FreeBSD 10.0's fetch utility has changed from 9.x; it now defaults to checking the SSL certificate, so this command fails:
root@fbsd-qa:~ # fetch -o - http://bootstrap.saltstack.org
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: http://bootstrap.saltstack.org: Authentication error
Fetch can either have this flag passed:
fetch --no-verify-peer -o - http://bootstrap.saltstack.org | sh
Or, you can set the environment variable SSL_NO_VERIFY_PEER=1
Ah! Yes! This makes sense.
@m87carlson Think I can ask you to edit the bootstrap script locally, rename all of _freebsd_9 occurrences to _freebsd_10 and run the script to see if the minion gets installed?
If it's all good, let me know, or, you could also create a pull request which could have the *_freebsd_10* just call the *_freebsd_9* functions? This way the credit goes to you, as it should.
You bet, I've tested that out and it seems to work just fine (created new
freebsd_10 functions that just call freebsd_9)
I'll create a pull request
On Thu, Jan 30, 2014 at 8:29 PM, Pedro Algarvio [email protected]:
@m87carlson https://github.com/m87carlson Think I can ask you to edit
the bootstrap script locally, rename all of _freebsd_9 occurrences to
_freebsd_10 and run the script to see if the minion gets installed?
If it's all good, let me know, or, you could also create a pull request
which could have the __freebsd_10_ just call the __freebsd_9_ functions?
This way the credit goes to you, as it should.
Awesome!
Documentation should be updated as well, for example this line:
fetch -o install_salt.sh https://bootstrap.saltstack.com
sudo sh install_salt.sh
Should be:
fetch --no-verify-peer -o install_salt.sh https://bootstrap.saltstack.com
sudo sh install_salt.sh
Thanks!
Actually a better (and permanent) solution to this is to:
$ pkg install ca_root_nss
then, ln or cp the combined root certificates to /etc/ssl/cert.pem
e.g.
$ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
which installs the nss root certificates in a place where fetch(1) can find them.
Bypassing security is rarely a good solution.
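The permanent fix described in the comment above, as an added shell example that is not part of the original thread: it refuses to run while SSL_NO_VERIFY_PEER is set, links the ca_root_nss bundle to /etc/ssl/cert.pem only when no usable bundle is already there, and downloads the script to a file before running it. The function names and the optional root-prefix argument (used to exercise the logic against a scratch directory) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the salt-bootstrap project): keep fetch(1)
# certificate verification on instead of passing --no-verify-peer.

NSS_BUNDLE=usr/local/share/certs/ca-root-nss.crt   # installed by ca_root_nss
SYS_BUNDLE=etc/ssl/cert.pem                        # where fetch(1) looks

# ensure_ca_bundle [ROOT]
# ROOT is a hypothetical prefix, empty by default (the real filesystem).
# Returns 0 when a CA bundle is in place, 1 when ca_root_nss is missing,
# 2 when the environment disables peer verification.
ensure_ca_bundle() {
    root=${1:-}
    # A set variable, even an empty one, counts as "verification disabled".
    if [ -n "${SSL_NO_VERIFY_PEER+set}" ]; then
        echo "SSL_NO_VERIFY_PEER is set; unset it first" >&2
        return 2
    fi
    # A bundle that already holds a certificate is left untouched.
    if grep -q 'BEGIN CERTIFICATE' "$root/$SYS_BUNDLE" 2>/dev/null; then
        return 0
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$root/$NSS_BUNDLE" 2>/dev/null; then
        echo "no CA bundle found; run: pkg install ca_root_nss" >&2
        return 1
    fi
    mkdir -p "$root/etc/ssl" &&
        ln -sf "$root/$NSS_BUNDLE" "$root/$SYS_BUNDLE"
}

# Download with verification on, to a file, then run it (no pipe to sh).
bootstrap_salt() {
    ensure_ca_bundle || return
    fetch -o install_salt.sh https://bootstrap.saltstack.com &&
        sh install_salt.sh
}
```

Call `bootstrap_salt` as root on the FreeBSD host after `pkg install ca_root_nss`.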
Many thanks, deeprave!
Thanks! I'll update the docs with this info.
This information is now on the readme file. Thanks!