pkg upgrade: Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA

I noticed this on one FreeBSD server today:

$ pkg -vv | grep url
    url: "pkg+http://services.unixathome.org/packages/103amd64-default-master-list/",

I decided: let’s use https, not http, there. After making the change (in my case, it was in /usr/local/etc/pkg/repos/local.conf), I tried upgrading packages, and it barfed:

$ sudo pkg upgrade
Updating local repository catalogue...
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
pkg: https://services.unixathome.org/packages/103amd64-default-master-list//meta.txz: Authentication error
repository local has no meta file, using default settings
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Certificate verification failed for /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
34401225432:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
pkg: https://services.unixathome.org/packages/103amd64-default-master-list//packagesite.txz: Authentication error
Unable to update repository local
All repositories are up-to-date.
pkg: Repository local cannot be opened. 'pkg update' required
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

I tried from another host, with the same inputs. No problem.

The standard test for this is the following command:

$ openssl s_client -connect services.unixathome.org:443
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 2 IV Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3771 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B59CC199E5997BF5017908E08B3FC1A2920430F74D61277A5DA29683B0DBFE28
    Session-ID-ctx: 
    Master-Key: 84DB42FD6768C149D91FCCD8A81A265932AE9DF616D1017E6EB2F338AD95530B2F18002C9AF8A04302887F30F82D8066
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6f d2 58 e1 c8 58 6d 6a-28 02 18 3c b4 cb 05 d8   o.X..Xmj(..<....
    0010 - 19 f7 16 02 a4 cf 9c d3-17 a2 17 b9 48 85 0b 16   ............H...
    0020 - b2 be 7f 43 4c 15 98 4f-9f 43 5a 57 7a e6 70 01   ...CL..O.CZWz.p.
    0030 - f7 08 31 4c 80 76 b7 86-5f 6b 72 49 62 1a c9 4b   ..1L.v.._krIb..K
    0040 - d8 37 72 44 90 17 bb 0d-3e ba b4 ea c8 ff f2 2a   .7rD....>......*
    0050 - 71 6f 5e cc f7 34 b9 8b-b6 14 e2 33 b5 85 c5 8c   qo^..4.....3....
    0060 - 0a c6 a7 1e 0f 59 dc 61-51 d5 41 b6 ba 20 9e 31   .....Y.aQ.A.. .1
    0070 - a1 38 95 da 62 0f 6f 63-27 35 27 bd ab 9f 47 d7   .8..b.oc'5'...G.
    0080 - af 4e 82 5e 95 91 06 cc-0a 1a c0 0c fa fe 16 88   .N.^............
    0090 - e8 50 25 4f 1e cc d6 8b-29 ae 38 47 ba 81 e2 3a   .P%O....).8G...:
    00a0 - eb 8e 09 6e 43 9c 15 1f-fb 99 1f f9 9e 02 83 84   ...nC...........

    Start Time: 1475338142
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

I did a bunch of poking around wondering what was different.

Eventually, I thought about the ca_root_nss port. I checked and yes, it was installed on the host which worked but not on the host which did not work.

I reverted the change I had made to /usr/local/etc/pkg/repos/local.conf, ran pkg install ca_root_nss on the problem host, and then reran that test command:

$ sudo openssl s_client -connect services.unixathome.org:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 2 IV Server CA
verify return:1
depth=0 C = US, ST = Pennsylvania, L = Media, SN = Langille, GN = Daniel, CN = services.unixathome.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/C=US/ST=Pennsylvania/L=Media/SN=Langille/GN=Daniel/CN=services.unixathome.org
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 2 IV Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3771 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 985FE5892BD836A27CAB6BEC1734A23488F4F499A904BD767CE5FCC7BEA006DE
    Session-ID-ctx: 
    Master-Key: 3EAF796828745F16FA26737E72094B806FC89DB21877331C3F81F7B5516340CD18C1DF71B04A080AE29B20E127B40CD6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6f d2 58 e1 c8 58 6d 6a-28 02 18 3c b4 cb 05 d8   o.X..Xmj(..<....
    0010 - 9c 67 81 41 25 49 16 ad-ff 7f 25 7f 7f 3c f8 d1   .g.A%I....%..<..
    0020 - 0a cf d6 4a 80 0f 4c ca-83 da ce c2 8f 2a ab da   ...J..L......*..
    0030 - 65 81 88 dd 4e 52 02 4d-f9 b0 31 fc 66 7b 75 d6   e...NR.M..1.f{u.
    0040 - 58 c6 d0 01 18 34 c4 72-60 16 1d 30 13 44 61 5b   X....4.r`..0.Da[
    0050 - 4b b4 20 1f 41 07 20 48-fd 34 79 94 72 f6 6e 11   K. .A. H.4y.r.n.
    0060 - 0c 26 be 7e cc 7e 56 2e-e0 38 76 b9 b9 e3 81 20   .&.~.~V..8v.... 
    0070 - 44 bf 5a 10 61 75 52 65-31 fd d0 1e 13 a4 91 54   D.Z.auRe1......T
    0080 - e7 c0 3c b9 97 ae ac 31-f9 63 2e fb fb ec 3d 7a   ..<....1.c....=z
    0090 - 44 b8 7e de 93 eb ee 1e-24 92 15 7e bc b3 02 18   D.~.....$..~....
    00a0 - 0a df 59 ca 6d 85 2b a1-f3 df 08 58 63 b7 25 67   ..Y.m.+....Xc.%g

    Start Time: 1475338335
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

With that change, it all just worked as expected. This is because ca_root_nss installs the root CA bundle that lets the local system trust certificates issued by StartSSL: the StartCom Certification Authority root, shown at depth=2 in the second test, was exactly what the first host had no copy of, so verification stopped at depth=1 with "unable to get local issuer certificate".

With that, I was finally able to specify https in /usr/local/etc/pkg/repos/local.conf.
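As an added example (not from the original post), the following script reproduces the failure offline: it builds a constructed root, intermediate and server certificate chain with openssl, verifies the server certificate against a trust bundle that lacks the issuing root (the state of the host without ca_root_nss, which yields verify error 20), and then against a bundle that contains it. All CA names, hostnames and temporary paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce verify error 20
# ("unable to get local issuer certificate") with a constructed chain.
set -eu
WORK=$(mktemp -d)               # scratch directory for keys and certs
trap 'rm -rf "$WORK"' EXIT

# Constructed hierarchy (placeholder names): root -> intermediate -> server.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=services.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -out "$WORK/srv.pem" 2>/dev/null
# An unrelated self-signed root stands in for a trust store that lacks our issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# verify_chain TRUST_BUNDLE: verify the server cert the way a TLS client does.
# The intermediate is supplied as untrusted (a server sends it in its chain);
# TRUST_BUNDLE is the explicit trust-anchor file. Prints openssl's verdict.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/srv.pem" 2>&1 || true
}

echo "== trust store without the issuing root (a host missing ca_root_nss)"
verify_chain "$WORK/other.pem"   # error 20 at 1 depth lookup: unable to get local issuer certificate
echo "== trust store containing the root (what installing ca_root_nss supplies)"
verify_chain "$WORK/root.pem"    # prints "<path>/srv.pem: OK"
```

The same `openssl verify -CAfile ... -untrusted ...` form can be run against a certificate chain saved from `openssl s_client -showcerts` to check a host's trust store without touching the network again.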
