Summary: [patch] Certificate validation error in ntpd leap file / ietf.org chain
Product: Base System
Reporter: Jeff Schmidt <jas>
Component: conf
Assignee: freebsd-bugs mailing list <bugs>
Severity: Affects Many People
CC: jdc, pi, rc
Description Jeff Schmidt 2018-05-30 23:19:14 UTC
$ uname -a
FreeBSD 11.2-BETA3 FreeBSD 11.2-BETA3 #0 r334196: Fri May 25 05:07:41 UTC 2018 firstname.lastname@example.org:/usr/obj/usr/src/sys/GENERIC i386

$ service ntpd onefetch
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
673056224:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error

$ fetch https://www.ietf.org/timezones/data/leap-seconds.list
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
673056224:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error
Comment 1 Jeff Schmidt 2018-05-31 19:41:56 UTC
I believe this is a result of no CA root store being installed by default. Which I'm sure was a hotly debated topic and has been decided upon for noble reasons. However, that decision causes ntpd, which *is* installed by default, to not grab the leap file because ietf.org is https.

The easy fix is to change the script to:

fetch --no-verify-peer https://www.ietf.org/timezones/data/leap-seconds.list

Not the most elegant, but the only option if root certs will not be available for a default package.
Comment 2 Jeff Schmidt 2018-05-31 20:01:31 UTC
Suggest this patch: $ diff -u rc.conf.orig rc.conf --- rc.conf.orig 2018-05-31 19:56:39.243329000 +0000 +++ rc.conf 2018-05-31 19:57:39.598165000 +0000 @@ -4,5 +4,7 @@ ifconfig_re0="DHCP" sshd_enable="YES" ntpd_enable="YES" +# Allow default ntpd install to download leap file over SSL with no root cas installed +ntp_leapfile_fetch_opts="--no-verify-peer" # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable dumpdev="AUTO"
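Review bot: the added line ntp_leapfile_fetch_opts="--no-verify-peer" turns off certificate verification for the leap-file download altogether, so the leap-seconds list that ntpd later loads is accepted from whatever answers for www.ietf.org on the network path; that trades the reported failure for an unauthenticated download on every fetch. Where a CA bundle is present (Comment 3 below notes that ca_root_nss provides /usr/local/etc/ssl/cert.pem), the same variable can carry --ca-cert=/usr/local/etc/ssl/cert.pem instead, which keeps verification on, and --no-verify-peer is then only a last resort to be documented as such in the comment above the line. Separately, the hunk is a diff of one host's own /etc/rc.conf and carries unrelated local settings (ifconfig_re0, sshd_enable, dumpdev) as context; a change meant for the base system would be submitted against the rc script or the defaults file rather than a per-host rc.conf.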
Comment 3 Jeremy Chadwick 2018-08-29 18:24:33 UTC
I haven't seen this error myself and I bet many users haven't as well. My theory is that this is because we happen to have ca_root_nss installed via pkg (a.k.a. security/ca_root_nss in ports). This is a common dependency in many different packages.

ca_root_nss package is responsible for creating /usr/local/etc/ssl/cert.pem, which base system OpenSSL (libssl.so.8) reads/honours. You can verify this with truss.

pkg info -l ca_root_nss will not show this file in its packaging list because of how ca_root_nss works. Some part of the pkg/port creates a hard link of /usr/local/etc/ssl/cert.pem --> /usr/local/share/certs/ca-root-nss.crt, of which the latter *is* in the package list. The pkg-message says it uses a symlink but this is false; see PR 228550 for details.

This is really part of a bigger problem that is the whole "base system" concept, but I don't want to get off-topic.

The --no-verify-peer kludge should be acceptable, though I would strongly suggest asking secteam@ first.
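The thread's two positions (Comment 1: disable verification; Comment 3: a CA bundle such as the ca_root_nss cert.pem makes verification work) can be reconciled in a small wrapper that keeps verification on whenever a bundle exists and refuses to download unauthenticated when none does. The script below is an added example, not code from the reporter or from FreeBSD's rc scripts. It assumes fetch(1)'s --ca-cert option, that /usr/local/etc/ssl/cert.pem is the file ca_root_nss creates (as Comment 3 states), and the other bundle path and the ntpd leap-file destination are assumed values; the LEAP_CA_CANDIDATES, leap_fetch_opts and fetch_leapfile names are the example's own.

```shell
#!/bin/sh
# Added example (not from the PR or from FreeBSD's rc.d/ntpd): choose fetch(1)
# TLS options for the ntpd leap-file download without disabling peer
# verification.

# Candidate CA bundles, in order of preference. /usr/local/etc/ssl/cert.pem is
# the file ca_root_nss creates (Comment 3); /etc/ssl/cert.pem is an assumed
# alternative location. Overridable from the environment for testing.
LEAP_CA_CANDIDATES="${LEAP_CA_CANDIDATES:-/usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem}"

# Print the fetch(1) option that points verification at the first usable
# bundle. Returns 1 and prints nothing when no bundle is found, so a caller
# cannot silently drift into --no-verify-peer.
leap_fetch_opts() {
    for f in $LEAP_CA_CANDIDATES; do
        # A readable file that actually contains PEM certificates.
        if [ -r "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f"; then
            printf -- '--ca-cert=%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Download the leap file to a temporary name and only replace the existing
# file after a verified, successful fetch. Destination path is assumed.
fetch_leapfile() {
    url=${1:-https://www.ietf.org/timezones/data/leap-seconds.list}
    dst=${2:-/var/db/ntpd.leap-seconds.list}
    opts=$(leap_fetch_opts) || {
        echo "fetch_leapfile: no CA bundle found; refusing to fetch $url unauthenticated" >&2
        return 1
    }
    fetch $opts -o "$dst.tmp" "$url" && mv "$dst.tmp" "$dst"
}
```

With ca_root_nss installed, leap_fetch_opts prints --ca-cert=/usr/local/etc/ssl/cert.pem, and the same string can be placed in the ntp_leapfile_fetch_opts variable from Comment 2 instead of --no-verify-peer; without a bundle the wrapper fails loudly rather than fetching an unverified file.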