From: Lorenzo Salvadore
To: FreeBSD Questions
Date: Tue, 26 Mar 2019 15:10:05 +0000
Subject: Re: security/ca_root_nss missing Let's Encrypt X3 certificate
In-Reply-To: <2ed32cc3-ab80-7a0c-58c2-152bee067f7a@netfence.it>
References: <20190326.195821.2023506369953085466.yasu@utahime.org> <2ed32cc3-ab80-7a0c-58c2-152bee067f7a@netfence.it>
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 26 March 2019 14:45, Andrea Venturoli wrote:

> On 3/26/19 11:58 AM, Yasuhiro KIMURA wrote:
>
> > What server application do you use?
>
> I use Let's Encrypt certificates in Apache's HTTPd, sendmail,
> cyrus-imap, etc...
> However, this is not relevant here: I'm talking about FreeBSD as a
> client and not necessarily connecting to "my" servers.
>
> > Let's Encrypt Authority X3 is signed by DST Root CA X3.
>
> Ok.
>
> > And DST Root CA X3 is included in security/ca_root_nss.
>
> Right again: I did not notice this.
>
> > So if you configured the server application
> > properly it should be able to use server certificates issued by Let's
> > Encrypt.
>
> Again, it's not a server problem, but rather a client program.
>
> It works now, even if I didn't change anything!!!
> I don't know what happened really... several sites were not working, but
> they are reachable again.
>
> Thanks anyway and sorry for the noise!
>
> bye
> av.
I sometimes experienced similar strange behaviors with certificates. I do not know very well how certificates work, but I think time is a factor and if responses arrive too late the certificate is not correctly recognized (please, be patient if I'm wrong, my knowledge on the topic is vague).

I notice that we are both from Italy: I wonder if the problem is that our connections sometimes are too slow to have certificates work correctly.

Lorenzo Salvadore.
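The thread turns on two client-side questions: is the root that signed the intermediate (DST Root CA X3 for Let's Encrypt Authority X3) actually in the trust bundle, and why does verification sometimes fail and then work again with nothing changed. The script below is an added example, written for this page and not posted by anyone in the thread. It builds a throwaway root / intermediate / leaf PKI with the openssl command-line tool and then runs the checks a client performs: full chain against the right root, chain with the intermediate missing, chain against a bundle holding the wrong root, and the same good chain evaluated with the client's clock two days behind and two years ahead. The last two show what "time is a factor" means concretely: openssl compares the certificate's notBefore/notAfter window against the clock of the verifying machine at the moment of verification. It assumes openssl 1.1.1 or later is installed; every certificate name and the hostname www.example.org are made up, and /usr/local/share/certs/ca-root-nss.crt is the default path where the security/ca_root_nss port installs its bundle.

```shell
# Added example (not from the thread): throwaway root -> intermediate -> leaf
# PKI built with the openssl CLI (1.1.1+), plus the checks that tell apart
# "root not in the trust bundle", "intermediate not sent" and "clock outside
# the validity window". All names here are made up.
set -eu

# Generate the demo certificates under $1: root.crt and int.crt are CAs,
# leaf.crt is a 90-day server cert issued by int.crt, and other.crt is an
# unrelated self-signed root standing in for "a bundle without our root".
make_demo_pki() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.org
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    for n in root other int leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/$n.key" 2>/dev/null
    done
    for n in root other; do   # two self-signed roots, valid one year from now
        openssl req -x509 -new -key "$dir/$n.key" -config "$dir/ext.cnf" \
            -extensions ca_ext -subj "/CN=Demo $n CA" -days 365 -out "$dir/$n.crt"
    done
    # Intermediate issued by the root (the DST Root CA X3 -> Let's Encrypt
    # Authority X3 relationship from the thread), then the leaf.
    openssl req -new -key "$dir/int.key" -config "$dir/ext.cnf" \
        -subj "/CN=Demo Intermediate CA" -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -set_serial 1000 -extfile "$dir/ext.cnf" -extensions ca_ext -days 365 \
        -out "$dir/int.crt" 2>/dev/null
    openssl req -new -key "$dir/leaf.key" -config "$dir/ext.cnf" \
        -subj "/CN=www.example.org" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -set_serial 2000 -extfile "$dir/ext.cnf" -extensions leaf_ext -days 90 \
        -out "$dir/leaf.crt" 2>/dev/null
}

# verify_leaf TRUSTFILE UNTRUSTED ATTIME LEAF: what a client does. TRUSTFILE
# plays the role of ca-root-nss.crt; UNTRUSTED is the intermediate the server
# should send (empty = it did not); ATTIME is an epoch second at which the
# validity window is evaluated (empty = real clock). Exit 0 iff it verifies.
verify_leaf() {
    trust=$1; untrusted=$2; attime=$3; leaf=$4
    set -- -CAfile "$trust" -no-CApath
    [ -n "$untrusted" ] && set -- "$@" -untrusted "$untrusted"
    [ -n "$attime" ] && set -- "$@" -attime "$attime"
    openssl verify "$@" "$leaf" >/dev/null 2>&1
}

# bundle_has_issuer_of BUNDLE CERT: is the issuer of CERT in the PEM bundle?
# Compared by subject-name hash, the key OpenSSL itself uses to find an
# issuer, so this is how to ask "is DST Root CA X3 in ca-root-nss.crt?"
bundle_has_issuer_of() {
    want=$(openssl x509 -in "$2" -noout -issuer_hash)
    split=$(mktemp -d)
    awk -v dir="$split" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    found=1
    for c in "$split"/*.pem; do
        [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ] && { found=0; break; }
    done
    rm -rf "$split"
    return $found
}

report() { label=$1; shift; if "$@"; then echo "accepted : $label"; else echo "rejected : $label"; fi; }

run_demo() {
    work=$(mktemp -d); make_demo_pki "$work"; now=$(date +%s)
    report "root trusted, intermediate sent" \
        verify_leaf "$work/root.crt" "$work/int.crt" "" "$work/leaf.crt"
    report "root trusted, intermediate not sent" \
        verify_leaf "$work/root.crt" "" "" "$work/leaf.crt"
    report "other root trusted, intermediate sent" \
        verify_leaf "$work/other.crt" "$work/int.crt" "" "$work/leaf.crt"
    report "client clock two days behind" \
        verify_leaf "$work/root.crt" "$work/int.crt" "$((now - 2*86400))" "$work/leaf.crt"
    report "client clock two years ahead" \
        verify_leaf "$work/root.crt" "$work/int.crt" "$((now + 730*86400))" "$work/leaf.crt"
    report "bundle contains the intermediate's issuer" \
        bundle_has_issuer_of "$work/root.crt" "$work/int.crt"
    rm -rf "$work"
}

run_demo
```

Run it with `sh` and only the first and last checks come back "accepted". To apply the bundle check to a real site, save the intermediate the server sends (for instance from `openssl s_client -showcerts -connect host:443`) to a file and call `bundle_has_issuer_of /usr/local/share/certs/ca-root-nss.crt that-file.pem`; an intermediate whose issuer is missing there is the only case that the port can fix, while the intermediate-not-sent and clock cases fail in exactly the same way on every client regardless of network speed.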