NetBSD-current: Shared object "libssl.so.14" not found

After switching to NetBSD-current in this VM (after xbd(4) was fixed to work with 4k sector size), no packages could be installed from pkgsrc:

$ cd /usr/pkgsrc/misc/cowsay
$ make
/usr/pkg/sbin/pkg_info: Shared object "libssl.so.14" not found
/usr/pkg/sbin/pkg_admin: Shared object "libssl.so.14" not found
/usr/pkg/sbin/pkg_admin: Shared object "libssl.so.14" not found
make: "/usr/pkg/sbin/pkg_admin -K ${_CROSS_DESTDIR}/usr/pkg/pkgdb
config-var PKGVULNDIR" returned non-zero status
[...]

/usr/pkg/sbin/pkg_admin: Shared object "libssl.so.14" not found
ERROR: This package has set PKG_FAIL_REASON:
ERROR: Circular dependency detected

Weird. Both the kernel and userland have been built and booted successfully, but why is it missing a library?

$ /usr/libexec/locate.updatedb
$ locate libssl
/usr/lib/i386/libssl.a
/usr/lib/i386/libssl_p.a
/usr/lib/libssl.a
/usr/lib/libssl_p.a
/usr/lib/pkgconfig/libssl.pc

And that was all it found. An old posting on current-users mentioned something similar, and the solution was to grab base from an earlier release. And indeed:

$ curl -L -o base-head.tar.xz \
    https://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/latest/amd64/binary/sets/base.tar.xz

$ curl -L -o base-9.tar.xz \
    https://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/latest/amd64/binary/sets/base.tar.xz

$ tar -tJf base-head.tar.xz | grep usr/lib/libssl.so
./usr/lib/libssl.so
./usr/lib/libssl.so.15
./usr/lib/libssl.so.15.0

$ tar -tJf base-9.tar.xz | grep usr/lib/libssl.so
./usr/lib/libssl.so
./usr/lib/libssl.so.14
./usr/lib/libssl.so.14.0

When NetBSD 10 is released, the pkgsrc repository will surely be updated. But until this happens, let's install libssl.so.14 from NetBSD 9:

# mkdir /usr/local
# tar --strip-components 2 -C /usr/local/ \
    -xvJf base-9.tar.xz usr/lib/libssl.so* lib/libcrypto.so*
x libcrypto.so
x libcrypto.so.14
x libcrypto.so.14.1
x lib/libssl.so
x lib/libssl.so.14
x lib/libssl.so.14.0

# mv /usr/local/libcrypto* /usr/local/lib/

Note: for some reason libssl is in /usr/lib while libcrypto is in /lib ¯\_( ツ )_/¯.

Add /usr/local/lib to ld.so.conf:

$ cat /etc/ld.so.conf
/usr/local/lib
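
The libraries taken from base-9.tar.xz now sit on the run-time linker's search path, so the set is worth checking against the published checksum list before the extraction step. This is an added example, not part of the original post: it assumes the SHA512 file from the same sets/ directory was saved locally as SHA512-9 (a hypothetical name), and the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): check a downloaded set against
# a BSD-style checksum list before extracting libraries from it as root.

# sha512_of FILE: print the hex SHA-512 digest of FILE.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif cksum -a sha512 /dev/null >/dev/null 2>&1; then
        cksum -a sha512 "$1" | awk '{print $NF}'   # NetBSD cksum(1)
    else
        openssl dgst -sha512 "$1" | awk '{print $NF}'
    fi
}

# expected_sha512 LIST NAME: print the digest LIST records for NAME.
# LIST lines are assumed to look like: SHA512 (base.tar.xz) = <hex>
expected_sha512() {
    awk -v want="($2)" '
        $1 == "SHA512" && $2 == want && $3 == "=" { print $4; found = 1; exit }
        END { exit !found }' "$1"
}

# verify_set LIST FILE [NAME]: 0 if FILE matches the entry for NAME,
# 1 on mismatch, 2 if LIST has no entry. NAME defaults to FILE's basename.
verify_set() {
    list=$1; file=$2; name=${3:-$(basename "$2")}
    want=$(expected_sha512 "$list" "$name") || {
        echo "no SHA512 entry for $name in $list" >&2; return 2; }
    got=$(sha512_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2
        return 1
    fi
}

# Usage with the post's file names; SHA512-9 is an assumed local name for the
# list saved from the netbsd-9 sets/ directory:
#   verify_set SHA512-9 base-9.tar.xz base.tar.xz &&
#       tar --strip-components 2 -C /usr/local/ \
#           -xvJf base-9.tar.xz usr/lib/libssl.so* lib/libcrypto.so*
```

A list fetched from the same mirror as the set catches truncated or corrupted downloads; it does not protect against a tampered mirror.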

Let's try the build now:

# make
=> Bootstrap dependency digest>=20211023: found digest-20220214
=> Fetching cowsay-3.04.tar.gz
=> Total size: 31961 bytes
FFFFFFFFFFFFFFFF:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate \
    verify failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1889:
ftp: Can't connect to `github.com:https'

We are still missing the CA certificates. There are actually two packages to choose from:

# ls -1d /usr/pkgsrc/*/*rootcert*
/usr/pkgsrc/security/mozilla-rootcerts
/usr/pkgsrc/security/mozilla-rootcerts-openssl

...but we will need the mozilla-rootcerts-openssl package here:

# cat /usr/pkgsrc/security/mozilla-rootcerts/DESCR
[...]
NB: This package provides certificates, but does not as a consequence
of installation place them in a location that makes them immediately
usable by SSL/TLS implementations.

# head -3 /usr/pkgsrc/security/mozilla-rootcerts-openssl/DESCR 
This package configures the Mozilla rootcerts bundle CAs as trust
anchors in OpenSSL, so that programs using OpenSSL will be able to use
them to validate SSL certificates.

# cd /usr/pkgsrc/security/mozilla-rootcerts-openssl
# make install
# make clean

With all that in place we are finally able to build packages. For example, we'd need curl, and doas so that we can build as non-root, and maybe pkgin so that we don't have to build at all :-)