With ca_root_nss version 3.54 the do-install-ETCSYMLINK-on target changed from:

${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

to

${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

which creates the following symlink in /usr/local/etc/ssl now:

cert.pem@ -> ../../usr/local/share/certs/ca-root-nss.crt

which obviously doesn't exist. The ../.. in front should be removed.
(In reply to Jonas Palm from comment #0)

Sorry, not the update to 3.54 but the update after (revision 542936) caused this.
(In reply to Jonas Palm from comment #0)

> creates ... symlink ... which obviously doesn't exist.

I can't reproduce in 12.1 amd64 jail: all symlinks are valid as of 3.55.

$ pkg install ca_root_nss
$ head -2 /usr/local/etc/ssl/cert.pem.sample
##
## ca-root-nss.crt -- Bundle of CA Root Certificates
$ head -2 /usr/local/openssl/cert.pem.sample
##
## ca-root-nss.crt -- Bundle of CA Root Certificates
$ head -2 /etc/ssl/cert.pem
##
## ca-root-nss.crt -- Bundle of CA Root Certificates
Yes, sorry. My assertion about the update was wrong. I somehow saw another ${PREFIX} in the link's target. My problem still exists though. If I install the most recent version of ca_root_nss the link's target of /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

I can reproduce the following on multiple servers:

$ ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem
$ head -2 /usr/local/etc/ssl/cert.pem
##
## ca-root-nss.crt -- Bundle of CA Root Certificates
$ pkg install -f ca_root_nss
Updating jail repository catalogue...
jail repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
	ca_root_nss-3.55

Number of packages to be reinstalled: 1

Proceed with this action? [Y/n]:
[myserver] [1/1] Reinstalling ca_root_nss-3.55...
[myserver] [1/1] Extracting ca_root_nss-3.55: 100%
cp: /usr/local/etc/ssl/cert.pem: No such file or directory
$ ls -l /usr/local/etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  43 28 Juli  15:11 /usr/local/etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt
$ head -2 /usr/local/etc/ssl/cert.pem
head: /usr/local/etc/ssl/cert.pem: No such file or directory
(In reply to Jonas Palm from comment #3)

> If I install the most recent version of ca_root_nss the link's target of
> /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

Likely caused by ports r542936 which landed after 3.54 but before the 3.55 update. A fix may be to convert ${LN} -sf ../../ to ${RLN}.
# ls -la /etc/local/ssl/cert.pem
ls: /etc/local/ssl/cert.pem: No such file or directory
# ls -la /usr/local/openssl/cert.pem
-rw-r--r--  1 root  wheel  785744 Aug 10 12:22 /usr/local/openssl/cert.pem

on a fresh build, so yes, the file is missing on 3.55. I did not deep dive into why.
Same problem here:

rm /usr/local/etc/ssl/*
make -C /usr/ports/security/ca_root_nss clean deinstall install
cat /usr/local/etc/ssl/cert.pem
##
## ca-root-nss.crt -- Bundle

With strange perm: -rwxr-xr-x /usr/local/etc/ssl/cert.pem

fetch https://github.com
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://github.com: Authentication error

Is it a problem with pkg and the sample file (running pkg 1.15.8)?

Strangely the official binary package doesn't have the problem:

rm /usr/local/etc/ssl/*
pkg install -fy security/ca_root_nss
cat /usr/local/etc/ssl/cert.pem
snip, lots of stuff

with correct perm: -rw-r--r--

fetch https://github.com
fetch: https://github.com: size of remote file is not known
Created attachment 218514
v1

Seems to be ok if the sample is not a symlink.
(In reply to Mikael Urankar from comment #7)

The patch is not needed, it's caused by r550860 (Keywords/sample.ucl)

r550860 | manu | 2020-10-01 20:32:29 +0200 (Thu, 01 Oct 2020) | 8 lines

Lua version of the @sample

The bonus of this version being:
sandboxed
Natively rootdir compliant.

Reviewed by:	portmgr (bapt@, mat@)
Differential Revision:	https://reviews.freebsd.org/D23617

cc'ing manu
A commit references this bug:

Author: manu
Date: Sun Oct  4 14:14:51 UTC 2020
New revision: 551416
URL: https://svnweb.freebsd.org/changeset/ports/551416

Log:
  ports-mgmt/pkg: Update to 1.15.9

  Changes from 1.15.8 to 1.15.9:
  - lua_pkg_copy when copying a symlink

  PR:		248314
  Approved by:	bapt (implicit)

Changes:
  head/ports-mgmt/pkg/Makefile
  head/ports-mgmt/pkg/distinfo
A commit references this bug:

Author: bapt
Date: Mon Oct 12 06:51:55 UTC 2020
New revision: 552099
URL: https://svnweb.freebsd.org/changeset/ports/552099

Log:
  MFH: r551167 r551211 r551416 r552059

  ports-mgmt/pkg: Update to 1.15.7

  Changes from 1.15.6 to 1.15.7:
  - Fix %# expand in script

  Approved by:	bapt (implicit)

  Update to 1.15.8

  Fixes a typo which results in pkg ignoring some lua script in some
  particular circumstances: shell script also available in certain types

  ports-mgmt/pkg: Update to 1.15.9

  Changes from 1.15.8 to 1.15.9:
  - lua_pkg_copy when copying a symlink

  PR:		248314
  Approved by:	bapt (implicit)

  ports-mgmt/pkg: Update to 1.15.10

  Add a workaround for https://bugs.freebsd.org/250271

  PR:		250059
  Approved by:	bapt (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/ports-mgmt/pkg/Makefile
  branches/2020Q4/ports-mgmt/pkg/distinfo
Could anyone with a deeper understanding of the responsible port mechanics please have another look into this? At the moment I have to fix all my jails manually after each ca_root_nss update (which happens quite often) or the jails won't be able to use TLS.
Triage: This issue appears to have been resolved via commits (comment 9 and comment 10) but not closed. However there was a followup after in comment 11 (by Reporter). Assign to last committer accordingly and close.

@Reporter (Jonas) If there remain any outstanding issues with respect to your report as originally provided on supported FreeBSD versions and up to date ports/package trees, please re-open the issue with additional detail. Apologies for the lack of an earlier response.
(In reply to Kubilay Kocak from comment #12)

Issue was never fixed. Easiest way to reproduce the issue is to symlink the /etc/ssl directory elsewhere:

# mkdir -p /test/conf
# mv /etc/ssl /test/conf/
# ln -s /test/conf/ssl /etc/ssl

Install the port after those changes and try to cat /etc/ssl/cert.pem - the bug will present itself.

The core issue is the port incorrectly assumes that the real ssl directory always lives 2 deep from root. The Makefile tries to use relative paths to create symlinks, pointing them to non-existent locations. The Makefile should be using absolute paths to reference its own files. This also affects all symlinks created by this port, not just /etc/ssl/cert.pem.
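The following script is an added illustration of the relocation scenario from the comment above; it is not part of the bug report and not code from the ca_root_nss port. It builds a throwaway tree under a temporary directory (a constructed fake root, so the real /etc is never touched), creates one symlink in the port's "../.." relative style and one with an absolute target, then moves etc/ssl behind a symlink exactly as the comment's three commands do and checks which link still resolves. The function names (setup_tree, link_relative, link_absolute, link_resolves, relocate_ssl_dir, demo) and the cert.pem.rel / cert.pem.abs file names are assumptions made for this example.

```shell
#!/bin/sh
# Added demonstration, not code from the bug report or from the ca_root_nss port.
# All paths are built beneath the constructed fake root passed as $1.

# Fake prefix layout: <root>/usr/local/share/certs/ca-root-nss.crt (the bundle)
# and <root>/etc/ssl (the directory cert.pem is linked from).
setup_tree() {
    mkdir -p "$1/usr/local/share/certs" "$1/etc/ssl"
    printf '##\n## ca-root-nss.crt -- constructed sample bundle\n' \
        > "$1/usr/local/share/certs/ca-root-nss.crt"
}

# Relative link in the style of the port's "${LN} -sf ../..${PREFIX}/...":
# "../.." only reaches the root if etc/ssl really sits two levels below it.
link_relative() {
    ln -sf ../../usr/local/share/certs/ca-root-nss.crt "$1/etc/ssl/cert.pem.rel"
}

# Absolute link to the same bundle, the form the comment above recommends.
link_absolute() {
    ln -sf "$1/usr/local/share/certs/ca-root-nss.crt" "$1/etc/ssl/cert.pem.abs"
}

# Exit status 0 when the symlink's final target exists, 1 when it dangles
# (test -e follows symlinks, so a dangling link fails the test).
link_resolves() {
    [ -e "$1" ]
}

# The comment's recipe: move the ssl directory and leave a symlink behind.
# A relative link target is resolved against the directory that physically
# holds the link, so "../.." now starts from <root>/test/conf/ssl.
relocate_ssl_dir() {
    mkdir -p "$1/test/conf"
    mv "$1/etc/ssl" "$1/test/conf/"
    ln -s "$1/test/conf/ssl" "$1/etc/ssl"
}

# Full walk-through on a fresh temporary root; prints one line per check.
demo() {
    root=$(mktemp -d)
    setup_tree "$root"
    link_relative "$root"
    link_absolute "$root"
    for l in cert.pem.rel cert.pem.abs; do
        if link_resolves "$root/etc/ssl/$l"; then
            echo "before relocation: $l resolves"
        else
            echo "before relocation: $l dangles"
        fi
    done
    relocate_ssl_dir "$root"
    for l in cert.pem.rel cert.pem.abs; do
        if link_resolves "$root/etc/ssl/$l"; then
            echo "after relocation:  $l resolves"
        else
            echo "after relocation:  $l dangles"
        fi
    done
    rm -rf "$root"
}

demo
```

Run it with plain sh; the relative link reports "resolves" before the move and "dangles" after it, while the absolute link resolves both times. The same one-line check, `[ -e /etc/ssl/cert.pem ]` (or `readlink -f` on each link the port installs), is a cheap post-install test for a jail whose TLS clients suddenly fail certificate verification.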
I will take a look.
Currently, /usr/local/openssl/cert.pem is placed by security/ca_root_nss, but isn't it better to do this with security/openssl? The openssl from security/openssl tries to use the cert in the directory reported by "/usr/local/bin/openssl version -d". So I think security/openssl should have a RUN_DEPENDS=ca_root_nss line. It would also mean that security/openssl could switch to using the base root certs instead of ca_root_nss.

There was also the following topic:
https://lists.freebsd.org/archives/freebsd-ports/2023-January/003277.html
I think this is the same bug in a different guise. I had ca_root_nss 3.91 installed up to this morning and just now built and installed 3.93. Things looked fine until deinstalling 3.91, and this happened:

[1/1] Deinstalling ca_root_nss-3.91...
[1/1] Deleting files for ca_root_nss-3.91:  11%
ca_root_nss-3.91: missing file /usr/local/etc/ssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.91:  33%
ca_root_nss-3.91: missing file /usr/local/openssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.91: 100%

Is this the problem reported here? Can I ignore this for now? I'm using base openssl from 13.2-RELEASE-p3.