niklasniklas (Cadet, joined Aug 10, 2017, 7 messages)
Oh this is fantastic! This fixed my certificate problems:
fetch --no-verify-peer https://extranet.www.sol.net/files/misc/ca-root-nss.crt.src
There are 380 changes in this file. While the new version is nicely regularized, it might be better to publish just the one change to remove the bad cert so it's easier for others to review. (Which seems like a good idea for changes to a file like this, right?)
I don't think I have ever seen a "pki folder". I have designed and implemented several enterprise root CA's and a bunch of other random SSL stuff under my belt, along with automated systems to integrate enterprise CA's into system default lists alongside stuff like the Netscape ca-root-nss.crt list, fully hashed even, and I'll go so far as to say that in my opinion there is not a uniform standard as to whether these even go into a single file, a hashed directory, or where or what specifically that may be, depending on OpenSSL's installation directory and OS defaults.
On FreeNAS, it seems like they're borrowing the ports mechanism, and have what appears to be the ports Netscape NSS list in /usr/local/share/certs/ca-root-nss.crt as a single file. You could try plucking out the offending certificate from there to see if it fixes it. Note that the decoded certificate comes BEFORE the encoded certificate, so you would want to make a backup of the file, then try deleting the decoded bits starting at
Code:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
all the way through the following
Code:
-----END CERTIFICATE-----
which follows the decoded bits and the machine-readable certificate (about 78 lines). This is not a guarantee that this will work, it's just the first thing I'd try.
All but one instance is working for me now. My poudriere 11.4-RELEASE jail for building packages is failing to fetch things properly. The jail doesn't have security/ca-root-nss installed and the base behavior is a bit hard to follow. Any idea of where it's getting the bad cert from? I even tried putting a DST_Root_X3.pem file in /usr/share/certs/blacklisted in the jail.
OK, so it's somehow fetching the bad DST Root X3 cert and because it's OpenSSL 1.0.2u, it's failing with that? I've tried adding that cert to /etc/ssl/blacklisted and the related ISRG Root X1 cert to /etc/ssl/trusted and still no success. Is it reasonable to just install ca_root_nss into this builder jail? The base behavior is that there aren't any SSL certificates.
You could try plucking out the offending certificate from there to see if it fixes it.
Hello jgreco, my ca-root-nss.crt file has 151 certificates. How do I know which one is the offending one? I currently get this:
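To answer the "which one is the offending one" question, and to automate the delete-from-`Certificate:`-through-`END` step jgreco describes above, here is an added example (not code from the thread, FreeBSD ports, or the NSS bundle) that parses a bundle laid out like ca-root-nss.crt, lists entries whose `Not After` date has passed, and removes one entry by serial number. The sample bundle is constructed: the DST Root CA X3 header fields are the ones quoted in the thread, while the second entry and both base64 bodies are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of ca-root-nss.crt: a decoded text header
# precedes each PEM block. DST Root CA X3 fields are from the thread; the
# second entry and both base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
Certificate:
    Data:
        Serial Number: 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----
Certificate:
    Data:
        Serial Number: 01:02:03:04
        Issuer: O=Example Co, CN=Example Root (constructed)
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2040 GMT
-----BEGIN CERTIFICATE-----
QU5PVEhFUi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

# One entry = decoded header through its END line, the unit the thread deletes.
ENTRY_RE = re.compile(r"Certificate:\n.*?-----END CERTIFICATE-----\n", re.S)
SERIAL_RE = re.compile(r"Serial Number:\s*([0-9a-fA-F:]+)")
ISSUER_RE = re.compile(r"Issuer: (.*)")
NOT_AFTER_RE = re.compile(r"Not After : (.*)")

def parse_entries(bundle):
    """Return [(serial, issuer, not_after, raw_text)] for every entry."""
    out = []
    for m in ENTRY_RE.finditer(bundle):
        raw = m.group(0)
        exp = datetime.strptime(NOT_AFTER_RE.search(raw).group(1).strip(),
                                "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        out.append((SERIAL_RE.search(raw).group(1).lower(),
                    ISSUER_RE.search(raw).group(1).strip(), exp, raw))
    return out

def expired_serials(bundle, now=None):
    """Serials whose Not After is already in the past (default: right now)."""
    now = now or datetime.now(timezone.utc)
    return [s for s, _, exp, _ in parse_entries(bundle) if exp < now]

def remove_entry(bundle, serial):
    """Drop header + PEM block for `serial`; all other text stays byte-identical."""
    for s, _, _, raw in parse_entries(bundle):
        if s == serial.lower():
            bundle = bundle.replace(raw, "", 1)
    return bundle
```

Run it against a backup copy of /usr/local/share/certs/ca-root-nss.crt rather than the live file, and keep the original so the entry can be restored.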