Bug 222109

Summary: sysutils/vm-bhyve: should depend on security/ca_root_nss
Product: Ports & Packages
Reporter: Alan Somers <asomers>
Component: Individual Port(s)
Assignee: Alan Somers <asomers>
Status: Closed FIXED
Severity: Affects Many People
CC: churchers, ports-secteam
Priority: ---
Flags: asomers: maintainer-feedback? (churchers)
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Add ca_root_nss as a RUN_DEPENDS for vm-bhyve (flags: asomers: maintainer-approval?)

Description Alan Somers freebsd_committer freebsd_triage 2017-09-06 19:00:29 UTC
"vm iso" uses fetch(1) to download iso files.  A major source of iso files is download.freebsd.org.  If no other source of certificates has been installed, fetch will use OpenSSL's default CA cert and path settings, but those don't recognize the Let's Encrypt certificate used by download.freebsd.org.  The result is an error like this one:

$ sudo vm iso https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
34374362520:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso: Authentication error

Installing security/ca_root_nss provides an alternative bundle of root certificates, which do trust download.freebsd.org.  Since download.freebsd.org is so critically important to most vm-bhyve users, security/ca_root_nss should be a RUN_DEPENDS.
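The failure the report describes is a trust-store problem, not a broken certificate: the server chain is fine, the client simply has no bundle that contains the issuing root. The following shell script is an added illustration, not part of the bug report, vm-bhyve or the ports tree. It reproduces the failure mode offline with a constructed throwaway CA and leaf certificate (the CN iso-mirror.example is a placeholder, not the real download.freebsd.org certificate), then verifies the same leaf once against a bundle that contains its issuer and once against an empty store standing in for a default store that lacks the issuer. It assumes only that openssl(1) and mktemp(1) are on the path.

```shell
#!/bin/sh
# Added example: reproduces the "certificate verify failed" trust-store
# failure offline with constructed test certificates. Not code from the
# bug report, vm-bhyve, or security/ca_root_nss.
set -eu

# Build a throwaway CA and a leaf certificate signed by it. All of this is
# constructed test data written into the directory given as $1.
make_test_chain() {
    chain_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$chain_dir/ca.key" -out "$chain_dir/ca.crt" \
        -subj "/O=Example Test CA/CN=Example Root" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$chain_dir/leaf.key" -out "$chain_dir/leaf.csr" \
        -subj "/CN=iso-mirror.example" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$chain_dir/leaf.csr" \
        -CA "$chain_dir/ca.crt" -CAkey "$chain_dir/ca.key" -CAcreateserial \
        -out "$chain_dir/leaf.crt" >/dev/null 2>&1
}

# Verify leaf $1 against bundle $2 and nothing else. This is the situation
# once a bundle that knows the issuer (e.g. the ca_root_nss one) is in
# place. Exits 0 when the chain verifies.
verify_with_bundle() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Verify leaf $1 against an empty trust store (no default file, no default
# directory). This stands in for a default store that does not contain the
# issuing root, which is what the report describes. Exits non-zero.
verify_default_store_only() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Run both checks on a fresh chain and report the outcome.
demo() {
    demo_dir=$(mktemp -d)
    make_test_chain "$demo_dir"
    if verify_with_bundle "$demo_dir/leaf.crt" "$demo_dir/ca.crt"; then
        echo "with a bundle containing the issuer: OK"
    fi
    if ! verify_default_store_only "$demo_dir/leaf.crt"; then
        echo "without the issuer in the store: certificate verify failed"
    fi
    rm -rf "$demo_dir"
}

demo
```

The two verify calls differ only in which roots are loaded, which is exactly the difference between a system with and without security/ca_root_nss. On FreeBSD the bundle the port installs lives at /usr/local/share/certs/ca-root-nss.crt by default, and fetch(3) documents SSL_CA_CERT_FILE as the environment variable for pointing fetch(1) at an explicit CA file, so a one-off `SSL_CA_CERT_FILE=/usr/local/share/certs/ca-root-nss.crt fetch ...` is a quick way to confirm that a given failure is the trust-store problem rather than something else.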
Comment 1 Alan Somers freebsd_committer freebsd_triage 2017-09-06 19:05:28 UTC
Created attachment 186124 [details]
Add ca_root_nss as a RUN_DEPENDS for vm-bhyve
Comment 2 Alan Somers freebsd_committer freebsd_triage 2017-09-15 17:15:09 UTC
Churchers, do you agree with adding this dependency?
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-01-30 16:21:14 UTC
A commit references this bug:

Author: asomers
Date: Tue Jan 30 16:20:41 UTC 2018
New revision: 460414
URL: https://svnweb.freebsd.org/changeset/ports/460414

Log:
  sysutils/vm-bhyve: add security/ca_root_nss as a RUN_DEPENDS

  "vm iso" uses fetch(1) to download iso files.  A major source of iso files
  is download.freebsd.org.  If no other source of certificates has been
  installed, fetch will use OpenSSL's default CA cert and path settings, but
  those don't recognize the Let's Encrypt certificate used by
  download.freebsd.org.

  Installing security/ca_root_nss provides an alternative bundle of root
  certificates, which do trust download.freebsd.org.  Since
  download.freebsd.org is so critically important to most vm-bhyve users,
  security/ca_root_nss should be a RUN_DEPENDS.

  PR:		222109
  Approved by:	churchers@gmail.com (maintainer timeout)
  Sponsored by:	Spectra Logic Corp

Changes:
  head/sysutils/vm-bhyve/Makefile