Bug 817914 - bootstrap-prefix.sh: curl fails to fetch from LetsEncrypt based https source on Mac OS High Sierra
Status: RESOLVED FIXED
Alias: None
Product: Gentoo/Alt
Classification: Unclassified
Component: Prefix Support (show other bugs)
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Prefix
URL: https://letsencrypt.org/docs/dst-root...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-13 01:31 UTC by Göktürk Yüksek
Modified: 2022-07-19 15:46 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Göktürk Yüksek archtester gentoo-dev 2021-10-13 01:31:36 UTC
I just started a build on a 2011 Macbook Air with Mac OS High Sierra. Fetching of libressl fails with:

  curl -f -L -O https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.4.tar.gz
  curl: (60) SSL certificate problem: certificate has expired

Given it managed to compile make, sed etc. I'm guessing it's hitting the LetsEncrypt DST Root CA X3 Expiration (September 2021) issue. I just replaced https with http and bumped it to 3.2.7 in the meantime.

What's worse, I think, is that the script moves on with this failure and compiles wget without SSL support because libressl doesn't exist. When it tries to download xz, even though the URI is http, the upstream redirects it to https, wget bails out saying that SSL support isn't compiled in, and you're stuck in a perpetual cycle of not being able to download xz:

wget http://distfiles.prefix.bitzolder.nl/prefix/distfiles/xz-5.2.4.tar
--2021-10-12 21:08:36--  http://distfiles.prefix.bitzolder.nl/prefix/distfiles/xz-5.2.4.tar
Resolving distfiles.prefix.bitzolder.nl... 45.95.64.8
Connecting to distfiles.prefix.bitzolder.nl|45.95.64.8|:80... connected.
HTTP request sent, awaiting response... 302 Look Elsewhere
Location: https://distfiles.prefix.bitzolder.nl/prefix/distfiles/73/xz-5.2.4.tar [following]
https://distfiles.prefix.bitzolder.nl/prefix/distfiles/73/xz-5.2.4.tar: HTTPS support not compiled in.

I wonder if it's a better idea to modify the efetch logic so that it skips wget if SSL support isn't compiled in.
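The two failure modes described in this report (curl refusing an expired chain and the script quietly continuing, then falling back to a wget built without HTTPS) can be handled in the fetch helper itself. The following is an added example written for this page, not code from bootstrap-prefix.sh or the Gentoo Prefix project: a POSIX-sh `efetch`-style function that treats curl's certificate-verification failure (exit status 60) as a hard error instead of silently moving on, and only falls back to wget when its `--version` banner advertises `+https`. The function names and the sample version banners are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not bootstrap-prefix.sh): a fetch helper that fails loudly on
# TLS verification errors and never falls back to a wget without HTTPS support.

# Parse the output of `wget --version` ($1). GNU wget lists its build options
# as +feature/-feature tokens, e.g. "+https +ipv6 ... +ssl/openssl" or "-https".
wget_supports_https() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])\+https([[:space:]]|$)'
}

# Map the curl exit codes that matter here to a short reason.
# 60 = peer certificate cannot be authenticated with known CA certificates
# 35 = TLS handshake failed (protocol/cipher problem rather than trust)
curl_failure_reason() {
    case "$1" in
        0)  printf 'ok' ;;
        60) printf 'certificate verification failed' ;;
        35) printf 'TLS handshake failed' ;;
        *)  printf 'transfer failed (curl exit %s)' "$1" ;;
    esac
}

# efetch URL: try curl first; on a certificate error stop rather than
# continuing (downgrading to http would silently drop integrity of the
# tarball that the rest of the bootstrap is built from); otherwise use wget,
# but only if this wget can actually follow an https redirect.
efetch() {
    url=$1
    if command -v curl >/dev/null 2>&1; then
        rc=0
        curl -f -L -O "$url" || rc=$?
        [ "$rc" -eq 0 ] && return 0
        if [ "$rc" -eq 60 ]; then
            echo "efetch: $url: $(curl_failure_reason "$rc"); fix the CA bundle instead of falling back" >&2
            return "$rc"
        fi
        echo "efetch: curl: $(curl_failure_reason "$rc"), trying wget" >&2
    fi
    if command -v wget >/dev/null 2>&1 \
       && wget_supports_https "$(wget --version 2>/dev/null)"; then
        wget "$url"
        return $?
    fi
    echo "efetch: no fetcher with HTTPS support available for $url" >&2
    return 1
}

# Constructed sample banners (assumed, not captured from this bug) so the
# capability check can be exercised offline.
ssl_banner='GNU Wget 1.21.3 built on darwin17.7.0.
+cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm +opie -psl +ssl/openssl'
nossl_banner='GNU Wget 1.21.3 built on darwin17.7.0.
-cares +digest -gpgme -https +ipv6 +iri +large-file -metalink +nls +ntlm +opie -psl -ssl'

wget_supports_https "$ssl_banner"   && echo "sample 1: wget has HTTPS, usable as fallback"
wget_supports_https "$nossl_banner" || echo "sample 2: wget lacks HTTPS, fallback skipped"
```

Usage is `efetch https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.7.tar.gz`. The point of refusing to continue on exit 60 is that the reporter's workaround (switching the URL to plain http) removes the only integrity check the bootstrap has on the tarball; the right repair for the DST Root CA X3 expiry is to install a CA bundle that contains ISRG Root X1, not to drop verification.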
Comment 1 Fabian Groffen gentoo-dev 2021-10-13 06:30:24 UTC
I could have distfiles.p.b.n not redirect to https when the source wasn't https.  Hmmm...
Comment 2 Larry the Git Cow gentoo-dev 2022-06-30 18:19:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=7794c9a763b6b627dc6b28530a2a5c7659209a70

commit 7794c9a763b6b627dc6b28530a2a5c7659209a70
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-06-30 18:19:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-06-30 18:19:09 +0000

    bootstrap-prefix.sh: bump LibreSSL
    
    Bug: https://bugs.gentoo.org/817914
    Signed-off-by: Sam James <sam@gentoo.org>

 scripts/bootstrap-prefix.sh | 2 ++
 1 file changed, 2 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-06-30 18:19:54 UTC
(Bumped LibreSSL at least as it was overdue, although not strictly related.)
Comment 4 Fabian Groffen gentoo-dev 2022-07-19 15:46:06 UTC
I bootstrapped on High Sierra 2 days ago, it did encounter some CA issues, but its interactions with prefix.b.n were OK cert-wise (I've updated the cert to use the new root).

I'm hoping this is sorted now.