# Invalid signature after upgrade from 10.2 to 10.3



## gariac (Sep 15, 2016)

I have a similar problem as in this thread:
https://forums.freebsd.org/threads/52013/
after doing an upgrade from 10.2 to 10.3. I added my question to that thread, but I think the fact that there is a "solved" flag by it means no one is reading my addition. While the thread I referenced has a solution, it is specific rather than universal. That is, I don't know where to find similar files to the thread.

Here is the error message. Also all the information requested in the other thread is presented here specific to my installation.


```
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update3.freebsd.org... invalid signature.
Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... invalid signature.
Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org... invalid signature.
Fetching metadata signature for 10.3-RELEASE from update4.freebsd.org... invalid signature.
No mirrors remaining, giving up.
```


```
# uname -a
FreeBSD theranch 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #0: Thu Aug 11 18:38:15 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```


```
# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 7 mirrors found.
Fetching snapshot tag from your-org.portsnap.freebsd.org... invalid snapshot tag.
Fetching snapshot tag from sourcefire.portsnap.freebsd.org... invalid snapshot tag.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... invalid snapshot tag.
Fetching snapshot tag from ec2-ap-northeast-1.portsnap.freebsd.org... invalid snapshot tag.
Fetching snapshot tag from ec2-ap-southeast-2.portsnap.freebsd.org... invalid snapshot tag.
Fetching snapshot tag from ec2-sa-east-1.portsnap.freebsd.org... invalid snapshot tag.
Fetching snapshot tag from isc.portsnap.freebsd.org... failed.
No mirrors remaining, giving up.
```


```
# /usr/bin/openssl version
34379283160:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:345:line 1
```


```
# file /usr/bin/openssl
/usr/bin/openssl: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.3, stripped
```


```
# ldd /usr/bin/openssl
/usr/bin/openssl:
        libssl.so.7 => /usr/lib/libssl.so.7 (0x800897000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x800b03000)
        libc.so.7 => /lib/libc.so.7 (0x800ef9000)
```

I also have openssl installed for my email:

```
# ls -l openssl
-rwxr-xr-x  1 root  wheel  627462 Sep 12 07:39 openssl
# pwd
/usr/local/bin

# file /usr/local/bin/openssl
/usr/local/bin/openssl: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.2, not stripped

# ldd /usr/local/bin/openssl
/usr/local/bin/openssl:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8008a1000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800b0b000)
        libthr.so.3 => /lib/libthr.so.3 (0x800f18000)
        libc.so.7 => /lib/libc.so.7 (0x80113d000)
```

Whatever solution is proposed, I really don't want my email broken. When I did the upgrade from 10.2 to 10.3, libressl somehow got installed and it broke everything, causing about two hours of debugging and repairs.


----------



## SirDice (Sep 16, 2016)

Looking at the first error (missing equal sign) it might be caused by an error in /etc/ssl/openssl.cnf. Did you check that file for obvious errors? Also try (re)installing security/ca_root_nss and removing the contents of /var/db/freebsd-update/.


----------



## kpa (Sep 16, 2016)

In my opinion freebsd-update(8) should force the default configuration on OpenSSL components it uses and ignore the OpenSSL configuration file altogether.


----------



## gariac (Sep 17, 2016)

SirDice said:


> Looking at the first error (missing equal sign) it might be caused by an error in /etc/ssl/openssl.cnf. Did you check that file for obvious errors? Also try (re)installing security/ca_root_nss and removing the contents of /var/db/freebsd-update/.



Here is the result from the ca_root_nss make:

```
You have security/openssl installed but do not have DEFAULT_VERSIONS+=ssl=openssl set in your make.conf

===>  License MPL accepted by the user
===>  Found saved configuration for ca_root_nss-3.26
===>   ca_root_nss-3.26 depends on file: /usr/local/sbin/pkg - found
=> nss-3.26.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://download.cdn.mozilla.net/pub/security/nss/releases/NSS_3_26_RTM/src/nss-3.26.tar.gz
nss-3.26.tar.gz                               100% of 7213 kB   18 MBps 00m00s
===> Fetching all distfiles required by ca_root_nss-3.26 for building
===>  Extracting for ca_root_nss-3.26
=> SHA256 Checksum OK for nss-3.26.tar.gz.
===>  Patching for ca_root_nss-3.26
===>   ca_root_nss-3.26 depends on package: perl5>=5.20<5.21 - found
===>  Configuring for ca_root_nss-3.26
===>  Building for ca_root_nss-3.26
##  Untrusted certificates omitted from this bundle: 20
34379283160:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:345:line 1
openssl x509 failed with exit code 256 at /usr/ports/security/ca_root_nss/work/MAca-bundle.pl line 78.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/ca_root_nss
*** Error code 1
```

I wiped out the /var/db/freebsd-update directory. (I zipped it to be safe). No difference. The openssl.conf looks ok. Now note I have two installations of openssl. The person who helped me set up my email came up with this. This directory listing with symbolic links may be useful:


```
# pwd
/usr/local/openssl
# ls -l
total 1968
-rw-r--r--  1 root  wheel  941124 Aug  9 01:50 cert.pem
lrwxr-xr-x  1 root  wheel      38 Aug  9 01:50 cert.pem.sample -> /usr/local/share/certs/ca-root-nss.crt
drwxr-xr-x  2 root  wheel     512 Sep 12 07:39 certs
drwxr-xr-x  2 root  wheel     512 Sep 12 20:24 misc
lrwxr-xr-x  1 root  wheel      20 Jul  6  2015 openssl.cnf -> /etc/ssl/openssl.cnf
-rw-r--r--  1 root  wheel   10835 Sep 12 07:39 openssl.cnf.sample
drwxr-xr-x  2 root  wheel     512 Sep 12 07:39 private
```

The /etc directory has no symbolic links relative to openssl.



```
# which openssl
/usr/bin/openssl

# cd /usr/local
# ls
bin                             libdata                         openssl
bootstrap-openjdk               libexec                         pgsql
bsd-cloudinit                   llvm36                          sbin
etc                             llvm37                          share
go                              man                             src
include                         my.cnf                          var
info                            openjdk7                        www
lib                             openjdk8                        x86_64-portbld-freebsd10.1
```


----------



## gariac (Sep 19, 2016)

Geez I'm a repeat idiot. The same problem I had with the merge markers the last time (see older forum link). 

What exactly should I be doing with these merge markers? Commenting them out made the problem go away. Which lines are needed? For instance, the #$FreeBSD line is a comment, but maybe the merge reads it. I'd like to figure this out once and for all and not be a repeat offender!

https://forums.freebsd.org/threads/54234/ 

```
# vi openssl.cnf
#<<<<<<< current version
#<<<<<<< current version
#=======
=======
# $FreeBSD: releng/10.3/crypto/openssl/apps/openssl.cnf 238405 2012-07-12 19:30:53Z jkim $
#>>>>>>> 10.3-RELEASE
#
```
I didn't exactly follow the instructions here, reading them. Yeah, I know, not your post, but it might be useful for people doing google searches.
https://www.digitalocean.com/community/tutorials/how-to-upgrade-freebsd-from-version-10-2-to-10-3


----------
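As an added example (not part of any post in this thread): a POSIX sh check that lists uncommented merge markers of the shape shown in the openssl.cnf excerpt above, so they can be found and resolved before running freebsd-update or portsnap again. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find unresolved merge markers left in config files.
# Marker shapes follow the openssl.cnf excerpt in the thread:
#   <<<<<<< current version / ======= / >>>>>>> 10.3-RELEASE
# Caveat: a bare "=======" line can also be a legitimate underline in text files.

# Print "file:line:text" for each uncommented marker line under the given paths.
# Exit status is 0 when markers were found, non-zero when none were.
find_merge_markers() {
    grep -rnE '^(<<<<<<< .*|=======|>>>>>>> .*)$' "$@" 2>/dev/null
}

# Count the files that contain at least one uncommented marker.
count_marked_files() {
    grep -rlE '^(<<<<<<< .*|=======|>>>>>>> .*)$' "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree (not taken from the poster's machine) for an offline run.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ssl"
    cat > "$d/ssl/openssl.cnf" <<'EOF'
<<<<<<< current version
# local edits
=======
# $FreeBSD$
>>>>>>> 10.3-RELEASE
HOME = .
EOF
    # Commented-out markers do not trip the check.
    printf '# a heading\n#=======\nkey = value\n' > "$d/clean.conf"
    echo "$d"
}

sample=$(make_sample)
find_merge_markers "$sample"
echo "files with markers: $(count_marked_files "$sample")"
rm -rf "$sample"
```

On a real system the same function would be pointed at the configuration tree, for example `find_merge_markers /etc`.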

