OpenBSD Journal

September 30th, 2021 syspatches: some assembly might be required

Contributed by Peter N. M. Hansteen on from the intermediate solutions for intermediate problems dept.

Did you just run syspatch(8) and see it fail?

Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in LibreSSL's "legacy" certificate verifier also contributed.

The syspatches (032 for OpenBSD 6.8, 018 for OpenBSD 6.9) mitigate the unfortunate situation.

However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.

While preparing, please do read Let's Encrypt's advice, and Stuart Henderson's sage advice on openbsd-misc@.

From the latter:

[…]
Try fetching it normally first, as a number of mirrors are either
unaffected, or have a workaround on the server side, but if that fails
you have two options:

- edit /etc/installurl to allow you to fetch the syspatches. Either
switch https to http (the updates are signed and verified anyway), or
use another mirror (including ftp.usa.openbsd.org, ftp.hostserver.de,
cdn.openbsd.org).

- locate the expired certificate in /etc/ssl/cert.pem and remove it, it
is the one with this in the header above:
=== /O=Digital Signature Trust Co./CN=DST Root CA X3
[…]

(The 6.8 and 6.9 -stable branches also have updates to remove the expired root certificate.)
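The second option above is easy to get wrong by hand on a file the size of /etc/ssl/cert.pem. The script below is an added example, not part of the article and not OpenBSD's own tooling: it removes one CA entry from a cert.pem-style bundle (from the "=== <subject>" header line that Stuart Henderson refers to, through the following "-----END CERTIFICATE-----"), and rewrites a one-line installurl from https to http. It works on copies of the files only, so you can inspect the result before copying it into /etc with doas(1). The sample bundle it builds is constructed for the demonstration and contains no real certificates; the function names are this example's own.

```shell
#!/bin/sh
# Added example: the two workarounds from the quoted advice, applied to
# copies of the files. Assumes the /etc/ssl/cert.pem layout of a
# "=== <subject>" header followed (after decoded text) by one PEM block.

# Drop one CA entry: from the "=== ..." header containing $1 up to and
# including the next END CERTIFICATE line. Everything else is echoed.
strip_ca() {
    subject="$1"
    file="$2"
    awk -v subj="$subject" '
        /^=== / && index($0, subj) { skip = 1 }
        !skip                      { print }
        skip && /^-----END CERTIFICATE-----$/ { skip = 0 }
    ' "$file"
}

# Number of PEM certificates in a bundle (prints 0 rather than failing).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Rewrite installurl so https:// becomes http://. The sets and syspatches
# are signify(1)-signed, so their verification does not depend on TLS.
installurl_to_http() {
    sed 's|^https://|http://|' "$1"
}

# Write a constructed two-entry bundle in the cert.pem layout (the PEM
# bodies are placeholder text, not real certificates) and print its path.
make_sample_bundle() {
    out="${TMPDIR:-/tmp}/cert-sample.$$"
    cat > "$out" <<'EOF'
### Digital Signature Trust Co.

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate:
    Data:
        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----

### Example Org

=== /O=Example Org/CN=Example Root CA
Certificate:
    Data:
        Subject: O=Example Org, CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
EOF
    echo "$out"
}

main() {
    sample=$(make_sample_bundle)
    printf 'before: %s certificate(s)\n' "$(count_certs "$sample")"
    strip_ca 'CN=DST Root CA X3' "$sample" > "$sample.new"
    printf 'after:  %s certificate(s)\n' "$(count_certs "$sample.new")"
    if grep -q 'DST Root CA X3' "$sample.new"; then
        echo "expired root still present"
    else
        echo "expired root removed; other entries kept"
    fi
    # On a real system, work the same way on a copy:
    #   cp /etc/ssl/cert.pem /tmp/cert.pem
    #   strip_ca 'CN=DST Root CA X3' /tmp/cert.pem > /tmp/cert.pem.new
    #   (inspect /tmp/cert.pem.new, then doas cp it over /etc/ssl/cert.pem)
    rm -f "$sample" "$sample.new"
}
main
```

Removing DST Root CA X3 takes away trust in a root that has already expired, so nothing that validates today stops validating; and since the 6.8 and 6.9 syspatches ship a corrected cert.pem anyway, the edit only has to hold until syspatch can reach the mirror again.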


Comments
  1. By chas (chas) chas@syro.org on

    I just pulled all the ftp: and https: URLs for the United States and added them to my /etc/installurl file. I am pasting them here, in case other users from North America find this convenient.

    I am (distance-wise) closest to the Illinois mirror, but that mirror does not work with the certificate expiry; an ftp: URL is required to update the certs.

    I used the Boise ftp: mirror to run syspatch for the new certs, but a full run of pkg_add -u failed there with a connection limit error, in case anyone attempts it. The Dallas mirror let a full run of pkg_add complete.

    It might be helpful for the installer to populate the installurl file with the best mirrors, if it determines a country TLD.

    #USA (San Francisco, CA)
    #ftp://mirrors.sonic.net/pub/OpenBSD/
    #USA (Boise, ID)
    #ftp://mirrors.syringanetworks.net/pub/OpenBSD/
    #USA (Cambridge, MA)
    #ftp://mirrors.mit.edu/pub/OpenBSD/
    #USA (New York, NY)
    #ftp://ftp4.usa.openbsd.org/pub/OpenBSD/
    #USA (Rochester, NY)
    #ftp://ftp.usa.openbsd.org/pub/OpenBSD/
    #USA (Dallas, TX)
    #ftp://mirror.esc7.net/pub/OpenBSD/
    #USA (San Francisco, CA)
    #https://mirrors.sonic.net/pub/OpenBSD/
    #USA (Boise, ID)
    #https://mirrors.syringanetworks.net/pub/OpenBSD/
    #USA (Arlington Heights, IL)
    https://mirrors.gigenet.com/pub/OpenBSD/
    #USA (West Lafayette, IN)
    #https://plug-mirror.rcac.purdue.edu/pub/OpenBSD/
    #USA (Cambridge, MA)
    #https://mirrors.mit.edu/pub/OpenBSD/
    #USA (Piscataway, NJ)
    #https://openbsd.mirror.constant.com/pub/OpenBSD/
    #USA (New York, NY)
    #https://ftp4.usa.openbsd.org/pub/OpenBSD/
    #USA (Rochester, NY)
    #https://ftp.usa.openbsd.org/pub/OpenBSD/
    #USA (Dallas, TX)
    #https://mirror.esc7.net/pub/OpenBSD/

    Comments
    1. By anon (anonymouse) on

      You can also change https to http, or use cdn.openbsd.org, as this article says. Note that using anything other than a single URL in installurl is not supported and may cause problems.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]