fails the second time
Date: Mon, 30 Mar 2020 12:49:42 +0300

 Benny Siegert wrote:
 >  What would you like the fix to be? Should it delete existing
 >  certificates from /etc/openssl/certs and replace them with the ones it
 >  is installing? Or should there be some kind of "force" option to do
 >  that?

 I just want there to be a documented procedure that I can follow to
 make "wget https://google.com/" work like it does on other operating
 systems, instead of yielding

   $ wget https://google.com/
   --2020-03-30 12:29:19--  https://google.com/
   Resolving google.com (google.com)... 2a00:1450:400f:80a::200e, 172.217.21.174
   Connecting to google.com (google.com)|2a00:1450:400f:80a::200e|:443... failed: No route to host.
   Connecting to google.com (google.com)|172.217.21.174|:443... connected.
   ERROR: cannot verify google.com's certificate, issued by 'CN=GTS CA 1O1,O=Google Trust Services,C=US':
     Unable to locally verify the issuer's authority.
   To connect to google.com insecurely, use `--no-check-certificate'.

 When it comes to OpenSSL, I'm just an end user, and I have no idea
 whether, for example, "deleting existing certificates from
 /etc/openssl/certs" is the right thing to do.  I just follow the
 instructions, and currently the instructions don't work.
 -- 
 Andreas Gustafsson, gson@gson.org
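The exchange above turns on one design question: what an installer should do when the target directory already holds certificates. The script below is an added example written for this PR page, not the mozilla-rootcerts script or any NetBSD project code. It sketches the "force" variant Benny raises, with the safer behaviour a defender would want: refuse by default (the abort the report quotes), and when explicitly forced, move the old trust anchors into a backup directory so the change is auditable and reversible rather than silently discarded. The function names, the `force` argument, the `.bak.XXXXXX` backup naming and the placeholder `*.pem` files are all assumptions of this example.

```shell
#!/bin/sh
# Added example for PR 55125; not the mozilla-rootcerts script itself.
# install_rootcerts SRC_DIR DEST_DIR [force]
#   Copies *.pem from SRC_DIR into DEST_DIR.
#   - DEST_DIR empty or absent          -> install, return 0
#   - DEST_DIR has certs, no "force"    -> abort with the message the PR quotes, return 1
#   - DEST_DIR has certs, third arg is "force"
#                                       -> move old certs to DEST_DIR.bak.XXXXXX, install, return 0
# The "force" argument and backup layout are assumptions of this example.

# count_certs DIR: prints the number of *.pem files in DIR (0 if none).
count_certs() {
    n=0
    for f in "$1"/*.pem; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

install_rootcerts() {
    src="$1"; dest="$2"; force="${3:-}"
    mkdir -p "$dest"
    existing=$(count_certs "$dest")
    if [ "$existing" -gt 0 ]; then
        if [ "$force" != force ]; then
            # Same refusal the PR reports; nothing is touched.
            echo "ERROR: $dest already contains certificates, aborting." >&2
            return 1
        fi
        # Never delete trust anchors outright: keep them where an admin can
        # inspect them or roll back.
        backup=$(mktemp -d "$dest.bak.XXXXXX") || return 1
        for f in "$dest"/*.pem; do
            mv "$f" "$backup"/
        done
        echo "moved $existing old certificate(s) to $backup" >&2
    fi
    for f in "$src"/*.pem; do
        if [ -e "$f" ]; then cp "$f" "$dest"/; fi
    done
    return 0
}

# Stand-alone demo on constructed input in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/new" "$tmp/certs"
    # Constructed placeholder "certificates"; real input would be PEM CA certs.
    printf 'placeholder cert 1\n' > "$tmp/new/ca1.pem"
    printf 'placeholder cert 2\n' > "$tmp/new/ca2.pem"
    install_rootcerts "$tmp/new" "$tmp/certs"            # first run: installs
    if install_rootcerts "$tmp/new" "$tmp/certs"; then   # second run: refused
        echo "unexpected: second install succeeded" >&2
    fi
    install_rootcerts "$tmp/new" "$tmp/certs" force      # explicit force: backup, then reinstall
    echo "$(count_certs "$tmp/certs") certificate(s) now in $tmp/certs"
    rm -rf "$tmp"
}
demo
```

Run it with `sh script.sh`; the second call prints the abort message from the report, the third prints where the previous certificates were moved. A real tool would additionally need to regenerate the OpenSSL hash symlinks after replacing the files, which this example omits.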
