Bug 228621 - [patch] Certificate validation error in ntpd leap file / ietf.org chain
Summary: [patch] Certificate validation error in ntpd leap file / ietf.org chain
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2018-05-30 23:19 UTC by Jeff Schmidt
Modified: 2018-10-12 10:20 UTC
Description Jeff Schmidt 2018-05-30 23:19:14 UTC
$ uname -a
FreeBSD  11.2-BETA3 FreeBSD 11.2-BETA3 #0 r334196: Fri May 25 05:07:41 UTC 2018     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386

$ service ntpd onefetch
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
673056224:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error

$ fetch https://www.ietf.org/timezones/data/leap-seconds.list
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
673056224:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error
Comment 1 Jeff Schmidt 2018-05-31 19:41:56 UTC
I believe this is a result of no CA root store being installed by default, which I'm sure was a hotly debated topic and has been decided upon for noble reasons.

However, that decision causes ntpd, which *is* installed by default, to not grab the leap file because ietf.org is https.

The easy fix is to change the script to:
fetch --no-verify-peer https://www.ietf.org/timezones/data/leap-seconds.list

Not the most elegant, but the only option if root certs will not be available for a default package.
Comment 2 Jeff Schmidt 2018-05-31 20:01:31 UTC
Suggest this patch:
$ diff -u rc.conf.orig rc.conf
--- rc.conf.orig	2018-05-31 19:56:39.243329000 +0000
+++ rc.conf	2018-05-31 19:57:39.598165000 +0000
@@ -4,5 +4,7 @@
 ifconfig_re0="DHCP"
 sshd_enable="YES"
 ntpd_enable="YES"
+# Allow default ntpd install to download leap file over SSL with no root cas installed
+ntp_leapfile_fetch_opts="--no-verify-peer"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="AUTO"
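Review bot: `ntp_leapfile_fetch_opts="--no-verify-peer"` in this hunk removes certificate validation from the leap-seconds download altogether, so fetch will accept any certificate presented for www.ietf.org and the file's origin is no longer checked; the error in the description is caused by the absence of a trust store, and installing one (Comment 3 names the ca_root_nss package, which provides /usr/local/etc/ssl/cert.pem for the base OpenSSL) makes the same fetch succeed with verification left on. Two smaller points: the surrounding context lines (`ifconfig_re0="DHCP"`, `sshd_enable="YES"`) show this is a diff against one host's own rc.conf, so it documents a local workaround rather than a change to the default install the summary describes as affected; and the comment line should read "no root CAs installed".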
Comment 3 Jeremy Chadwick 2018-08-29 18:24:33 UTC
I haven't seen this error myself and I bet many users haven't either.  My theory is that this is because we happen to have ca_root_nss installed via pkg (a.k.a. security/ca_root_nss in ports). This is a common dependency in many different packages.

The ca_root_nss package is responsible for creating /usr/local/etc/ssl/cert.pem, which base system OpenSSL (libssl.so.8) reads/honours.  You can verify this with truss.

pkg info -l ca_root_nss will not show this file in its packaging list because of how ca_root_nss works.  Some part of the pkg/port creates a hard link of /usr/local/etc/ssl/cert.pem --> /usr/local/share/certs/ca-root-nss.crt, of which the latter *is* in the package list.  The pkg-message says it uses a symlink but this is false; see PR 228550 for details.

This is really part of a bigger problem that is the whole "base system" concept, but I don't want to get off-topic.  The --no-verify-peer kludge should be acceptable, though I would strongly suggest asking secteam@ first.
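Comment 3's description of how the trust store appears on disk can be checked on a host before anyone reaches for the --no-verify-peer workaround. The script below is an added example and is not part of the bug report or of FreeBSD's rc scripts: it classifies how the CA bundle path is provided (hard link to the ca_root_nss file, symlink, separate copy, or missing) using test's -ef operator, which compares device and inode, and counts the PEM certificates in the bundle as a sanity check that it is a usable trust store. The default paths are the two named in Comment 3; the function names, the output labels and the constructed sample files in demo() are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the bug report): report how a CA bundle path is
# provided. Default paths are the ones Comment 3 names; everything else here
# (function names, labels, sample files) is constructed for the example.

# Usage: ca_bundle_state BUNDLE SOURCE
# Prints one of: symlink | missing | hardlink | separate
# Returns 1 only when BUNDLE does not exist.
ca_bundle_state() {
    bundle="${1:-/usr/local/etc/ssl/cert.pem}"
    source="${2:-/usr/local/share/certs/ca-root-nss.crt}"

    # Check for a symlink first: test -ef follows symlinks and would
    # otherwise report a symlink to SOURCE as the same file.
    if [ -L "$bundle" ]; then
        echo symlink
        return 0
    fi
    if [ ! -f "$bundle" ]; then
        echo missing
        return 1
    fi
    # -ef is true when both names resolve to the same device and inode, i.e.
    # a hard link (assumption: sh is bash, dash or FreeBSD sh, which all support it).
    if [ "$bundle" -ef "$source" ]; then
        echo hardlink
    else
        echo separate
    fi
}

# Usage: ca_bundle_count BUNDLE
# Prints the number of PEM certificate blocks in BUNDLE (0 if absent or empty).
ca_bundle_count() {
    f="${1:-/usr/local/etc/ssl/cert.pem}"
    if [ -f "$f" ]; then
        # grep -c exits 1 when the count is 0; the count is still printed.
        grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true
    else
        echo 0
    fi
}

# Demonstration on constructed files in a temporary directory, so the example
# runs on any host without reading or touching /usr/local.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(constructed placeholder)' \
        '-----END CERTIFICATE-----' > "$d/ca-root-nss.crt"
    ln "$d/ca-root-nss.crt" "$d/cert.pem"          # what Comment 3 describes
    ln -s "$d/ca-root-nss.crt" "$d/cert-link.pem"  # what the pkg-message claims
    cp "$d/ca-root-nss.crt" "$d/cert-copy.pem"

    printf 'cert.pem:      %s\n' "$(ca_bundle_state "$d/cert.pem" "$d/ca-root-nss.crt")"
    printf 'cert-link.pem: %s\n' "$(ca_bundle_state "$d/cert-link.pem" "$d/ca-root-nss.crt")"
    printf 'cert-copy.pem: %s\n' "$(ca_bundle_state "$d/cert-copy.pem" "$d/ca-root-nss.crt")"
    printf 'absent.pem:    %s\n' "$(ca_bundle_state "$d/absent.pem" "$d/ca-root-nss.crt" || true)"
    printf 'certificates:  %s\n' "$(ca_bundle_count "$d/cert.pem")"
    rm -rf "$d"
}

demo
```

Run with no arguments on a FreeBSD host to see the real state of /usr/local/etc/ssl/cert.pem; a result of `missing` matches the failure in the description, and `hardlink` matches Comment 3 (and explains why `pkg info -l` does not list the file).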