-- Robert G. Melson | Rio Grande Microsolutions | El Paso, TX -- A modern liberal is someone who doesn't care what you do, as long as it's compulsory. M. Stanton Evans
For the past several days all calls to git to update /usr/src or /usr/ports have failed with the following error message:
fatal: unable to access 'https://git.FreeBSD.org/src.git/': server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)
or
fatal: unable to access 'https://git.FreeBSD.org/ports.git/': server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)
On the surface, this appears to indicate a problem at git, but it could also be that I've screwed something up locally.
The Let's Encrypt cert offered up by git.freebsd.org went valid on 21 April, so probably has been in place since then. It's valid in any case.
Personally I'm looking at a different surface than you appear to be: "server verification failed: certificate signer not trusted. (CAfile: none CRLfile: none)" sorta sounds more like you don't trust any certs since you've deleted, moved, or broken linkage to your root CA trust store. Do other tools that speak HTTPS (curl, wget, what-have-you) on that machine trust certs from Let's Encrypt? That might well narrow down what's broken.
BTW, going to one of those URLs from a random functional browser would have narrowed things down very quickly.
-- --Jon Radel j...@radel.com
BTW, going to one of those URLs from a random functional browser would have narrowed things down very quickly.
I should know to hold off on hitting send until all my thoughts on the matter settle a bit.
Remember that there are mirror servers involved, so the fact that I can reach functional git servers from Virginia (or my test point closest to you physically, in Kansas City) doesn't really prove that you're not hitting a broken one from Texas. Try something like
wget -S https://git.freebsd.org/src.git/
which will show you the redirects and IP addresses of the actual servers you're hitting, and complain bitterly if wget itself can't validate the certificates, from one or more machines on your site. This should be informative.
And if you have actually tripped across a mirror server that is broken, reporting the IP address involved would be very helpful.
-- --Jon Radel j...@radel.com
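An added example, not part of the thread: the per-mirror check suggested above, sketched in Python. It verifies the certificate for the hostname against every address DNS returns, and reports the trust store Python's OpenSSL uses, which may differ from the one git's HTTPS library consults. The function names and the `diagnose` heuristic are assumptions of this sketch.

```python
import socket
import ssl
import sys

def trust_store_status():
    """Where Python's OpenSSL looks for root CAs, and how many it preloaded."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    # Only certificates from a CA file are counted here; a CA directory
    # (capath) is read on demand during verification.
    return {"cafile": paths.cafile, "capath": paths.capath,
            "loaded_cas": ctx.cert_store_stats()["x509_ca"]}

def resolve_all(host, port=443):
    """Every distinct address DNS returns; each may be a different mirror."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_ip(host, ip, port=443, timeout=10):
    """Connect to one specific IP but verify the certificate for host."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {"ip": ip, "ok": True,
                        "detail": issuer.get("organizationName", "?")}
    except ssl.SSLCertVerificationError as exc:
        return {"ip": ip, "ok": False, "detail": exc.verify_message}
    except OSError as exc:
        return {"ip": ip, "ok": False, "detail": f"connection error: {exc}"}

def diagnose(results):
    """Heuristic (assumption): all failing points local, some failing points remote."""
    if not results:
        return "no addresses resolved"
    failed = [r["ip"] for r in results if not r["ok"]]
    if not failed:
        return "all mirrors verified"
    if len(failed) == len(results):
        return "every mirror failed: check the local root CA store first"
    return "broken mirror(s) to report: " + ", ".join(failed)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "git.freebsd.org"
    print(trust_store_status())
    results = [check_ip(host, ip) for ip in resolve_all(host)]
    for r in results:
        print(r)
    print(diagnose(results))
```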