FreeBSD fetch(1) broken on SSL links?

I went to download Tarsnap on a FreeBSD 10.0-p12 machine, and got hit with this error:

# fetch https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
34380830376:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1179:
fetch: https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz: Authentication error

Looking at the last line of the error, you might think that Colin password-protected the Tarsnap source code. This would be extremely daft on his part, so I read on. But actually reading the message tells me that fetch(1) died because it couldn’t verify the Comodo RSA cert used on the Tarsnap web site.

Comodo has been around a long time. Why would their cert be invalid?

Second thought: Colin’s been hacked!

But no.

The third thought is the charm. Turns out that fetch in FreeBSD 10 validates SSL certificates–but doesn’t ship with an SSL root certificate! So, Colin hasn’t gone daft, or been hacked… but someone in the FreeBSD crew definitely increased my astonishment!

I installed the ca_root_cert package and created a symlink for fetch.

# ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Fetch now worked as I expected.

It does seem that if you’re going to validate SSL certs, you should either have a decent root cert bundle installed or print a helpful error message.

One Reply to “FreeBSD fetch(1) broken on SSL links?”

Comments are closed.