From: Florian Heigl
To: freebsd-questions@freebsd.org
Date: Sun, 8 Mar 2015 19:26:06 +0100
Subject: Adding a root CA cert on FreeBSD10
Hi,

I'm trying to identify how and where to add a trusted root certificate in FreeBSD 10.

Doing so used to be dead easy on FreeBSD until now: just drop them in /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked. This seems to be no longer true?

I'm working with CACert or "private" CAs in many cases, so this is a standard thing. Right now I'm pulling my hair out over how to make it work in FreeBSD 10.

What I want:

- openssl s_client -connect to work

I'm aware different tools are using different methods, but e.g. curl on many OSes is tamed to respect the openssl CAs, so I figure once openssl is happy it should be all good.

But OpenSSL ain't happy:

# openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Verify return code: 19 (self signed certificate in certificate chain)

I've put the CACert certificates in the following places, to no avail:

/etc/ssl/certs/cacert-class3.crt
/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-class3.crt
/usr/local/etc/ssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-root.crt
/usr/local/etc/openssl/certs/cacert-class3.crt
/usr/local/etc/openssl/certs/cacert-root.crt

I've not tried to patch them into the OS-side CA bundles like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be lost on update of the package.

Is there any documentation regarding certs that is _working_ on FreeBSD 10? I'm so far still inclined to think the error is on my side, but without current documentation it's hard to tell.
Florian

(I hope we didn't inherit another shitty Linux mechanism like hal, update-ca-certs or resolvconf to break proven functionality. If so, please let me know what it is and I'll gladly open a PR to name it a regression. Also, please excuse my lack of enthusiasm, but this has ruined much of my day, meaning the coming week will also be ruined trying to catch up.)

-- 
the purpose of libvirt is to provide an abstraction layer hiding all xen features added since 2006 until they were finally understood and copied by the kvm devs.
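What every path in the list above has in common is that the certificate was only copied into the directory; OpenSSL's CApath lookup never scans a directory by file name, it opens <subject_hash>.0, so an un-hashed certs/ directory is invisible to it no matter which directory it is. The example below is added here (it is not from this thread nor from FreeBSD's own tooling) and reproduces the untrusted-root failure with a throwaway CA, then shows the hash link that makes verification succeed; it assumes only the openssl CLI, and on a real system the directory to populate is the certs/ subdirectory of whatever `openssl version -d` prints.

```shell
# Added example (not from the thread): a CA merely copied into a certs/
# directory is invisible to OpenSSL's CApath lookup; a <subject_hash>.0 link
# is what makes it found. Throwaway CA and server cert are constructed here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway private CA and a server certificate signed by it.
make_chain() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\n' > "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 \
    -subj "/O=Example Private CA/CN=Example Root" 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "/CN=demoserver" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/srv.crt" -days 1 2>/dev/null
}

# Verify the server cert against a CApath directory; prints "ok" or "fail".
verify_with_capath() {
  openssl verify -CApath "$1" "$WORK/srv.crt" >/dev/null 2>&1 && echo ok || echo fail
}

# Install a CA the way the CApath lookup needs it: OpenSSL opens
# <subject_hash>.0 in the directory, not arbitrary file names (this is what
# c_rehash automates for every file in the directory).
install_ca() {
  mkdir -p "$1"
  cp "$2" "$1/"
  ln -sf "$(basename "$2")" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

make_chain
# The poster's situation: the file is in the directory but has no hash link.
mkdir -p "$WORK/certs-unhashed" && cp "$WORK/ca.crt" "$WORK/certs-unhashed/"
UNHASHED=$(verify_with_capath "$WORK/certs-unhashed")
# With the hash link present, the chain verifies.
install_ca "$WORK/certs-hashed" "$WORK/ca.crt"
HASHED=$(verify_with_capath "$WORK/certs-hashed")
echo "unhashed: $UNHASHED  hashed: $HASHED"
```

The same hash-link requirement applies to any tool that hands OpenSSL a directory rather than a single bundle file, which is why a cert.pem bundle "just works" while a certs/ directory needs rehashing after every addition.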