From: Marcin Cieslak
To: ports@FreeBSD.org
Date: Sun, 4 Jun 2017 21:48:02 +0000
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how? [somehow solved]

On Thu, 1 Jun 2017, Marcin Cieslak wrote:

> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error

My temporary solution to this problem is to pin the CA certificate
in the port itself:

commit 7eec5787c09565b0b2dfc4b2cee176c8509474b2
Author: Marcin Cieślak
Date:   Sun Jun 4 21:31:22 2017 +0000

    Hardwire CA certificate to facilitate HTTPS downloads

    Ports do not have a public key infrastructure to facilitate ports that need to be fetched using https only. So we hardcode a root certificate used by Let's Encrypt for now.

diff --git a/shells/ksh93/Makefile b/shells/ksh93/Makefile index 10f826c..c1ddef2 100644 --- a/shells/ksh93/Makefile +++ b/shells/ksh93/Makefile 
@@ -24,7 +24,7 @@ LICENSE= EPL OPTIONS_DEFINE= EXAMPLES STATIC -FETCH_ENV= HTTP_AUTH=basic:*:I\ accept\ www.opensource.org/licenses/cpl:. +FETCH_ARGS+= --ca-cert="${FILESDIR}/dst_root_ca_x3.crt" LDFLAGS+= -lm MAKE_ENV= CCFLAGS="${CFLAGS}" NO_WRKSUBDIR= yes diff --git a/shells/ksh93/files/dst_root_ca_x3.crt b/shells/ksh93/files/dst_root_ca_x3.crt new file mode 100644 index 0000000..e2bd36f --- /dev/null +++ b/shells/ksh93/files/dst_root_ca_x3.crt 
@@ -0,0 +1,22 @@ +subject=/O=Digital Signature Trust Co./CN=DST Root CA X3 +issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3 +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE-----

https://github.com/saper/ports-exp/commit/7eec5787c09565b0b2dfc4b2cee176c8509474b2
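
Review bot: the shells/ksh93/Makefile hunk deletes the FETCH_ENV= HTTP_AUTH=basic:... line without a word about it in the commit message, so it is unclear whether the "I accept www.opensource.org/licenses/cpl" login is no longer needed for the new download location or was dropped by accident; say which in the log, or keep the line next to the new FETCH_ARGS. The added --ca-cert also makes this one file the only trust anchor for every fetch the port performs, so any other download location for the distfile that does not chain to DST Root CA X3 should now fail verification; a short comment above FETCH_ARGS noting that would help.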
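
Review bot: nothing in the commit records where the PEM in shells/ksh93/files/dst_root_ca_x3.crt came from or what its fingerprint is, and the log calls it "a root certificate used by Let's Encrypt" while the file's subject= and issuer= lines name Digital Signature Trust Co. DST Root CA X3. Add the source, the SHA-256 fingerprint and the expiry date to the commit message or as a comment next to FETCH_ARGS, and spell out how this root relates to the Let's Encrypt Authority X3 issuer from the failing fetch, so the blob can be verified independently and replaced in time. Since the file lives under this port's files/ directory, each further port with an HTTPS-only distfile would need its own copy.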