Contributed by Peter N. M. Hansteen on from the intermediate solutions for intermediate problems dept.
Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed.
The syspatches (032 for OpenBSD 6.8, 018 for OpenBSD 6.9) mitigate the unfortunate situation.
However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.
While preparing, please do read Let's Encrypt's advice, and Stuart Henderson's sage advice on openbsd-misc@.
From the latter:
[…] Try fetching it normally first, as a number of mirrors are either unaffected, or have a workaround on the server side, but if that fails you have two options:

- edit /etc/installurl to allow you to fetch the syspatches. Either switch https to http (the updates are signed and verified anyway), or use another mirror (including ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org).

- locate the expired certificate in /etc/ssl/cert.pem and remove it, it is the one with this in the header above:

=== /O=Digital Signature Trust Co./CN=DST Root CA X3 […]
(The 6.8 and 6.9 -stable branches also have updates to remove the expired root certificate.)
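The second of Stuart's options, removing the expired root from the bundle by its "=== " header line, can be scripted so that exactly one entry is dropped and every other entry is kept. The example below is added here and is not from the article, from Stuart's mail or from OpenBSD; it assumes the bundle layout where each entry starts with a "=== /subject" line and runs until the next such line, and it works on a constructed three-entry bundle with placeholder PEM bodies rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the article or OpenBSD): drop one entry from an
# OpenBSD-style cert.pem bundle by its "=== <subject>" header line.
# Assumption: each entry begins with a "=== /subject" line and extends up
# to the next such line (text dump plus PEM block).

# drop_cert_entry BUNDLE SUBJECT OUT
# Copies BUNDLE to OUT without the entry whose header is "=== SUBJECT".
# Returns 0 only if exactly one entry was dropped; OUT is written either way,
# so the caller can inspect it before replacing the real /etc/ssl/cert.pem.
drop_cert_entry() {
    bundle=$1; subject=$2; out=$3
    awk -v target="=== $subject" '
        /^=== / { skip = ($0 == target); if (skip) dropped++ }  # new entry: decide once
        !skip   { print }                                        # keep everything else
        END     { if (dropped == 1) exit 0; exit 1 }
    ' "$bundle" > "$out"
}

# count_cert_entries FILE: prints the number of "=== " entry headers.
count_cert_entries() {
    grep -c '^=== ' "$1"
}

# make_sample_bundle FILE: writes a constructed bundle (placeholder bodies,
# not real certificates) with the expired root's header in the middle.
make_sample_bundle() {
    cat > "$1" <<'EOF'
=== /O=Example Root One/CN=Example Root CA 1
Certificate: (constructed placeholder)
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERT-1
-----END CERTIFICATE-----

=== /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate: (constructed placeholder for the expired root)
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERT-2
-----END CERTIFICATE-----

=== /O=Example Root Two/CN=Example Root CA 2
Certificate: (constructed placeholder)
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERT-3
-----END CERTIFICATE-----
EOF
}

# Stand-alone run on the constructed bundle in a temporary directory.
work=$(mktemp -d)
make_sample_bundle "$work/cert.pem"
if drop_cert_entry "$work/cert.pem" "/O=Digital Signature Trust Co./CN=DST Root CA X3" "$work/cert.pem.new"; then
    echo "entries before: $(count_cert_entries "$work/cert.pem"), after: $(count_cert_entries "$work/cert.pem.new")"
fi
```

On a real system, run it against a copy of /etc/ssl/cert.pem, check the new file (entry count down by one, the DST Root CA X3 header gone), and only then move it into place.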
Comments
By chas (chas) chas@syro.org on
I just pulled all the ftp: and https: URLs for the United States and added them to my /etc/installurl file. I am pasting them here, in case other users from North America find this convenient.
I am (distance-wise) closest to the Illinois mirror, but that mirror does not work with the certificate expiry; an ftp: URL is required to update the certs.
I used the Boise ftp: mirror to run syspatch for the new certs, but a full run of pkg_add -u failed there with a connection limit error, in case anyone attempts it. The Dallas mirror let a full run of pkg_add complete.
It might be helpful for the installer to populate the installurl file with the best mirrors, if it determines a country TLD.
#USA (San Francisco, CA)
#ftp://mirrors.sonic.net/pub/OpenBSD/
#USA (Boise, ID)
#ftp://mirrors.syringanetworks.net/pub/OpenBSD/
#USA (Cambridge, MA)
#ftp://mirrors.mit.edu/pub/OpenBSD/
#USA (New York, NY)
#ftp://ftp4.usa.openbsd.org/pub/OpenBSD/
#USA (Rochester, NY)
#ftp://ftp.usa.openbsd.org/pub/OpenBSD/
#USA (Dallas, TX)
#ftp://mirror.esc7.net/pub/OpenBSD/
#USA (San Francisco, CA)
#https://mirrors.sonic.net/pub/OpenBSD/
#USA (Boise, ID)
#https://mirrors.syringanetworks.net/pub/OpenBSD/
#USA (Arlington Heights, IL)
https://mirrors.gigenet.com/pub/OpenBSD/
#USA (West Lafayette, IN)
#https://plug-mirror.rcac.purdue.edu/pub/OpenBSD/
#USA (Cambridge, MA)
#https://mirrors.mit.edu/pub/OpenBSD/
#USA (Piscataway, NJ)
#https://openbsd.mirror.constant.com/pub/OpenBSD/
#USA (New York, NY)
#https://ftp4.usa.openbsd.org/pub/OpenBSD/
#USA (Rochester, NY)
#https://ftp.usa.openbsd.org/pub/OpenBSD/
#USA (Dallas, TX)
#https://mirror.esc7.net/pub/OpenBSD/
By anon (anonymouse) on
You can also change https to http, or use cdn.openbsd.org, as this article says. Note that using anything other than a single URL in installurl is not supported and may cause problems.