From owner-freebsd-questions@freebsd.org  Fri Oct  1 01:15:00 2021
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id A9FC2674327
 for <freebsd-questions@mailman.nyi.freebsd.org>;
 Fri,  1 Oct 2021 01:15:00 +0000 (UTC)
 (envelope-from tech-lists@zyxst.net)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com
 [64.147.123.25])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4HLBwz1Pwyz58s1
 for <freebsd-questions@freebsd.org>; Fri,  1 Oct 2021 01:14:59 +0000 (UTC)
 (envelope-from tech-lists@zyxst.net)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.west.internal (Postfix) with ESMTP id 25373320079B
 for <freebsd-questions@freebsd.org>; Thu, 30 Sep 2021 21:14:58 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Thu, 30 Sep 2021 21:14:58 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zyxst.net; h=
 date:from:to:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=fm3; bh=BsUY4jHaoVz8g4keZ0wGrztQt7z
 coRUH/SNwfgT1MEc=; b=gwnKoMB0e1wSzFsu2u2myYSsKUWpmW8yyw8jQw56zuZ
 BclEo61Qiq94O0+XNhQ538of0wX1v2eYJik7vZ+auAjf4jkUcN6xDImFAmIcPseK
 BONGV0KcI+N2XLrtusvWnjb/+S66m7YPXWBO6RkID5v+TttaBWjMQusnTADjwnmh
 5IPOd3Tef8+Wsskxe3QurOAXUnFa7iXBRdKZADfxRUFPpDoGwLQQo7TTDg5OsMGt
 0vPoRbmivYPmhBobs4BWfbYoFtDAm+hMx5OpnOASZqy5HhpEMG8N/ZiaTOYVar+3
 CYmE7T20fZDo8xnaIBynWAHnoaSEofnVt/n+Ddoqvyw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=BsUY4j
 HaoVz8g4keZ0wGrztQt7zcoRUH/SNwfgT1MEc=; b=O1/1aurhHyn5Qmea+ZD4bB
 SuyuF6nnM516yXogQYgq/43NFcXtc9upQJoAwPHwjg//7eF4YJ6aaZLTviErGe6E
 J6ts+ZGQu7e3ksUY0dg/oQFySMd6LyzcC6ZToVVDq75F7qrkjawzuJ6dE7U3y33Y
 vQ75czwl+sig+UkiHYN0S+t1G2EhUf4E9ALVCUz54xk5xWvzMOnbQlWXCspfeJQM
 VRNYl+0M1K/rLpoEbKCdXBiBF/LBNPTByGsM9Ko2yjboOS7fEFwo9/Qmo9BPQgmG
 kOEc9Di6UG8YbsUl/5dPrTMUo9O1K7g5iIHZxVtnivk8C/Ol6OS6Y4FLT6AuEbKA
 ==
X-ME-Sender: <xms:EWFWYToE0HmZqcjRDKasjYbZBTCT8I61s3wGGlG6Cy7m_SGUm0q0xA>
 <xme:EWFWYdoEzDo2ZD3pSPZV41fthPL_xxe8JtqMhA_gM13vJoJVuJggkY3l7Q7h2-2dR
 6Z4e72lYQl5vKCt2Q>
X-ME-Received: <xmr:EWFWYQNFktH0kN1MDOC_LwhILcWx9qR_f6w-yEqEB1clSjs9pZCJxmHusdrd60VMtlo49AAh40Vj>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudekhedggeefucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujgesghdtre
 ertddtudenucfhrhhomhepthgvtghhqdhlihhsthhsuceothgvtghhqdhlihhsthhsseii
 hiigshhtrdhnvghtqeenucggtffrrghtthgvrhhnpeevffeujefggefhfeekudetvdehtd
 ehudfgffeigeefveefheegvddvtdehffeljeenucevlhhushhtvghrufhiiigvpedtnecu
 rfgrrhgrmhepmhgrihhlfhhrohhmpehtvggthhdqlhhishhtshesiiihgihsthdrnhgvth
X-ME-Proxy: <xmx:EWFWYW6A7yJILOHPXGM1W886miJ9SIxjoETec_DlK8_4SL1JikzWWA>
 <xmx:EWFWYS5HCBNts7VmNvSlVB9qkVPEEmjMXKztVkAyd7dDEyqcyf2-aQ>
 <xmx:EWFWYeg-yI0TGbCG9zIOkot6K11q7AcAPHYnEj96BI9nQ2MkJWyeLw>
 <xmx:EWFWYUH8IhUQdmLQW1sIKBbl-2oBqzHEUw0qMStNC6O98cxNJGLy0A>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <freebsd-questions@freebsd.org>; Thu, 30 Sep 2021 21:14:57 -0400 (EDT)
Date: Fri, 1 Oct 2021 02:14:55 +0100
From: tech-lists <tech-lists@zyxst.net>
To: freebsd-questions@freebsd.org
Subject: Re: expired Lets Encrypt CA and fetch
Message-ID: <YVZhD3obEBAl5Gsz@ceres.zyxst.net>
Mail-Followup-To: freebsd-questions@freebsd.org
References: <b5400e1d-acde-3ca4-f244-d935df9544ab@sentex.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="/aLlHImdz615w1yu"
Content-Disposition: inline
In-Reply-To: <b5400e1d-acde-3ca4-f244-d935df9544ab@sentex.net>
X-Rspamd-Queue-Id: 4HLBwz1Pwyz58s1
X-Spamd-Bar: ------
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=zyxst.net header.s=fm3 header.b=gwnKoMB0;
 dkim=pass header.d=messagingengine.com header.s=fm3 header.b="O1/1aurh";
 dmarc=none;
 spf=none (mx1.freebsd.org: domain of tech-lists@zyxst.net has no SPF policy
 when checking 64.147.123.25) smtp.mailfrom=tech-lists@zyxst.net
X-Spamd-Result: default: False [-6.50 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 TO_DN_NONE(0.00)[]; RCVD_COUNT_THREE(0.00)[4];
 MID_RHS_MATCH_FROMTLD(0.00)[];
 DKIM_TRACE(0.00)[zyxst.net:+,messagingengine.com:+];
 NEURAL_HAM_SHORT(-1.00)[-1.000]; SIGNED_PGP(-2.00)[];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~];
 RCVD_TLS_LAST(0.00)[];
 ASN(0.00)[asn:11403, ipnet:64.147.123.0/24, country:US];
 RCVD_IN_DNSWL_LOW(-0.10)[64.147.123.25:from]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
 R_DKIM_ALLOW(-0.20)[zyxst.net:s=fm3,messagingengine.com:s=fm3];
 FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org];
 DMARC_NA(0.00)[zyxst.net]; RCPT_COUNT_ONE(0.00)[1];
 DWL_DNSWL_LOW(-1.00)[messagingengine.com:dkim];
 R_SPF_NA(0.00)[no SPF record];
 RWL_MAILSPIKE_POSSIBLE(0.00)[64.147.123.25:from];
 MAILMAN_DEST(0.00)[freebsd-questions]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2021 01:15:00 -0000


--/aLlHImdz615w1yu
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:

>fails on releng11 and some RELENG_12, but not recent releng13.=A0 Does
>anyone know whats going on and why its so inconsistent ? If I remove the
>expired CA entry from the bundle, it works but I dont have to on all
>clients ? Anyone know whats going on ?

It fails for me on 12.2-p7 and 13.0-p4 and stable/13 as of a few days
ago with fetch.

On the stable/13 the site works in firefox-93.0,2
On lynx-2.8.9.1_1,1 on the same system I get a warning if I want to
continue as it's expired (n) choose (y) and it loads
On 12.2-p7 lynx-current-2.9.0d9 is the same.

I have no clue why your recent releng13 works. Maybe your fetch on=20
there is linked to the ssl a browser would use?=20
--=20
J.

--/aLlHImdz615w1yu
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE8n3tWhxW11Ccvv9/s8o7QhFzNAUFAmFWYQUACgkQs8o7QhFz
NAWoERAAiNEeGpDw3R25bUxbnMKUE11HXAKVeneHLvyiriLtkLZ80hbW4U1VtR3F
Am3qONyG4e9/xidnZAqTlRzhwQXUud22iRmzNpessg3+GzAiQFBGBx1T8kfrEfuh
NcVPE6e2XJ3HJtQRpM0CmmQMb5JuUPxa6mfhGw80x0ES4ZnHuVJHFPB24mAaXB1z
swifx+wIrM4rFf9J3zcJs+aQREXRsV2yfzovSH5uZXgXpd8Fp/JWkdkiZetTrj/W
zZJcdP8S1BcJUDi/JWNe0z5hZAr3lTE0FgOPyeohiG90H1o5HBq55xkhHOjtec0E
pvRtSV2Nl8STN9VzVnyEMGDY9H0JZdrWTIVmSDUfEMQHyC0WUkCMmThps82NXPs0
Kykd35Etts+FDKND5JPXQTC9m9AZDpamkB2NdcPrI7Pmbu9wuHnGhW4Z31MHyjhD
nEn1jDAJJ/5HIX01BxpZ38TeIzVfnxHWTALx8BS+wJgDxtMj2lz8Y9B8Ta+Tmm7a
VNjicRe3E7jRAWUc6gn5Y0MxL1ECl8OKdAxsWVttrm4iPO4t3Sv7HcMblXqj63Da
lRYRHRtalQWEpKBGyGeHdXD3h2mJ31svGoxGX41rNjL2aKUE18OaZV41W72VJttt
kRwQvRbIpLE1UDqxhnDmnXjcp60oIAqBQ8oK97f+owlxjJTiiU4=
=2UQD
-----END PGP SIGNATURE-----

--/aLlHImdz615w1yu--