I noticed this on one FreeBSD server today:
$ pkg -vv | grep url
url: "pkg+http://services.unixathome.org/packages/103amd64-default-master-list/",
I decided: let's use https, not http, there. After making the change (in my case, it was in /usr/local/etc/pkg/repos/local.conf), I tried upgrading packages, and it barfed:
$ sudo pkg upgrade
Updating local repository catalogue...
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
pkg: https://services.unixathome.org/packages/103amd64-default-master-list//meta.txz: Authentication error
repository local has no meta file, using default settings
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
pkg: https://services.unixathome.org/packages/103amd64-default-master-list//packagesite.txz: Authentication error
Unable to update repository local
All repositories are up-to-date.
pkg: Repository local cannot be opened. 'pkg update' required
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
I tried from another host, with the same inputs. No problem.
The standard test for this is the following command:
$ openssl s_client -connect services.unixathome.org:443
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 2 IV Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3771 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B59CC199E5997BF5017908E08B3FC1A2920430F74D61277A5DA29683B0DBFE28
    Session-ID-ctx:
    Master-Key: 84DB42FD6768C149D91FCCD8A81A265932AE9DF616D1017E6EB2F338AD95530B2F18002C9AF8A04302887F30F82D8066
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1475338142
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
I did a bunch of poking around wondering what was different.
Eventually, I thought about the ca_root_nss port. I checked and yes, it was installed on the host which worked but not on the host which did not work.
I reverted the change I had made to /usr/local/etc/pkg/repos/local.conf (so pkg could fetch over http again), ran pkg install ca_root_nss on the problem host, and then reran that test command:
$ openssl s_client -connect services.unixathome.org:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 2 IV Server CA
verify return:1
depth=0 C = US, ST = Pennsylvania, L = Media, SN = Langille, GN = Daniel, CN = services.unixathome.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3771 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 985FE5892BD836A27CAB6BEC1734A23488F4F499A904BD767CE5FCC7BEA006DE
    Session-ID-ctx:
    Master-Key: 3EAF796828745F16FA26737E72094B806FC89DB21877331C3F81F7B5516340CD18C1DF71B04A080AE29B20E127B40CD6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1475338335
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
With that change, it all just worked as expected. This is because ca_root_nss lets the local system trust certificates issued by StartSSL.
With that, I was finally able to specify https in /usr/local/etc/pkg/repos/local.conf.
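As an added example (not from the original post, and not pkg or ca_root_nss code), the script below rebuilds the failure in miniature: it creates a throwaway root, intermediate and server certificate with openssl, then verifies the server certificate the way a TLS client does, once against a trust store that does not contain the root (the host without ca_root_nss, error 20) and once against one that does. Every name, file and the hostname services.example.test are constructed for the demo.

```shell
# Added example: a three-level chain (root -> intermediate -> leaf) verified with
# and without its root in the trust store. All material here is throwaway/demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# newcsr NAME SUBJECT: fresh RSA key plus CSR (constructed demo material).
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Extensions: CA certs must carry CA:TRUE and keyCertSign or OpenSSL rejects them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:services.example.test\n' > leaf.ext

# Root CA (self-signed): for a public CA this is what the ca_root_nss bundle supplies.
newcsr root "/CN=Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null
# An unrelated root: a trust store that has other CAs in it, but not ours.
newcsr other "/CN=Unrelated Root CA"
openssl x509 -req -in other.csr -signkey other.key -days 2 -sha256 \
  -extfile ca.ext -out other.pem 2>/dev/null
# Intermediate signed by the root: the "depth=1" certificate the server sends.
newcsr inter "/CN=Demo Intermediate CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
# Leaf (server) certificate signed by the intermediate: "depth=0".
newcsr leaf "/CN=services.example.test"
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain TRUSTFILE: the server supplies leaf + intermediate (-untrusted);
# only the root has to come from the local store. Prints ok or fail.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted inter.pem leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

WITHOUT_ROOT=$(verify_chain other.pem)   # fail: error 20, no local issuer
WITH_ROOT=$(verify_chain root.pem)       # ok
echo "root missing from trust store: $WITHOUT_ROOT"
echo "root present in trust store:   $WITH_ROOT"
```

Against a live host the equivalent check is the post's own command, trimmed to the line that matters: openssl s_client -connect host:443 </dev/null 2>/dev/null | grep 'Verify return code'; a code of 20 there means the root is missing from the local store, not that the server is misconfigured.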