Bug 230017 - service ntpd onefetch failure: certificate verify failed
Status: Closed DUPLICATE of bug 213448
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 11.2-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2018-07-24 15:52 UTC by Jason Mader
Modified: 2019-09-19 02:23 UTC

Description Jason Mader 2018-07-24 15:52:20 UTC
# service ntpd onefetch
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
34374371912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error

and the included leap-seconds file, /etc/ntp/leap-seconds, is out of date: #@	3723408000
File expires on:  28 December 2017

The current is: #@	3754944000
File expires on:  28 December 2018
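
Added example, not part of the original report or of FreeBSD's own scripts: the "#@" line holds the file's expiry as seconds since the NTP epoch (1900-01-01), so staleness can be checked locally without any HTTPS fetch. The function names and the two sample strings are constructed for illustration; only the "#@" values and the default path come from the report.

```python
import sys
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Constructed inputs: only the "#@" values are taken from the report above.
SHIPPED = "#\tconstructed sample, shipped file\n#@\t3723408000\n"
CURRENT = "#\tconstructed sample, current file\n#@\t3754944000\n"


def leap_file_expiry(text):
    """Return the expiry time on the '#@' line as UTC, or None if absent."""
    for line in text.splitlines():
        if line.startswith("#@"):
            fields = line[2:].split()
            if fields and fields[0].isascii() and fields[0].isdigit():
                return datetime.fromtimestamp(
                    int(fields[0]) - NTP_UNIX_OFFSET, tz=timezone.utc)
    return None


def leap_file_status(text, now):
    """Classify a leap-seconds file as 'valid', 'expired' or 'no-expiry-line'."""
    expiry = leap_file_expiry(text)
    if expiry is None:
        return "no-expiry-line"
    return "expired" if now >= expiry else "valid"


if __name__ == "__main__":
    # Default path is the one named in the report; pass another as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ntp/leap-seconds"
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    status = leap_file_status(text, datetime.now(timezone.utc))
    print(path, status, leap_file_expiry(text))
    sys.exit(0 if status == "valid" else 1)
```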
Comment 1 Conrad Meyer freebsd_committer 2018-07-24 16:47:19 UTC
What certificate do you see for the https://www.ietf.org site?

$ openssl s_client -connect www.ietf.org:443
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
---
SSL handshake has read 4782 bytes and written 219 bytes
Verification: OK
Comment 2 Conrad Meyer freebsd_committer 2018-07-24 16:48:50 UTC
Do you have the ca_root_nss package installed?
Comment 3 Jason Mader 2018-07-24 16:56:08 UTC
(In reply to Conrad Meyer from comment #2)

Same certificate as you,

depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate

ca_root_nss package is not installed.
Comment 4 Conrad Meyer freebsd_committer 2018-07-24 16:58:32 UTC
(In reply to Jason Mader from comment #3)
> ca_root_nss package is not installed.

Well, there's the problem.
Comment 5 Jason Mader 2018-07-24 17:00:53 UTC
(In reply to Conrad Meyer from comment #4)

Except this function is from base. It should work without a package. Also, base has an out of date leap-seconds file at the time of release.
Comment 6 Conrad Meyer freebsd_committer 2018-07-24 17:03:24 UTC
(In reply to Jason Mader from comment #5)
Ah, I'm with you there.  ca_root_nss should be in base.

(Probably duplicate of bug 213448 (or vice versa).)
Comment 7 Koichiro Iwao freebsd_committer 2019-09-19 02:23:24 UTC

*** This bug has been marked as a duplicate of bug 213448 ***