From: Freddie Cash <fjwcash@gmail.com>
Date: Thu, 1 Jun 2017 18:20:30 -0700
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how?
To: Marcin Cieslak <saper@saper.info>
Cc: FreeBSD Ports Mailing List <ports@freebsd.org>, Jov <zhao6014@gmail.com>

On Jun 1, 2017 4:06 PM, "Marcin Cieslak" <saper@saper.info> wrote:

On Thu, 1 Jun 2017, Jov wrote:

> can you download the file distfiles/INIT.2014-12-24.tgz
> <https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz> using
> browser such as chrome？

Yes, Firefox, IE11, no certificate warnings.

> be sure to use full chain cert file，I remember I had similar problem and use
> full chain cert fixed.

(Without the root CA):

Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

How should fetch know that "=Digital Signature Trust Co./CN=DST Root CA X3"
is a valid CA if none have been installed?

Marcin Cieślak

In your web server configuration, are you using the Let's Encrypt cert.pem
or fullchain.pem?

If you use the former, then any client that doesn't have the DST Root CA
pre-installed will error out. The latest versions of browsers will work, as
they include the DST Root CA.

If you use the latter, then it will just work, as the server will send all
the intermediate certificate info needed to reach the root.

Cheers,
Freddie
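
The cert.pem versus fullchain.pem question and the "no CA installed" question from this thread, as an added example that is not part of the original messages: it builds a constructed three-level PKI with the openssl CLI and checks which combinations of client trust store and served file verify. The CA names, file layout and the helper functions build_pki and client_accepts are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, Demo Root -> demo-inter -> demo-leaf.
# All names are hypothetical stand-ins for the DST root / Let's Encrypt chain.
set -e

build_pki() {  # $1 = empty working directory
    (
        cd "$1"
        printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
            '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
            '[v3_leaf]' 'basicConstraints=CA:FALSE' > x.cnf
        openssl req -config x.cnf -extensions v3_ca -x509 -newkey rsa:2048 \
            -nodes -days 2 -subj '/CN=Demo Root' -keyout root.key -out root.pem
        for n in inter leaf; do
            openssl req -config x.cnf -new -newkey rsa:2048 -nodes \
                -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr"
        done
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 2 -extfile x.cnf -extensions v3_ca -out inter.pem
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 2 -extfile x.cnf -extensions v3_leaf -out cert.pem
        cat cert.pem inter.pem > fullchain.pem  # leaf + intermediate, no root
        mkdir no-cas                            # CA directory with nothing installed
    ) >/dev/null 2>&1
}

# Would a client accept the leaf, given its trust store and what the server sent?
# $1 = dir, $2 = trusted root file or "none", $3 = served file (cert.pem|fullchain.pem)
client_accepts() {
    if [ "$2" = none ]; then
        # Empty CA directory; the demo root is in no system store either.
        openssl verify -CApath "$1/no-cas" -untrusted "$1/$3" "$1/cert.pem"
    else
        openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/cert.pem"
    fi >/dev/null 2>&1
}

d=$(mktemp -d)
build_pki "$d"
for c in "root.pem cert.pem" "root.pem fullchain.pem" "none fullchain.pem"; do
    set -- $c
    if client_accepts "$d" "$1" "$2"; then r=accepted; else r=REJECTED; fi
    echo "trust=$1 served=$2 -> $r"
done
rm -rf "$d"
```

Only the middle case verifies: the served intermediate bridges the leaf to a root the client already trusts, and a client with no root installed rejects even the full chain.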