Bug 222109 - sysutils/vm-bhyve: should depend on security/ca_root_nss
Summary: sysutils/vm-bhyve: should depend on security/ca_root_nss
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Alan Somers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-06 19:00 UTC by Alan Somers
Modified: 2018-01-30 16:23 UTC (History)
2 users (show)

See Also:
asomers: maintainer-feedback? (churchers)


Attachments
Add ca_root_nss as a RUN_DEPENDS for vm-bhyve (545 bytes, patch)
2017-09-06 19:05 UTC, Alan Somers
asomers: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alan Somers freebsd_committer 2017-09-06 19:00:29 UTC
"vm iso" uses fetch(1) to download iso files.  A major source of iso files is download.freebsd.org.  If no other source of certificates has been installed, fetch will use OpenSSL's default CA cert and path settings, but those don't recognize the Let's Encrypt certificate used by download.freebsd.org.  The result is an error like this one:

$ sudo vm iso https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
34374362520:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso: Authentication error

Installing security/ca_root_nss provides an alternative bundle of root certificates, which do trust download.freebsd.org.  Since download.freebsd.org is so critically important to most vm-bhyve users, security/ca_root_nss should be a RUN_DEPENDS.
Comment 1 Alan Somers freebsd_committer 2017-09-06 19:05:28 UTC
Created attachment 186124 [details]
Add ca_root_nss as a RUN_DEPENDS for vm-bhyve
Comment 2 Alan Somers freebsd_committer 2017-09-15 17:15:09 UTC
Churchers, do you agree with adding this dependency?
Comment 3 commit-hook freebsd_committer 2018-01-30 16:21:14 UTC
A commit references this bug:

Author: asomers
Date: Tue Jan 30 16:20:41 UTC 2018
New revision: 460414
URL: https://svnweb.freebsd.org/changeset/ports/460414

Log:
  sysutils/vm-bhyve: add security/ca_root_nss as a RUN_DEPENDS

  "vm iso" uses fetch(1) to download iso files.  A major source of iso files
  is download.freebsd.org.  If no other source of certificates has been
  installed, fetch will use OpenSSL's default CA cert and path settings, but
  those don't recognize the Let's Encrypt certificate used by
  download.freebsd.org.

  Installing security/ca_root_nss provides an alternative bundle of root
  certificates, which do trust download.freebsd.org.  Since
  download.freebsd.org is so critically important to most vm-bhyve users,
  security/ca_root_nss should be a RUN_DEPENDS.

  PR:		222109
  Approved by:	churchers@gmail.com (maintainer timeout)
  Sponsored by:	Spectra Logic Corp

Changes:
  head/sysutils/vm-bhyve/Makefile