[Bug 213448] The /etc/rc.d/ntpd script cannot fetch NTPD leap-seconds file if ca_root_nss package not installed

bugzilla...@freebsd.org

Oct 13, 2016, 8:58:15 AM
to freebs...@freebsd.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448

Bug ID: 213448
Summary: The /etc/rc.d/ntpd script cannot fetch NTPD
leap-seconds file if ca_root_nss package not installed
Product: Base System
Version: 10.3-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: freebs...@FreeBSD.org
Reporter: vi...@khera.org
CC: freebs...@FreeBSD.org
CC: freebs...@FreeBSD.org

I booted up a test VM I have that hasn't been started for a while. The console
logged this:

Oct 13 08:36:25 devbox kernel: Certificate verification failed for
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root
Certificate Authority - G2
Oct 13 08:36:25 devbox kernel: 34380992136:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:/u/yertle1/sources/usr10/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
Oct 13 08:36:25 devbox kernel: fetch:
https://www.ietf.org/timezones/data/leap-seconds.list: Authentication error

I traced it down to the lack of a proper certificate chain:

[root@devbox]# fetch https://www.ietf.org/timezones/data/leap-seconds.list
Certificate verification failed for /C=US/ST=Arizona/L=Scottsdale/O=Starfield
Technologies, Inc./CN=Starfield Root Certificate Authority - G2
34380992136:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify
failed:/u/yertle1/sources/usr10/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1191:
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Authentication
error
[root@devbox]# pkg install ca_root_nss
[[ pkg install details elided as irrelevant ]]
[root@devbox]# fetch https://www.ietf.org/timezones/data/leap-seconds.list
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: size of remote
file is not known
leap-seconds.list 10 kB 8155 kBps 00m00s
[root@devbox]#

So it appears that the base system ntpd requires the package to properly
function: The "fetch" feature of /etc/rc.d/ntpd fails as shown here.


bugzilla...@freebsd.org

Oct 13, 2016, 9:09:33 AM
to freebs...@freebsd.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448

--- Comment #1 from Vick Khera <vi...@khera.org> ---
I suspect the workaround here is to add --no-verify-peer to
ntp_leapfile_fetch_opts in the /etc/defaults/rc.conf file, but that seems wrong
and is just asking for a hack to happen.
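
Added example (not part of the bug thread and not FreeBSD's own rc code): a shell audit that tells apart the two states discussed above, a missing CA bundle versus verification switched off through ntp_leapfile_fetch_opts. The CA bundle path is supplied by the caller, the sample files are constructed, and --no-verify-hostname, --ca-cert and --ca-path are fetch(1) options that the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not from the bug report: audit how the leapfile fetch
# would validate TLS, given rc.conf-style files and a CA bundle path.

# Effective ntp_leapfile_fetch_opts: the last assignment wins, as when
# /etc/rc.conf overrides /etc/defaults/rc.conf. Parsed, never sourced.
leapfile_fetch_opts() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null |
        sed -n 's/^[[:space:]]*ntp_leapfile_fetch_opts=//p' |
        sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" | tail -n 1
}

# Usage: audit_leapfile_fetch CA_BUNDLE RCFILE...
# Returns 0 = verified fetch possible, 1 = no trust anchors (the failure
# in this report), 2 = verification switched off (the workaround).
audit_leapfile_fetch() {
    ca_bundle=$1; shift
    opts=$(leapfile_fetch_opts "$@")
    case " $opts " in
        *" --no-verify-peer "*|*" --no-verify-hostname "*)
            echo "FAIL: TLS verification disabled in opts: $opts"; return 2 ;;
        *" --ca-cert="*|*" --ca-path="*)
            echo "OK: trust anchors set explicitly in opts: $opts"; return 0 ;;
    esac
    if [ -s "$ca_bundle" ]; then
        echo "OK: CA bundle present at $ca_bundle"; return 0
    fi
    echo "WARN: no CA bundle at $ca_bundle; https fetch cannot verify"
    return 1
}

# Constructed sample input (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf 'ntp_leapfile_fetch_opts="-mq"\n' > "$d/defaults"
    printf 'ntp_leapfile_fetch_opts="-mq --no-verify-peer"\n' > "$d/override"
    printf 'constructed placeholder, not a real certificate\n' > "$d/cert.pem"
    audit_leapfile_fetch "$d/missing.pem" "$d/defaults" || true
    audit_leapfile_fetch "$d/cert.pem" "$d/defaults" || true
    audit_leapfile_fetch "$d/cert.pem" "$d/defaults" "$d/override" || true
    rm -rf "$d"
}
demo
```

On a real host the arguments would be the bundle path fetch is expected to use (for example /etc/ssl/cert.pem, an assumption here) followed by /etc/defaults/rc.conf and /etc/rc.conf.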

bugzilla...@freebsd.org

Oct 13, 2016, 12:17:02 PM
to freebs...@freebsd.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448

Mark Linimon <lin...@FreeBSD.org> changed:

    What|Removed               |Added
----------------------------------------------------------------------------
Assignee|freebs...@FreeBSD.org |freeb...@FreeBSD.org
      CC|freebs...@FreeBSD.org |