pkgsrc-Users archive


Re: Cannot git-clone pkgsrc: SSL certificate problem: unable to get local issuer certificate



Ottavio Caruso <ottavio2006-usenet2012%yahoo.com@localhost> writes:

> Is it just me? I've just compiled devel/git from a local .tar.gz of
> pkgsrc. I then deleted the local branch and tried to clone it with the
> newly installed git:
>
> $ git clone https://github.com/NetBSD/pkgsrc.git -b pkgsrc-2019Q1
> --depth=1   pkgsrc-2019Q1
> Cloning into 'pkgsrc-2019Q1'...
> fatal: unable to access 'https://github.com/NetBSD/pkgsrc.git/': SSL
> certificate problem: unable to get local issuer certificate
>
> Is this intended behaviour?

Well, that's really a complicated question.

* Information to understand why this is hard, but not solve your problem

** 100 CAs do not make sense.

Basically, there is a notion that there are ~100 entities out there that
can be trusted to certify name/key bindings.  These are typically called
"root CAs" or "CAs configured as trust anchors".

While this is the standard approach, many find it not credible, in that
there is no basis for confidence that with very high probability *every
single one* of those ~100 is behaving properly.   There have been
incidents; the following links are about a problem with many ripples.
  https://www.securityweek.com/firefox-63-distrust-all-symantec-root-certificates
  https://security.stackexchange.com/questions/108517/should-i-be-concerned-that-google-no-longer-trusts-specific-symantec-root-ca-cer
  https://wiki.mozilla.org/CA:Symantec_Issues

Other CAs are run by governments, and I remember other problems but not
the details.

** OS defaults

Every OS (I include "distribution" of GNU/Linux as "an OS") gets to
decide what is and is not in the default trust anchor set.

** NetBSD defaults

NetBSD has so far not chosen to install a set of trust anchors, leaving
it to the user.

** pkgsrc defaults

pkgsrc follows the NetBSD defaults when installing a new openssl on
NetBSD.  I am unclear on what happens on GNU/Linux.

* How to solve your problem

** trust anchors in your OS

First, you should understand how your OS deals with trust anchors.

** which openssl is used

git links against openssl.  pkgsrc on your system may choose the base
openssl, or it may choose pkgsrc openssl.  pkgsrc openssl may or may not
look in the system place for trust anchors.  Basically you have to figure
this out.

** mozilla rootcerts

There is a package mozilla-rootcerts in pkgsrc.  This provides the set
of trust anchors that mozilla has determined meets their requirements
for being in the default trust anchor set.  There is a way to install
these - see the scripts in the mozilla-rootcerts package.

** workaround

There is an environment variable and config to set to tell git not to
check certificates.  That's no worse than git:.

https://stackoverflow.com/questions/9008309/how-do-i-set-git-ssl-no-verify-for-specific-repos-only


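The two diagnostic steps above (find out which openssl git's libcurl uses and where that openssl looks for trust anchors) and the fix (install the mozilla-rootcerts bundle and point git at it, rather than disabling verification) can be scripted. The following is an added example, not code from the mail or from pkgsrc. It assumes the OpenSSL `version -d` output format, and the candidate bundle paths (the pkgsrc `/etc/openssl/certs` target of `mozilla-rootcerts install` and the common base-system locations) are assumptions to adjust for your system:

```shell
#!/bin/sh
# Added example (not part of the original mail): locate the trust-anchor
# bundle that an OpenSSL-backed git/libcurl will use, and point git at it
# with http.sslCAInfo instead of setting http.sslVerify=false.

# Candidate PEM bundles. These paths are assumptions: the first two are
# where pkgsrc's "mozilla-rootcerts install" puts its bundle on NetBSD
# (base openssl / pkgsrc openssl), the rest are common Linux locations.
CANDIDATE_BUNDLES="
/etc/openssl/certs/ca-certificates.crt
/usr/pkg/etc/openssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/cert.pem
/etc/pki/tls/certs/ca-bundle.crt
"

# Print the OPENSSLDIR compiled into the given openssl binary (default:
# whichever "openssl" is first in PATH). Run it against /usr/pkg/bin/openssl
# too if pkgsrc built its own openssl, since git may link against that one.
openssl_dir() {
    bin=${1:-openssl}
    command -v "$bin" >/dev/null 2>&1 || return 1
    "$bin" version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Print the first readable, non-empty file in the newline-separated list $1
# that actually contains a PEM certificate; fail if none does.
# (Paths are split on whitespace, so this assumes paths without spaces.)
first_bundle() {
    for f in $1; do
        if [ -s "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Combine OPENSSLDIR-derived locations with the fixed candidates.
find_trust_store() {
    dir=$(openssl_dir "$1" || :)
    list="$CANDIDATE_BUNDLES"
    if [ -n "$dir" ]; then
        list="$dir/cert.pem
$dir/certs/ca-certificates.crt
$list"
    fi
    first_bundle "$list"
}

# Report the bundle found; with --apply, tell git to use it explicitly.
# GIT_SSL_CAINFO / SSL_CERT_FILE in the environment are the equivalent
# per-session alternatives. Never set http.sslVerify=false here.
report_trust_store() {
    bundle=$(find_trust_store) || {
        echo "no trust-anchor bundle found" >&2
        echo "on NetBSD: install pkgsrc security/mozilla-rootcerts and run" >&2
        echo "  mozilla-rootcerts install" >&2
        return 1
    }
    echo "trust anchors: $bundle"
    if [ "$1" = "--apply" ]; then
        git config --global http.sslCAInfo "$bundle"
        echo "git http.sslCAInfo set to $bundle"
    else
        echo "rerun with --apply to set git http.sslCAInfo=$bundle"
    fi
}

# Report only; never fail the shell this is sourced into.
report_trust_store "$@" || :
```

Run it once without arguments to see which bundle (if any) each openssl finds; if it reports nothing, install mozilla-rootcerts first and rerun, then `--apply`. The point of `http.sslCAInfo` over `http.sslVerify=false` is that git keeps checking the server's chain, just against a bundle you chose deliberately.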