Richard Bucker

OpenBSD Syspatch Pkg Update Tanked by Letsencrypt CA Expiration

Posted at — Oct 1, 2021

I fell into the post about the letsencrypt CA expiration Sept 30. I mentioned it to my team and effectively I was told I was smoking something. It was not the first time this post crossed my desk but maybe the first time I mentioned something.

FFWD to today, Oct 1, I was just wandering around my systems, which I refer to as my chickens in my chicken coop… as a backhanded nod to “cattle not pets”. I decided that my OpenBSD machines needed to be patched as there was one particular patch that arrived yesterday that I had not yet seen.

Some of the 4 of the 5 machines patched ok. The 4th failed.

https://ftp.openbsd.org/pub/OpenBSD/6.9/packages-stable/amd64/: TLS handshake failure: certificate verification failed: certificate has expired
https://ftp.openbsd.org/pub/OpenBSD/6.9/packages/amd64/: TLS handshake failure: certificate verification failed: certificate has expired
https://ftp.openbsd.org/pub/OpenBSD/6.9/packages/amd64/: empty

...

It was really weird and it was becoming upsetting.

There is a file that tells the pkg tools which server to connect to: /etc/installurl. Mine was pointing to the primary OpenBSD server… so it had to be OK. Really? Not! I tried to syspatch multiple times and nothing worked. I finally selected a host in the US. It worked. I went back and used my browser to locate the ftp site only to confirm that OpenBSD was using letsencrypt. The browser was updated so it worked and that’s when I noticed that the patch was a “cert” replacement.

With the certs patched and the install file reverted to Canada… all is well again and pkg_add -Uu worked just fine.

That which was not supposed to be a thing became a thing.