Hello,
I was attempting to update a server when I encountered this...
rm -rf /SOME_PATH/hbsd-install-tmp
mkdir -p /SOME_PATH/hbsd-install-tmp
hbsd-update -V -n -T -t /SOME_PATH/hbsd-install-tmp
[*] Looking up version info with DNSSEC enabled.
hbsd-v1400006-b8a75dff33d23d299a0bcec0c144b15b137ac801
[*] Latest build: hbsd-v1400006-b8a75dff33d23d299a0bcec0c144b15b137ac801
[*] Latest build: hbsd-v1400006-b8a75dff33d23d299a0bcec0c144b15b137ac801
/SOME_PATH/hbsd-install-tmp/update.tar 728 MB 16 MBps 43s
[*] Verified hash: b88500aa0c5bf3e92c2fc6a9aabff82b64688f14ba81d3288fd81189770f7c59
[+] Remote hash: b88500aa0c5bf3e92c2fc6a9aabff82b64688f14ba81d3288fd81189770f7c59
[*] Checking validity of the public key
[*] Temp directory kept at: /SOME_PATH/hbsd-install-tmp
[*] Public key failed to validate.
Digging around, I tracked it down to the script-defined function
"check_pubkey_validity()" and this part:
${OPENSSL} verify \
${caopt} ${capath} \
${tmpdir}/pubkey.pem \
> /dev/null 2>&1
Checking from the command line using the expanded form with values
from variables:
"/usr/bin/openssl verify -CApath /usr/share/keys/hbsd-update/trusted /root/hbsd-install-tmp/pubkey.pem"
Trying this and:
C = US, ST = Maryland, O = HardenedBSD, CN = updater.hardenedbsd.org, emailAddress = co...@hardenedbsd.org
error 10 at 0 depth lookup: certificate has expired
error /root/hbsd-install-tmp/pubkey.pem: verification failed
Checking:
openssl x509 -in /root/hbsd-install-tmp/pubkey.pem -noout -text | grep -i -e before -e after
Not Before: Nov 15 16:55:23 2022 GMT
Not After : Dec 15 16:55:23 2023 GMT
It looks like an expired cert. Is there anything I can do to resolve
this other than bypass the security check?
Thanks!
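
Added example, not part of the original post and not hbsd-update's own code: the verify call quoted above sends its output to /dev/null, so an expired certificate and an untrusted one both surface as "Public key failed to validate". This sketch keeps the `openssl verify` output and maps the error code to a cause. The function names `classify_verify_output` and `diagnose_pubkey` and the sample variables are hypothetical.

```shell
#!/bin/sh
# Added example: report why `openssl verify` rejected a certificate
# instead of discarding its output. All function names are hypothetical.

# Read an `openssl verify` transcript on stdin and print a short cause label.
classify_verify_output() {
    # The line of interest looks like:
    #   error 10 at 0 depth lookup: certificate has expired
    code=$(sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    case "$code" in
        "")      echo "no-error-line" ;;
        9)       echo "not-yet-valid" ;;
        10)      echo "expired" ;;
        18|19)   echo "self-signed-untrusted" ;;
        2|20|21) echo "issuer-not-in-trust-store" ;;
        *)       echo "other-error-$code" ;;
    esac
}

# Run the same check as the expanded command in the post, but keep the output.
# $1 = CA directory, $2 = certificate file (both supplied by the caller).
diagnose_pubkey() {
    if out=$(openssl verify -CApath "$1" "$2" 2>&1); then
        echo "valid"
    else
        printf '%s\n' "$out" | classify_verify_output
    fi
}

# Sample input: the failure text reported in the post above.
SAMPLE_EXPIRED='C = US, ST = Maryland, O = HardenedBSD, CN = updater.hardenedbsd.org, emailAddress = co...@hardenedbsd.org
error 10 at 0 depth lookup: certificate has expired
error /root/hbsd-install-tmp/pubkey.pem: verification failed'

# Constructed sample: a certificate whose issuer is missing from the CA path.
SAMPLE_UNTRUSTED='error 20 at 0 depth lookup: unable to get local issuer certificate
error pubkey.pem: verification failed'

# Classify the transcript from the post; prints "expired".
demo() { printf '%s\n' "$SAMPLE_EXPIRED" | classify_verify_output; }
```

An "expired" result points at the certificate shipped with the update, while "issuer-not-in-trust-store" points at the local trust directory.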