port cannot fetch because of expired cert, but cert is OK according to Safari, curl (question related to Mojave / Catalina)

Masha Vecherkovskaya mashavecher at gmail.com
Sun Nov 7 06:48:47 UTC 2021


Hi.
Just out of interest, I’ve tried to fetch nsd on my Mojave.
Absolutely standard MacPorts installation:
MacBook-Pro:~ mashavecher$ sudo port -d fetch nsd
Password:
DEBUG: Copying /Users/mashavecher/Library/Preferences/com.apple.dt.Xcode.plist to /opt/local/var/macports/home/Library/Preferences
DEBUG: Changing to port directory: /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/net/nsd
DEBUG: OS darwin/18.7.0 (macOS 10.14.6) arch i386
DEBUG: only one arch supported, so not adding the default universal variant
DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies
DEBUG: Finished running callback portconfigure::add_automatic_compiler_dependencies
DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies
DEBUG: Finished running callback portbuild::add_automatic_buildsystem_dependencies
DEBUG: Running callback portstartupitem::add_notes
DEBUG: Finished running callback portstartupitem::add_notes
DEBUG: Attempting ln -sf /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_net_nsd/nsd/work /opt/local/var/macports/sources/rsync.macports.org/release/tarballs/ports/net/nsd/work
DEBUG: dropping privileges: euid changed to 502, egid changed to 501.
DEBUG: Starting logging for nsd @4.2.1_2
DEBUG: macOS 10.14.6 (darwin/18.7.0) arch i386
DEBUG: MacPorts 2.7.1
DEBUG: Xcode 11.3.1
DEBUG: SDK 10.14
DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.14
DEBUG: Executing org.macports.main (nsd)
DEBUG: dropping privileges: euid changed to 502, egid changed to 501.
DEBUG: fetch phase started at Sun Nov  7 09:40:41 MSK 2021
--->  Fetching distfiles for nsd
DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.
DEBUG: dropping privileges: euid changed to 502, egid changed to 501.
DEBUG: Executing org.macports.fetch (nsd)
--->  nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd
--->  Attempting to fetch nsd-4.2.1.tar.gz from http://cph.dk.distfiles.macports.org/nsd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1118k  100 1118k    0     0  3847k      0 --:--:-- --:--:-- --:--:-- 3858k
MacBook-Pro:~ mashavecher$ 

Maybe this could be helpful

Masha



On 7 November 2021 at 08:03:25, Kastus Shchuka (macports at tprfct.net) wrote:



> On Nov 6, 2021, at 7:53 PM, André-John Mas <andrejohn.mas at gmail.com> wrote:  
>  
> Does it make a difference if you test via sudo or your own user login?  
>  

Well, it won't work as a regular user. A regular user does not have write permissions to the /opt/local tree.  

On the other hand, it's plain dumb why it works for me. As you can see below, org.macports.fetch does not use HTTPS, it downloads over HTTP. Certificates are just irrelevant for that.  

I am not sure what part of macports.conf controls protocol for fetch, I have not modified that file since 2017. (I guess I should have done it). I looked at the diff between my macports.conf and macports.conf.default from May 2021, and I don't see anything with regards to http/https. I must be missing something there.  

Thanks,  

Kastus  

> André-John  
>  
> Sent from my phone.  
>  
>> On 06 Nov 2021, at 22:08, Kastus Shchuka <macports at tprfct.net> wrote:  
>>  
>> Something does not add up here.  
>>  
>> High Sierra is older than Mojave, right? I can fetch sources of nsd on High Sierra without any problems:  
>>  
>> $ sudo port -d fetch nsd  
>> DEBUG: Copying /Users/pike/Library/Preferences/com.apple.dt.Xcode.plist to /opt/local/var/macports/home/Library/Preferences  
>> DEBUG: Changing to port directory: /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd  
>> DEBUG: OS darwin/17.7.0 (macOS 10.13.6) arch i386  
>> DEBUG: adding the default universal variant  
>> DEBUG: Reading variant descriptions from /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/variant_descriptions.conf  
>> DEBUG: Running callback portconfigure::add_automatic_compiler_dependencies  
>> DEBUG: Finished running callback portconfigure::add_automatic_compiler_dependencies  
>> DEBUG: Running callback portbuild::add_automatic_buildsystem_dependencies  
>> DEBUG: Finished running callback portbuild::add_automatic_buildsystem_dependencies  
>> DEBUG: Running callback portstartupitem::add_notes  
>> DEBUG: Finished running callback portstartupitem::add_notes  
>> DEBUG: Attempting ln -sf /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_net_nsd/nsd/work /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/nsd/work  
>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.  
>> DEBUG: Starting logging for nsd @4.2.1_2  
>> DEBUG: macOS 10.13.6 (darwin/17.7.0) arch i386  
>> DEBUG: MacPorts 2.7.1  
>> DEBUG: Xcode 9.4.1  
>> DEBUG: SDK 10.13  
>> DEBUG: MACOSX_DEPLOYMENT_TARGET: 10.13  
>> DEBUG: Executing org.macports.main (nsd)  
>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.  
>> DEBUG: fetch phase started at Sat Nov 6 19:00:42 PDT 2021  
>> ---> Fetching distfiles for nsd  
>> DEBUG: elevating privileges for fetch: euid changed to 0, egid changed to 0.  
>> DEBUG: dropping privileges: euid changed to 504, egid changed to 20.  
>> DEBUG: Executing org.macports.fetch (nsd)  
>> ---> nsd-4.2.1.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd  
>> ---> Attempting to fetch nsd-4.2.1.tar.gz from http://distfiles.macports.org/nsd  
>> % Total % Received % Xferd Average Speed Time Time Time Current  
>> Dload Upload Total Spent Left Speed  
>> 100 1118k 100 1118k 0 0 3557k 0 --:--:-- --:--:-- --:--:-- 3563k  
>> $ ls -l /opt/local/var/macports/distfiles/nsd  
>> total 2240  
>> -rw-r--r-- 1 macports wheel 1145713 Nov 6 19:00 nsd-4.2.1.tar.gz  
>>  
>> I have MacPorts installed from a package, I did not build it, so it is pretty much standard. Neither did I do anything to the system certificate chain.  
>>  
>>> On Nov 6, 2021, at 5:43 AM, Ryan Schmidt <ryandesign at macports.org> wrote:  
>>>  
>>>  
>>>  
>>>> On Nov 6, 2021, at 05:39, Gerben Wierda wrote:  
>>>>  
>>>> I was looking at updating nsd (which I am maintaining, and it is high time)  
>>>>  
>>>> But fetching failed on macOS Mojave (where I have my MacPorts setup).  
>>>>  
>>>> :debug:fetch Executing org.macports.fetch (nsd)  
>>>> :info:fetch ---> nsd-4.3.8.tar.gz does not exist in /opt/local/var/macports/distfiles/nsd  
>>>> :notice:fetch ---> Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/  
>>>> :debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired  
>>>>  
>>>> Now, my main MacPorts dev/use machine is macOS Mojave so I suspect that is the Mojave-doesn’t-get-root-cert-updates problem. So, I tried to do a port fetch on Catalina, and there it works and the distribution is downloaded.  
>>>>  
>>>> It is strange, though, because Safari on both Catalina (other machine) and Mojave say the cert is fine. Still, it is most likely that this is a problem that comes from still using Mojave.  
>>>>  
>>>> Updating that machine will not happen until late December, so if I am to maintain anything MacPorts, I need a fix to get this working again.  
>>>>  
>>>> I have tried using curl on the Mojave machine, and that one works.  
>>>>  
>>>> So, Safari works, curl works, but port does not work.  
>>>>  
>>>> I tried copying /etc/ssl/cert.pem over to the Mojave machine, but that doesn’t work either.  
>>>  
>>> This is the "Let's Encrypt's old root certificate expired" problem described here:  
>>>  
>>> https://trac.macports.org/wiki/ProblemHotlist#letsencrypt  
>>>  
>>> When you said "curl works but port does not work" that's not quite right. /opt/local/bin/curl and /opt/local/lib/libcurl.dylib work. /usr/bin/curl and /usr/lib/libcurl.dylib (the latter of which MacPorts uses by default) do not work for Let's Encrypt-protected sites anymore.  
>>>  
>>> I, on High Sierra, have the same issue, and I have no solution for you. This issue affects High Sierra and Mojave. I recommend upgrading to Catalina or later; I plan to eventually.  
>>>  
>>> Well, you could rebuild MacPorts from source, instructing it to use a newer copy of libcurl with a newer copy of openssl or libressl that has a newer certificate bundle. For example, install a bootstrap copy of MacPorts in a separate prefix, install curl in that prefix, then rebuild your primary MacPorts from source, telling it to use the libcurl in the separate prefix. Any future upgrades to MacPorts base probably also have to be done from source; using "sudo port selfupdate" will not preserve your configure arguments and you'll be back to using the System's broken libcurl again.  
>>  
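
Added example, not part of the original thread: a small triage of `port` fetch logs that separates plaintext HTTP fetches (where no certificate is ever checked) from HTTPS fetches that failed verification, which is the difference between the two nsd logs quoted above. The sample lines are copied from those logs; the function name `triage` and the wording of the notes are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the two `port` logs quoted in this thread (prefixes and
# spacing differ between `port -d` terminal output and main.log).
SAMPLE_LOG = """\
--->  Attempting to fetch nsd-4.2.1.tar.gz from http://cph.dk.distfiles.macports.org/nsd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100 1118k  100 1118k    0     0  3847k      0 --:--:-- --:--:-- --:--:-- 3858k
:notice:fetch ---> Attempting to fetch nsd-4.3.8.tar.gz from https://www.nlnetlabs.nl/downloads/nsd/
:debug:fetch Fetching distfile failed: SSL certificate problem: certificate has expired
"""

ATTEMPT = re.compile(r"--->\s+Attempting to fetch (\S+) from (\S+)")
FAILED = re.compile(r"Fetching distfile failed: (.*)")


def triage(log_text):
    """Return one dict per fetch attempt: distfile, host, scheme, error, note."""
    attempts = []
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            url = urlsplit(m.group(2))
            attempts.append({"distfile": m.group(1), "host": url.hostname,
                             "scheme": url.scheme, "error": None})
            continue
        m = FAILED.search(line)
        if m and attempts:
            # A failure line belongs to the most recent attempt.
            attempts[-1]["error"] = m.group(1).strip()
    for a in attempts:
        if a["scheme"] == "http":
            a["note"] = "plaintext: no certificate checked, says nothing about the CA bundle"
        elif a["error"] and "certificate" in a["error"].lower():
            a["note"] = "TLS verification failed in the libcurl that port uses"
        elif a["error"]:
            a["note"] = "failed for a non-certificate reason"
        else:
            a["note"] = "no TLS failure logged"
    return attempts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f'{a["distfile"]:18} {a["scheme"]:5} {a["host"]:30} {a["note"]}')
```
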
