OpenBSD pkg_add didn't work due to incorrect system time

nabbisen - Feb 18 '22 - - Dev Community

Summary

I met errors on pkg_add and syspatch just after installing OpenBSD on VirtualBox the other day.
They were printed as TLS handshake failure and I solved by modifying /etc/installurl.
However, I didn't know what actually it happened and why.

I Finally found it had been because of wrong time of the machine thanks to kind comments from @yoshi_kaw (Yoshihiro Kawamata). He is a developer of FuguIta (河豚板) OS , a lightweight live system based on OpenBSD.

The point is that it fixes the TLS handshake failure to correct the system time. There are a few ways:

  1. Run rtime to NTP server (temporarily, for required every time)
  2. Configure motherboard on VirtualBox VM
  3. Set kern.utc_offset in /etc/sysctl.conf
    • Alternative to 2.

Course of events and description

Creating VM

I started up VirtualBox and create a new VM and attached OpenBSD ISO to it.
Then I installed OpenBSD following the installer.

Well, my setting on timezone was:

What timezone are you in? ('?' for list) [Asia/Tokyo]
Enter fullscreen mode Exit fullscreen mode

Then, I was asked after files copied:

Time appears wrong. Set to 'Fri Feb 17 23:50:51 JST 2022'? [yes]
Enter fullscreen mode Exit fullscreen mode

Here, neither "yes" nor "no" did work...πŸ˜…

TLS handshake failure

Just after it, I started the new system. In the VM, unfortunately, both syspatch and pkg_add returned the error below:

$ doas pkg_add -u 
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/: TLS handshake failure: ocsp verify failed: ocsp response not current
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: TLS handshake failure: ocsp verify failed: ocsp response not current
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: empty
Enter fullscreen mode Exit fullscreen mode

Nevertheless ping was successful:

$ ping cdn.openbsd.org
ping cdn.openbsd.org
PING cdn.openbsd.org ((...)): 56 data bytes
64 bytes from (...): icmp_seq=0 ttl=254 time=76.429 ms
64 bytes from (...): icmp_seq=1 ttl=254 time=45.498 ms
^C
--- cdn.openbsd.org ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 45.498/60.964/76.429/15.465 ms
Enter fullscreen mode Exit fullscreen mode

How wrong the time was

Here, I printed the system date and time.

$ date
Fri Feb 18 08:51:52 JST 2022
Enter fullscreen mode Exit fullscreen mode

No way. It was night on Feb 17. It seemed set 9 hours fast.

How to fix it

rdate (temporarily)

How could I correct it? rdate! I used time.cloudflare.com, NTP server provided by CloudFlare, a company building "a global network designed to make everything you connect to the Internet secure, private, fast, and reliable".

$ rdate time.cloudflare.com
Thu Feb 17 23:51:28 JST 2022
Enter fullscreen mode Exit fullscreen mode

Then I checked again.

$ date
Thu Feb 17 23:51:53 JST 2022
Enter fullscreen mode Exit fullscreen mode

Yay, fixed.
Now both pkg_add and syspatch will end up with success.

Configure motherboard on VirtualBox VM

As to this issue, rdate has a problem. You have to run it every time you boot up. It's really inconvenient.

Check "Hardware Clock in UTC Time" as below, and it'll be fixed permanently!

configure motherboard on system time

(Optional) Set kern.utc_offset in /etc/sysctl.conf

It is an alternative way to configure vm. Configure kernel instead.

Create /etc/sysctl.conf and write the below in it:

kern.utc_offset=540
Enter fullscreen mode Exit fullscreen mode

Then reboot. You'll see the system information modified:

kern.utc_offset: 0 -> 540
Enter fullscreen mode Exit fullscreen mode

kernel utc offset changed

Fixed

Then, happily, pkg_add and syspatch finished successfully.

$ doas pkg_add -u
quirks-4.54 signed on 2022-02-16T11:41:33Z
quirks-4.54: ok

$ doas syspatch
Enter fullscreen mode Exit fullscreen mode

Conclusion

At the first steps in TLS handshake, client sends CliendHello to server, and server replies ServerHello.
Here, incorrect system time of client resulted in failure saying "ocsp verify failed: ocsp response not current". It is because CA (Certificate Autorities) cannot verify server certificate at the future time. (OCSP means Online Certificate Status Protocol.)

It is possible to fix it to configure system time via VM settings or kernel conf. Also, running rdate to your NTP server is useful temporarily.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .