From: Andrea Venturoli
To: Yasuhiro KIMURA, freebsd-questions@freebsd.org
Subject: Re: security/ca_root_nss missing Let's Encrypt X3 certificate
Date: Tue, 26 Mar 2019 14:45:26 +0100

On 3/26/19 11:58 AM, Yasuhiro KIMURA wrote:

> What server application do you use?

I use Let's Encrypt certificates in Apache's HTTPd, sendmail, cyrus-imap, etc...
However, this is not relevant here: I'm talking about FreeBSD as a client and not necessarily connecting to "my" servers.

> Let's Encrypt Authority X3 is signed by DST Root CA X3.

Ok.

> And DST Root CA X3 is included in security/ca_root_nss.

Right again: I did not notice this.

> So if you configured server application
> properly it should be able to use server certificates issued by Let's
> Encrypt.

Again, it's not a server problem, but rather a client program.

It works now, even if I didn't change anything!!!
I don't know what happened really... several sites were not working, but they are reachable again.

Thanks anyway and sorry for the noise!

 bye
	av.