search

TritonDataCenter / pkgsrc-joyent

Various pkgsrc packages used by Joyent, not committed upstream yet
30 stars 31 forks source link

digicert ssl certs not trusted when using pkgsrc.joyent.com with os x #15

Closed bixu closed 9 years ago

bixu commented 9 years ago 
$ cat /usr/pkg/etc/pkgin/repositories.conf 
# $Id: repositories.conf,v 1.3 2012/06/13 13:50:17 imilh Exp $
#
# Pkgin repositories list
#
# Simply add repositories URIs one below the other
#
# WARNING: order matters, duplicates will not be added, if two
# repositories hold the same package, it will be fetched from 
# the first one listed in this file.
#
# This file format supports the following macros:
# $arch to define the machine hardware platform
# $osrelease to define the release version for the operating system
#
# Remote ftp repository
#
# ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/$arch/5.1/All
#
# Remote http repository
#
# http://mirror-master.dragonflybsd.org/packages/$arch/DragonFly-$osrelease/stable/All
#
# Local repository (must contain a pkg_summary.gz or bz2)
#
# file:///usr/pkgsrc/packages/All
#
http://pkgsrc.joyent.com/packages/Darwin/2014Q2/i386/All

$ sudo pkgin update-all
Password:
database for http://pkgsrc.joyent.com/packages/Darwin/2014Q2/i386/All is up-to-date

$ sudo pkgin full-upgrade
nothing to do.

$ which curl
/usr/pkg/bin/curl

$ pkgin list | grep certs
mozilla-rootcerts-1.0.20121229nb1 Root CA certificates from the Mozilla Project

$ curl -v https://global-root.digicert.com
* About to connect() to global-root.digicert.com port 443 (#0)
*   Trying 64.58.225.121...
* Connected to global-root.digicert.com (64.58.225.121) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /usr/pkg/etc/openssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
MerlinDMC commented 9 years ago

And you're sure to have the CA certs package installed?

should be in mozilla-rootcerts afaik.

bixu commented 9 years ago

Just updated comment. Yes.

bixu commented 9 years ago

Looks like post-install for this package should do mozilla-rootcerts install

jperkin commented 9 years ago

This should have been fixed since 2014Q3.