Currently `arc list` fails as follows.

----------------------------------------------------------------------
yasu@rolling-vm-freebsd2[1051]% arc list
Exception
[cURL/60] (https://reviews.freebsd.org/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.
(Run with `--trace` for a full exception trace.)
yasu@rolling-vm-freebsd2[1052]%
----------------------------------------------------------------------

Since reviews.freebsd.org uses an SSL certificate issued by Let's Encrypt, I guess it relates to the expiration of the 'DST Root CA X3' root certificate.
(In reply to Yasuhiro Kimura from comment #0)

Yes, and a workaround is putting:

curl.cainfo="/usr/local/share/certs/ca-root-nss.crt"

to /usr/local/etc/php/ext-20-curl.ini
(In reply to Li-Wen Hsu from comment #1)

Thanks. It works fine.

yasu@rolling-vm-freebsd2[1054]% cat /usr/local/etc/php/ext-20-curl.ini
extension=curl.so
curl.cainfo="/usr/local/share/certs/ca-root-nss.crt"
yasu@rolling-vm-freebsd2[1055]% arc list
  Needs review   D27494: Mk/Uses/ninja.mk: Fix build error when both 'emacs' and 'ninja' are added to USES
  Needs review   D27863: Move Mk/bsd.ruby.mk to Mk/Uses/ruby.mk.
  Needs review   D28437: fetch(3): Fix wrong usage of proxy when request is redirected to different URL
  Needs review   D28438: fetch(3); Add support of HTTPS_PROXY/https_proxy environment variables
  Needs Revision D28666: Remove unnecessary '3.[0-6]+' argument of 'USES=python' from Makefiles
* Needs review   D32175: security/clamav-lts: Repocopy from security/clamav
* Needs review   D32233: devel/git: Update to 2.33.0
yasu@rolling-vm-freebsd2[1056]%
Created attachment 228311
0001-devel-arcanist-lib-Add-a-php-config-to-use-CA-info-f.patch
And for people to understand why this issue comes up: arcanist ships its own copy of CA certs (which wasn't updated in a while) in /usr/local/lib/php/arcanist/resources/ssl/default.pem which is used by default. You can also put a custom.pem there but I have no idea what takes precedence. The code to add per-server certs was started at some point but it looked like it is never called so you cannot fix this in your local arc config to my understanding.
(In reply to Bjoern A. Zeeb from comment #4)

Oh, I was wrong to think that the bundled CA info was from php-curl. The commit message in my patch is wrong.

grembo is working on another patch to replace /usr/local/lib/php/arcanist/resources/ssl/default.pem with a link to /etc/ssl/cert.pem, which sounds like a better solution.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=21ddc093a48b642a6a0c533069ed2118d0cdd066

commit 21ddc093a48b642a6a0c533069ed2118d0cdd066
Author:     Michael Gmelin <grembo@FreeBSD.org>
AuthorDate: 2021-10-01 11:03:43 +0000
Commit:     Michael Gmelin <grembo@FreeBSD.org>
CommitDate: 2021-10-01 11:17:28 +0000

    devel/arcanist-lib: Use Mozilla root CA bundle

    This fixes problems with Let's Encrypt certificates after the R3
    Let's Encrypt intermediate CA expired.

    Arcanist uses its own certificate bundle by default (default.pem),
    overriding curl's default, unless curl.cainfo is set explicitly.
    The port now replaces this custom bundle with a symlink to Mozilla's
    root CA bundle as installed by security/ca_root_nss.

    PR:          258824
    Reported by: yasu

 devel/arcanist-lib/Makefile | 5 +++++
 1 file changed, 5 insertions(+)
(In reply to Li-Wen Hsu from comment #5)

I was torn between adding a symlink to /etc/ssl/cert.pem and /usr/local/share/certs/ca_root_nss.crt. I ended up doing the latter and also added a dependency to security/ca_root_nss, as this seems like a more stable solution.

By keeping arcanist's behavior of setting default.pem in case curl.cainfo isn't set, it's still compatible with installations that for some reason overwrite default.pem locally, even though I think the way arcanist makes use of curl's configuration (reading curl.cainfo, but ignoring defaults) is not good.
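The underlying problem in comment #4 and comment #7 is a trust store that still carries the expired 'DST Root CA X3' but not 'ISRG Root X1', so a quick way to tell a stale bundle (arcanist's default.pem) from a current one (ca-root-nss.crt) is to list the subject CN and notAfter of every certificate in the file. The script below is an added example, not code from arcanist or the FreeBSD port; it walks the DER of each PEM block with the Python standard library only, so it needs neither openssl(1) nor the cryptography package. The two bundles it audits are constructed inline with a toy DER writer (unsigned, fake certificates that merely reuse the real CA names and the real notAfter of DST Root CA X3); the FreeBSD paths in the docstring are assumptions for on-host use.

```python
"""Audit which root CAs a PEM bundle carries and which have already expired.

Usage on a FreeBSD host (paths assumed from the thread above):
    audit_file("/usr/local/lib/php/arcanist/resources/ssl/default.pem")
    audit_file("/usr/local/share/certs/ca-root-nss.crt")
"""
import base64
import re
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


# --- minimal DER reader (enough for X.509 TBSCertificate) --------------------

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, body) for every element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def parse_time(tag, body):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = body.decode("ascii")
    if tag == 0x17:                            # YYMMDDHHMMSSZ; RFC 5280: YY < 50 means 20YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def subject_cn(name_body):
    """Find commonName in a Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            parts = list(children(atv))
            if parts and parts[0][1] == OID_CN:
                return parts[1][1].decode("utf-8")
    return None


def parse_cert(der):
    """Return {'cn': subject commonName, 'not_after': datetime} of a DER certificate."""
    _, cert, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)              # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity, subject = fields[3][1], fields[4][1]
    not_before, not_after = children(validity)
    return {"cn": subject_cn(subject), "not_after": parse_time(*not_after)}


def audit_bundle(pem_text, now):
    """Summarise a bundle: all CNs, the expired ones, and Let's Encrypt readiness."""
    certs = [parse_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    names = [c["cn"] for c in certs]
    expired = [c["cn"] for c in certs if c["not_after"] <= now]
    # Since 2021-09-30 a Let's Encrypt chain must anchor on ISRG Root X1 to verify.
    ok = "ISRG Root X1" in names and "ISRG Root X1" not in expired
    return {"names": names, "expired": expired, "lets_encrypt_ok": ok}


def audit_file(path, now=None):
    with open(path, encoding="ascii", errors="ignore") as f:
        return audit_bundle(f.read(), now or datetime.now(timezone.utc))


# --- constructed test data: NOT real certificates, just DER shaped like them ---

def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(cn, not_after_utc):
    """Unsigned, structurally valid certificate with the given CN and notAfter."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, not_after_utc.encode()))
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    spki = der(0x30, alg + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


STALE_BUNDLE = to_pem(fake_cert("DST Root CA X3", "210930140115Z"))   # like old default.pem
FRESH_BUNDLE = STALE_BUNDLE + to_pem(fake_cert("ISRG Root X1", "350604110438Z"))  # like ca-root-nss.crt
AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, bundle in (("stale", STALE_BUNDLE), ("fresh", FRESH_BUNDLE)):
        print(label, audit_bundle(bundle, AFTER_EXPIRY))
```

Run against the two files named in the docstring, `lets_encrypt_ok` is the check that distinguishes a bundle that will fail against reviews.freebsd.org from one that will not; the `expired` list makes it obvious when a bundle has simply not been refreshed. The parser reads only the subject and validity fields and does no signature verification, so it is an inventory tool, not a replacement for the verification curl performs.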
@yasu I think this should be okay now, thanks for reporting.
(In reply to Michael Gmelin from comment #8) Would you please MFH to quarterly branch?
(In reply to Yasuhiro Kimura from comment #9) 2021Q4 doesn't exist yet (but should be very soon), that's why I didn't bother bringing it to 2021Q3.
A commit in branch 2021Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=43ac6aef769c55551762dd013c5ab09ebcde8e6a

commit 43ac6aef769c55551762dd013c5ab09ebcde8e6a
Author:     Michael Gmelin <grembo@FreeBSD.org>
AuthorDate: 2021-10-01 11:03:43 +0000
Commit:     Michael Gmelin <grembo@FreeBSD.org>
CommitDate: 2021-10-02 12:54:09 +0000

    devel/arcanist-lib: Use Mozilla root CA bundle

    This fixes problems with Let's Encrypt certificates after the R3
    Let's Encrypt intermediate CA expired.

    Arcanist uses its own certificate bundle by default (default.pem),
    overriding curl's default, unless curl.cainfo is set explicitly.
    The port now replaces this custom bundle with a symlink to Mozilla's
    root CA bundle as installed by security/ca_root_nss.

    PR:          258824
    Reported by: yasu

    (cherry picked from commit 21ddc093a48b642a6a0c533069ed2118d0cdd066)

 devel/arcanist-lib/Makefile | 5 +++++
 1 file changed, 5 insertions(+)