Bug #10729

Certificate verification failed for pkg.freebsd.org

Added by Viktor Gurov 29 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Package System
Target version: -
Start date: 07/05/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.5-p1
Affected Architecture: SG-1100

Description

https://forum.netgate.com/topic/155037/pkg-add-authentication-error-connecting-to-pkg-freebsd-org-let-s-encrypt-cert:
I'm attempting to install some additional packages on SG-1100 but when I'm trying to use the pkg add command,
I'm getting an "Authentication error" returned due to what looks like a certificate verification issue:

[2.4.5-RELEASE][admin@pfsense]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz: Authentication error

No such issue on SG-3100:

[2.4.5-RELEASE][root@sg3100.home.int]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
Fetching snappy-1.1.6.txz: 100%   58 KiB  59.8kB/s    00:01    
Installing snappy-1.1.6...
pkg: wrong architecture: FreeBSD:11:aarch64 instead of FreeBSD:11:armv6
Extracting snappy-1.1.6: 100%

Both appliances have the same ca_root_nss-3.51.

OpenSSL s_client output:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pkg.freebsd.org
verify return:1
---
Certificate chain
 0 s:/CN=pkg.freebsd.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=pkg.freebsd.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3567 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3F3AF9F43A0A22D4BE70C62C56907D9BC0D7B506543787F1690A59D258269235
    Session-ID-ctx: 
    Master-Key: 6FABF4232FE6E122C07ED8B1E49D8A466077DD4237E9BFFEDBF740B2204058A2FA05BD163057B02441F99A510B58AB7C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1593929396
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
