troglobit / inadyn

In-a-Dyn is a dynamic DNS client with multiple SSL/TLS library support
https://troglobit.com/projects/inadyn/
GNU General Public License v2.0

Error code 31: System has no trusted CA store #255

Closed msmfoster closed 5 years ago

msmfoster commented 5 years ago

I managed to compile inadyn 2.5 for OpenBSD 6.5 using the fix covered in #241. The configuration file is set up for default@dnsomatic.com, as follows:

# Basic Settings
period          = 300
strict-ssl      = false
ca-trust-file   = /etc/ssl/cert.pem

# DNS-O-Matic Controls
# With multiple usernames at the same provider, index with :#

provider default@dnsomatic.com:1 {
        username = USERNAME
        password = PASS
        hostname = proteus.HOSTNAME1
}

provider default@dnsomatic.com:2 {
        username = USERNAME
        password = PASS
        hostname = proteus.HOSTNAME2
}

When I try to run inadyn, I get the following:

root@proteus /tmp: inadyn-2.5 -f /etc/inadyn.conf -n
inadyn-2.5[5119]: In-a-dyn version 2.5 -- Dynamic DNS update client.
inadyn-2.5[5119]: Error code 31: System has no trusted CA store

I've confirmed that cert.pem is readable by all, and the file parses when I run: cat /etc/ssl/cert.pem | certtool -i

Additionally, I went directly to the OpenBSD repository and got the version from them. The files are identical.

I've moved the time to /tmp to no avail. And I can't seem to find a way to make it more verbose to see if there is anything more I can do.

Any insights?

troglobit commented 5 years ago

How did you configure inadyn? I noticed my own build on my 6.1 install had used GnuTLS instead of LibreSSL, but as soon as I rebuilt with --enable-openssl the above worked¹. So maybe that's the root cause in your setup?


¹) strict-ssl has been removed
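
A quick way to confirm which TLS backend a build picked, using the configure and make lines quoted in this thread. This is an added example, not part of the thread or of inadyn; the function names and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not inadyn code: diagnostics for the mix-up in this thread.

# Read configure and/or make output on stdin, print the TLS backend it shows.
tls_backend() {
    awk '
        /checking for OpenSSL\.\.\. yes/ || /inadyn-openssl\.o/ { ossl = 1 }
        /checking for GnuTLS\.\.\. yes/  || /inadyn-gnutls\.o/  { gtls = 1 }
        END {
            if (ossl && gtls) print "mixed"      # stale log from two builds
            else if (ossl)    print "openssl"
            else if (gtls)    print "gnutls"
            else              print "unknown"
        }'
}

# Print how many certificate blocks a PEM bundle holds (0 for an empty file).
# Only counts BEGIN markers; it does not validate the certificates themselves.
count_pem_certs() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 1; }
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Constructed samples: a few lines of the two builds quoted in the thread.
sample_default_build() {
    cat <<'EOF'
checking for confuse.h... yes
checking for GnuTLS... yes
checking for gnutls_init in -lgnutls... yes
  CC       inadyn-gnutls.o
EOF
}

sample_openssl_build() {
    cat <<'EOF'
checking for confuse.h... yes
checking for OpenSSL... yes
checking for SSL_library_init in -lssl... yes
  CC       inadyn-openssl.o
EOF
}

echo "plain ./configure:            $(sample_default_build | tls_backend)"
echo "./configure --enable-openssl: $(sample_openssl_build | tls_backend)"
```

On a real tree, save the build output with `./configure 2>&1 | tee build.log` and run `tls_backend < build.log`; `count_pem_certs /etc/ssl/cert.pem` checks the bundle named in `ca-trust-file`.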

msmfoster commented 5 years ago

You nailed it. That fixed the problem and the client seems to be behaving correctly now. For completeness, I've added the outputs in the rest of the post.

This is the standard ./configure output:

root@triton /tmp/inadyn-2.5: ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/local/bin/gmkdir -p
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking whether gcc needs -traditional... no
checking for ANSI C header files... (cached) yes
checking for arpa/inet.h... yes
checking for arpa/nameser.h... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking for sys/ioctl.h... yes
checking for sys/socket.h... yes
checking for sys/types.h... (cached) yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for uint32_t... yes
checking for pid_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking for atexit... yes
checking for memset... yes
checking for poll... yes
checking for socket... yes
checking for strerror... yes
checking for library containing dlopen... none required
checking for pidfile in -lutil... yes
checking for pidfile... yes
checking for strlcpy... yes
checking for strlcat... yes
checking for strtonum... yes
checking for utimensat... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-openbsd6.5
checking host system type... x86_64-unknown-openbsd6.5
checking how to print strings... print -r
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 196608
checking how to convert x86_64-unknown-openbsd6.5 file names to x86_64-unknown-openbsd6.5 format... func_convert_file_noop
checking how to convert x86_64-unknown-openbsd6.5 file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$
checking for dlltool... no
checking how to associate runtime and link libraries... print -r --
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... openbsd6.5 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... no
checking whether to build static libraries... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for confuse... yes
checking for cfg_init in -lconfuse... yes
checking confuse.h usability... yes
checking confuse.h presence... yes
checking for confuse.h... yes
checking for GnuTLS... yes
checking for gnutls_init in -lgnutls... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking gnutls/x509.h usability... yes
checking gnutls/x509.h presence... yes
checking for gnutls/x509.h... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating inadyn.service
config.status: creating src/Makefile
config.status: creating include/Makefile
config.status: creating man/Makefile
config.status: creating examples/Makefile
config.status: creating include/config.h
config.status: include/config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands

Here is the make output:

root@triton /tmp/inadyn-2.5: make
Making all in src
  CC       inadyn-cache.o
  CC       inadyn-error.o
  CC       inadyn-conf.o
  CC       inadyn-os.o
  CC       inadyn-http.o
  CC       inadyn-plugin.o
  CC       inadyn-tcp.o
  CC       inadyn-sha1.o
  CC       inadyn-base64.o
  CC       inadyn-makepath.o
  CC       inadyn-md5.o
  CC       inadyn-log.o
  CC       inadyn-gnutls.o
  CC       ../plugins/inadyn-common.o
  CC       ../plugins/inadyn-changeip.o
  CC       ../plugins/inadyn-cloudxns.o
  CC       ../plugins/inadyn-ddnss.o
  CC       ../plugins/inadyn-dhis.o
  CC       ../plugins/inadyn-dnsexit.o
  CC       ../plugins/inadyn-dtdns.o
  CC       ../plugins/inadyn-duckdns.o
  CC       ../plugins/inadyn-duiadns.o
  CC       ../plugins/inadyn-dyndns.o
  CC       ../plugins/inadyn-dynv6.o
  CC       ../plugins/inadyn-dynv6-ipv4.o
  CC       ../plugins/inadyn-easydns.o
  CC       ../plugins/inadyn-freedns.o
  CC       ../plugins/inadyn-freemyip.o
  CC       ../plugins/inadyn-generic.o
  CC       ../plugins/inadyn-giradns.o
  CC       ../plugins/inadyn-sitelutions.o
  CC       ../plugins/inadyn-tunnelbroker.o
  CC       ../plugins/inadyn-tzo.o
  CC       ../plugins/inadyn-zoneedit.o
  CC       ../plugins/inadyn-zerigo.o
  CC       ../plugins/inadyn-dnspod.o
  CCLD     inadyn
Making all in include
make  all-am
Making all in man
Making all in examples

And here we are with the --enable-openssl option:

root@triton /tmp/inadyn-2.5: ./configure --enable-openssl
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/local/bin/gmkdir -p
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking whether gcc needs -traditional... no
checking for ANSI C header files... (cached) yes
checking for arpa/inet.h... yes
checking for arpa/nameser.h... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for stdint.h... (cached) yes
checking for string.h... (cached) yes
checking for sys/ioctl.h... yes
checking for sys/socket.h... yes
checking for sys/types.h... (cached) yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for uint32_t... yes
checking for pid_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking for atexit... yes
checking for memset... yes
checking for poll... yes
checking for socket... yes
checking for strerror... yes
checking for library containing dlopen... none required
checking for pidfile in -lutil... yes
checking for pidfile... yes
checking for strlcpy... yes
checking for strlcat... yes
checking for strtonum... yes
checking for utimensat... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-unknown-openbsd6.5
checking host system type... x86_64-unknown-openbsd6.5
checking how to print strings... print -r
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 196608
checking how to convert x86_64-unknown-openbsd6.5 file names to x86_64-unknown-openbsd6.5 format... func_convert_file_noop
checking how to convert x86_64-unknown-openbsd6.5 file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$
checking for dlltool... no
checking how to associate runtime and link libraries... print -r --
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... openbsd6.5 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... no
checking whether to build static libraries... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for confuse... yes
checking for cfg_init in -lconfuse... yes
checking confuse.h usability... yes
checking confuse.h presence... yes
checking for confuse.h... yes
checking for OpenSSL... yes
checking for EVP_EncryptInit in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
checking for openssl/crypto.h... yes
checking for openssl/x509.h... yes
checking for openssl/pem.h... yes
checking for openssl/ssl.h... yes
checking for openssl/tls1.h... yes
checking for openssl/err.h... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating inadyn.service
config.status: creating src/Makefile
config.status: creating include/Makefile
config.status: creating man/Makefile
config.status: creating examples/Makefile
config.status: creating include/config.h
config.status: executing depfiles commands
config.status: executing libtool commands

And the make output:

root@triton /tmp/inadyn-2.5: make
Making all in src
  CC       inadyn-main.o
  CC       inadyn-ddns.o
  CC       inadyn-cache.o
  CC       inadyn-conf.o
  CC       inadyn-os.o
  CC       inadyn-http.o
  CC       inadyn-plugin.o
  CC       inadyn-openssl.o
  CC       ../plugins/inadyn-common.o
  CC       ../plugins/inadyn-changeip.o
  CC       ../plugins/inadyn-cloudxns.o
  CC       ../plugins/inadyn-ddnss.o
  CC       ../plugins/inadyn-dhis.o
  CC       ../plugins/inadyn-dnsexit.o
  CC       ../plugins/inadyn-dtdns.o
  CC       ../plugins/inadyn-duckdns.o
  CC       ../plugins/inadyn-duiadns.o
  CC       ../plugins/inadyn-dyndns.o
  CC       ../plugins/inadyn-dynv6.o
  CC       ../plugins/inadyn-dynv6-ipv4.o
  CC       ../plugins/inadyn-easydns.o
  CC       ../plugins/inadyn-freedns.o
  CC       ../plugins/inadyn-freemyip.o
  CC       ../plugins/inadyn-generic.o
  CC       ../plugins/inadyn-giradns.o
  CC       ../plugins/inadyn-sitelutions.o
  CC       ../plugins/inadyn-tunnelbroker.o
  CC       ../plugins/inadyn-tzo.o
  CC       ../plugins/inadyn-zoneedit.o
  CC       ../plugins/inadyn-zerigo.o
  CC       ../plugins/inadyn-dnspod.o
  CCLD     inadyn
Making all in include
make  all-am
Making all in man
Making all in examples

troglobit commented 5 years ago

Awesome, great to hear that was it! :)