Installing CA certificates on NetBSD

Frederic Cambus August 27, 2014 [NetBSD]

Using SSL-aware programs which expect a CA certificate path on NetBSD (such as cURL, Git or Wget) without installing CA certificates will result in the following SSL certificate error messages.

Please note that this also happens when using pkgsrc on other systems, and the same installation instructions can be used.

cURL error message:

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Git error message:

git clone
Cloning into 'pkgsrc'...
fatal: unable to access '': SSL certificate problem: unable to get local issuer certificate

Wget error message:

--2014-08-25 16:48:11--
Resolving (, 2001:4f8:3:7:14::25
Connecting to (||:443... connected.
ERROR: cannot verify's certificate, issued by ‘/C=US/O=GeoTrust, Inc./CN=RapidSSL CA’:
  Self-signed certificate encountered.
To connect to insecurely, use `--no-check-certificate'.

In order to fix this issue, we need to install CA certificates distributed by the Mozilla Project (mozilla-rootcerts package), using either pkgsrc or pkgin:

Using pkgsrc:

cd /usr/pkgsrc/security/mozilla-rootcerts
make install clean clean-depends

Using pkgin:

pkgin install mozilla-rootcerts

We can then extract and rehash all CA root certificates:

mozilla-rootcerts install

The combined certificate file will be created in /etc/ssl/certs, and we can now connect safely to secure endpoints.