Installing CA certificates on NetBSD

2014-08-27 10:05

Using SSL-aware programs which expect a CA certificate path on NetBSD (such as cURL, Git or Wget) without installing CA certificates will result in the following SSL certificate error messages.

Please note that this also happens when using pkgsrc on other systems, and the same installation instructions can be used.

cURL error message:

    curl https://www.netbsd.org
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

Git error message:

    git clone https://github.com/jsonn/pkgsrc.git
    Cloning into 'pkgsrc'...
    fatal: unable to access 'https://github.com/jsonn/pkgsrc.git/': SSL certificate problem: unable to get local issuer certificate

Wget error message:

    wget https://www.netbsd.org
    --2014-08-25 16:48:11--  https://www.netbsd.org/
    Resolving www.netbsd.org (www.netbsd.org)... 149.20.53.86, 2001:4f8:3:7:14::25
    Connecting to www.netbsd.org (www.netbsd.org)|149.20.53.86|:443... connected.
    ERROR: cannot verify www.netbsd.org's certificate, issued by ‘/C=US/O=GeoTrust, Inc./CN=RapidSSL CA’:
      Self-signed certificate encountered.
    To connect to www.netbsd.org insecurely, use `--no-check-certificate'.

In order to fix this issue, we need to install CA certificates distributed by the Mozilla Project (mozilla-rootcerts package), using either pkgsrc or pkgin:

Using pkgsrc:

    cd /usr/pkgsrc/security/mozilla-rootcerts
    make install clean clean-depends

Using pkgin:

    pkgin install mozilla-rootcerts

We can then extract and rehash all CA root certificates:

    mozilla-rootcerts install

The combined certificate file will be created in /etc/ssl/certs, and we can now connect safely to secure endpoints.
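
To confirm that the extract-and-rehash step populated the trust store, the following added example (not part of the original post) checks a certificate directory such as /etc/ssl/certs. It assumes the standard OpenSSL rehash naming (eight hex digits, a dot, a sequence number); the function name check_ca_dir is hypothetical.

```sh
#!/bin/sh
# Added example: sanity-check an OpenSSL-style hashed CA directory.
# check_ca_dir DIR prints "ok <n>" and returns 0 when DIR holds at least one
# hash-named entry and every such entry resolves to a readable PEM certificate.
# Otherwise it prints the reason and returns 1.
check_ca_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    count=0
    for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        # An unmatched glob stays literal: neither -e nor -L is true for it.
        [ -e "$link" ] || [ -L "$link" ] || continue
        # A symlink whose target was removed is a broken trust anchor.
        if [ ! -r "$link" ]; then
            echo "dangling: $link"
            return 1
        fi
        # Every hashed entry must contain a PEM certificate block.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$link"; then
            echo "not PEM: $link"
            return 1
        fi
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no hashed certificates in $dir"; return 1; }
    echo "ok $count"
}

# Run against the directory given on the command line, for example:
#   sh check_ca_dir.sh /etc/ssl/certs
if [ "$#" -gt 0 ]; then
    check_ca_dir "$1"
fi
```

A result of "ok" with a non-zero count means certificate verification can stay enabled in cURL, Git and Wget instead of falling back to -k or --no-check-certificate.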