OpenBSD pkg_add didn't work due to ocsp verify failed

@nabbisen

What happened

Just after installing OpenBSD onto VirtualBox, I couldn’t use syspatch and pkg_add due to the error:

$ doas pkg_add -u 
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/: TLS handshake failure: ocsp verify failed: ocsp response not current
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: TLS handshake failure: ocsp verify failed: ocsp response not current
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: empty

Nevertheless, ping cdn.openbsd.org was successful.

Solution

I modified /etc/installurl:

$ doas vi /etc/installurl

to switch to the FTP server:

- https://cdn.openbsd.org/pub/OpenBSD
+ https://ftp.openbsd.org/pub/OpenBSD

Then it succeeded.

$ doas pkg_add -u
quirks-4.54 signed on 2022-02-12T18:54:43Z
quirks-4.54: ok

Why it happened (guess)

After a while (an hour), I reverted /etc/installurl:

- https://ftp.openbsd.org/pub/OpenBSD
+ https://cdn.openbsd.org/pub/OpenBSD

It didn’t produce any error:

$ doas pkg_add -u
quirks-4.54 signed on 2022-02-12T18:54:43Z

To my surprise, it may have been fixed over time. Apart from that, the first success may have done it.

I guess it was because of the ntp status. I had perhaps never met the failure when installing OpenBSD onto a physical server.

For information, the ntp status was as below after the failure had been fixed:

$ doas ntpctl -s status
5/5 peers valid, constraint offset -32564s, clock unsynced, clock offset is -32561707.819ms
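
As an added example (not part of the original post), this sh sketch shows how a clock offset like the one in the ntpctl output above can make an OCSP validity window look expired for one response while another still passes. The 60-second tolerance, the reference timestamp, the two response windows and the sign convention (offset = reference time minus local time) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. All timestamps are constructed.
TOLERANCE=60   # seconds of slack allowed by this sketch (assumed value)

# Print the clock offset from `ntpctl -s status` output, in whole seconds.
# Returns 1 when the line carries no "clock offset is ...ms" field.
ntp_offset_seconds() {
    printf '%s\n' "$1" | awk '
        match($0, /clock offset is -?[0-9.]+ms/) {
            # skip the 16-character label, drop the trailing "ms"
            s = substr($0, RSTART + 16, RLENGTH - 18)
            printf "%d\n", s / 1000
            found = 1
        }
        END { exit !found }'
}

# Local wall-clock reading for a reference time ($1) and an NTP offset ($2).
# Assumes offset = reference - local, so a negative offset means the local
# clock runs ahead of the reference.
local_clock() {
    echo $(( $1 - $2 ))
}

# Is an OCSP response with window [thisUpdate=$1, nextUpdate=$2] current at
# time $3? All values are epoch seconds. Prints a verdict; returns 1 if not.
ocsp_is_current() {
    if [ "$1" -gt $(( $3 + TOLERANCE )) ]; then
        echo "not current: thisUpdate is in the future"; return 1
    elif [ "$2" -lt $(( $3 - TOLERANCE )) ]; then
        echo "not current: nextUpdate has passed"; return 1
    fi
    echo "current"
}

# The ntpctl line is the one quoted in the post; everything else is constructed.
STATUS='5/5 peers valid, constraint offset -32564s, clock unsynced, clock offset is -32561707.819ms'
REF_NOW=1645000000
offset=$(ntp_offset_seconds "$STATUS")
skewed=$(local_clock "$REF_NOW" "$offset")
echo "offset ${offset}s, local clock reads $skewed"
# Response A expires 4 h after the reference time, response B 3 days after.
for next in $(( REF_NOW + 14400 )) $(( REF_NOW + 259200 )); do
    this=$(( REF_NOW - 3600 ))
    echo "accurate clock: $(ocsp_is_current "$this" "$next" "$REF_NOW")"
    echo "skewed clock:   $(ocsp_is_current "$this" "$next" "$skewed")"
done
```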

A sequel

I wrote a post about the real reason, which I discovered a few days later.

Series

Virtualization
  1. OpenBSD pkg_add didn't work due to ocsp verify failed
  2. OpenBSD pkg_add didn't work due to incorrect system time
