Bug 221538 - ftp/linux-c7-curl: curl: (77) Problem with the SSL CA cert (path? access rights?)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-emulation (Nobody)
Reported: 2017-08-15 06:44 UTC by David Naylor
Modified: 2018-12-11 07:29 UTC (History)
bugzilla: maintainer-feedback? (emulation)


Attachments
linux-c7-ca-certificates (and dependencies): 0.1.0 (4.95 KB, text/plain)
2017-08-17 06:19 UTC, David Naylor

Description David Naylor freebsd_committer freebsd_triage 2017-08-15 06:44:11 UTC
A default installation of the linux version of curl:

# make -C /usr/ports/ftp/linux-c7-curl install
or
# make pkg install linux-c6-curl
is not able to validate certificates:

# /compat/linux/usr/bin/curl -Iv https://www.google.com
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.223.4...
* Connected to www.google.com (216.58.223.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)

while the FreeBSD version is capable of validating certificates.  

This impacts me as I am trying to port the CentOS 7 version of .NET Core, which uses libcurl, and it is unable to fetch packages due to unvalidated certificates.
Comment 1 Tijl Coosemans freebsd_committer freebsd_triage 2017-08-15 14:32:31 UTC
Try creating the following symbolic links:

ln -s nss/libnssckbi.so /compat/linux/usr/lib/
ln -s nss/libnssckbi.so /compat/linux/usr/lib64/
Comment 2 Tijl Coosemans freebsd_committer freebsd_triage 2017-08-15 16:57:06 UTC
Hmm, those don't seem to do anything, but this one works for me with security/ca_root_nss installed:

ln -s /usr/local/share/certs/ca-root-nss.crt /compat/linux/etc/pki/tls/certs/ca-bundle.crt
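
A check for the state the symlink in Comment 2 repairs, as an added example that is not part of the original thread: it inspects the CA bundle path under the Linux compat root and tells apart a missing file, a dangling symlink (for example when security/ca_root_nss is not installed), an unreadable file, and a file with no PEM certificates. The function name and return codes are assumptions made for this example; the paths are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example: diagnose the CA bundle that the Linux-compat curl reads.
# check_ca_bundle and its return codes are hypothetical names chosen here.
#
# Usage: check_ca_bundle /compat/linux
#   0  bundle present, readable, contains at least one PEM certificate
#   1  bundle path does not exist
#   2  bundle is a symlink whose target is missing
#   3  bundle exists but is not readable by the current user
#   4  bundle is readable but holds no PEM certificate
check_ca_bundle() {
    root=${1:-/compat/linux}
    bundle="$root/etc/pki/tls/certs/ca-bundle.crt"

    # A dangling symlink must be tested first: -e follows the link and
    # would otherwise report it as simply "missing".
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        echo "dangling symlink: $bundle -> $(readlink "$bundle")"
        return 2
    fi
    if [ ! -e "$bundle" ]; then
        echo "missing: $bundle"
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "not readable: $bundle"
        return 3
    fi
    # grep -c exits non-zero on zero matches but still prints the count.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "no PEM certificates in: $bundle"
        return 4
    fi
    echo "ok: $bundle ($count certificates)"
    return 0
}
```
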
Comment 3 David Naylor freebsd_committer freebsd_triage 2017-08-17 06:19:17 UTC
The symlink works for me.  I see the CentOS way of fixing this is to install ca-certificates (and dependencies), and to run update-ca-trust.  

I've got c7 ports of the ca-certificates and p11-kit-trust rpms (see attached, WIP).
Comment 4 David Naylor freebsd_committer freebsd_triage 2017-08-17 06:19:56 UTC
Created attachment 185513
linux-c7-ca-certificates (and dependencies): 0.1.0
Comment 5 David Naylor freebsd_committer freebsd_triage 2018-01-10 18:56:43 UTC
With the update to CentOS 7 we now have a new problem:
curl -v https://api.nuget.org/v3/index.json
* About to connect() to api.nuget.org port 443 (#0)
*   Trying 93.184.221.200...
* Connected to api.nuget.org (93.184.221.200) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)

I've got a patch for this issue which I will post to Phabricator tomorrow(tm).  

Regarding the underlying issue of SSL CA certificates not being installed for linux-curl, how should we solve this?  I think using ca-certificates is a duplicate of ca_root_nss and that we should either a) do nothing, or b) add a pkg-message to nss(?) indicating the step required to get certificates to work?
Comment 6 David Naylor freebsd_committer freebsd_triage 2018-01-11 18:48:03 UTC
Please see https://reviews.freebsd.org/D13869 for the review.  Specifically the changes to security/linux-*-nss (and security/vuxml).