Date: Fri, 2 Jun 2017 02:13:50 +0000 From: Marcin Cieslak <saper@saper.info> To: Freddie Cash <fjwcash@gmail.com> Cc: FreeBSD Ports Mailing List <ports@freebsd.org>, Jov <zhao6014@gmail.com> Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how? Message-ID: <nycvar.OFS.7.76.1706020205380.65985@z.fncre.vasb> In-Reply-To: <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com> References: <nycvar.OFS.7.76.1705312355300.37923@z.fncre.vasb> <CADyrUxPNzd_49dxg0yfjEC8vjb-OgqOCnVZQTjDM3wJ9D2bcnQ@mail.gmail.com> <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb> <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--1563967779-170823914-1496369630=:65985 Content-Type: text/plain; charset=ISO-8859-2 Content-Transfer-Encoding: 8BIT On Thu, 1 Jun 2017, Freddie Cash wrote: > In your web server configuration, are you using the Let's Encrypt cert.pem > or fullchain.pem? fullchain.pem > If you use the former, then any client that doesn't have the DST Root CA > pre-installed will error out. The latest versions of browsers will work, as > they include the DST Root CA. My fullchain.pem as delivered by dehydrated does not include the DST Root CA. > If you use the latter, then it will just work, as the server will send all > the intermediate certificate info needed to reach the root. To test this theory, I have added DST Root CA to my customized fullchain.pem which now contains: Certificate chain 0 s:/CN=marcincieslak.com i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 so now we have "DST Root CA X3" extra. And the result is: => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93. => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264: fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found so it cannot validate "DST Root CA X3" now, because it does not have the pre-installed CA bundle. Marcin Cieślak --1563967779-170823914-1496369630=:65985 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: BASE64 Content-Description: S/MIME Cryptographic Signature Content-Disposition: attachment; filename=smime.p7s MIIOSwYJKoZIhvcNAQcCoIIOPDCCDjgCAQExDzANBglghkgBZQMEAgEFADAL BgkqhkiG9w0BBwGgggqQMIIElzCCA3+gAwIBAgIOSBtqCKJEiNNcmz3JSA0w DQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENB IC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp Z24wHhcNMTYwNjE1MDAwMDAwWhcNMjQwNjE1MDAwMDAwWjBdMQswCQYDVQQG EwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEzMDEGA1UEAxMqR2xv YmFsU2lnbiBQZXJzb25hbFNpZ24gMSBDQSAtIFNIQTI1NiAtIEczMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyrCba00KOKyGuwh9h+/MAcZm ZUF9OxGKA56AADHaDE08rB0WEbgm6J4XvJP3OGQ7cgHdVJu6XMZkRd6EcfjD yRrIwE6oAVWJe57co3gKk/XxvuubSZuUahrcOiv3D2qaHwva4zumubxQQI4f unEzRIJHPiNjaq0cCcZsMcp5pxsEz8aG0sr8Oh80sxKNnzPmuUETLESktfMC pQKHUGmWXLsG6sgCZOezUjDjKpPKW7l4PUt0TEBEyqLhifv9/YPn5C4o10PP daDazZPeKNif2PVQ5u0HRnkFrHh4wmmrMtY22Mse3eR01gD6rEEGWf+gdzuy EQE+ZVlNhCP4gXjdBQIDAQABo4IBZDCCAWAwDgYDVR0PAQH/BAQDAgEGMCcG A1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDBAYIKwYBBQUHAwkwEgYDVR0T AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlifCwqX3HPgCenpkr2NvMtKYwrEw HwYDVR0jBBgwFoAUj/BLf6guRSSuTVD6Y5qL3uLdG7wwPgYIKwYBBQUHAQEE MjAwMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20v cm9vdHIzMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2ln bi5jb20vcm9vdC1yMy5jcmwwWQYDVR0gBFIwUDALBgkrBgEEAaAyASgwQQYJ KwYBBAGgMgFfMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNp Z24uY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQCxh3ekjKKy RrUdfI6D1U7qUggdFLksiU+KiIqJzJG6GXcQ2KiBy2tF3+KYb0IixXMpIVli VXlcD5Vh4tiMxJ4WONMFt3f7/53gSXLf24WMwErubc+mGMzgUGE5HKC98PcK UV/5pPggQdzPxCBNeiXnLU1tCGYhPatFTDhUBGaVhBeuUCbgR9gpXJ9guqrD OVwouKvovdIeI5KEAcoAAiSL6naeLk/GbKUaBFa2RxXC17e+YyBWtWlWDEM3 1V8pUIx76lkO8IJYREhLcg/LnyoYy5wcrzI6pbX2vw1x/jR3GHSC1AEdoqbE xui2XLLlSa6y9yQNgdkPz7GTLmpwIT+dMIIF8TCCBNmgAwIBAgIMGk4Oe/1h 2+wMOby/MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAkJFMRkwFwYDVQQK ExBHbG9iYWxTaWduIG52LXNhMTMwMQYDVQQDEypHbG9iYWxTaWduIFBlcnNv bmFsU2lnbiAxIENBIC0gU0hBMjU2IC0gRzMwHhcNMTcwNTI1MDg0NDE2WhcN MjAwNTI1MDg0NDE2WjA8MRkwFwYDVQQDDBBzYXBlckBzYXBlci5pbmZvMR8w HQYJKoZIhvcNAQkBFhBzYXBlckBzYXBlci5pbmZvMIICIjANBgkqhkiG9w0B AQEFAAOCAg8AMIICCgKCAgEA2sO3aQNus/oe4ZBZ4fu1Y1mzxnUYAkb4k/dw gMFc2Kd0eRoOY0AHj4rTEi/vVzzizxjLbEwXzQ9cBEAu/PqS8WsOmhZXtlfi szPDmP7ZpOwmNTWKSd9O7jHu9uTCGfEOsocQNYH2ULD1gVFkgKb8jHf+3u9d uCzh6qMomTtwLrCGEP70Lq385xUzRaD6qbOeIB99tpzgvMR6Z0GPTt4z8tLM kfdtohq5llwZ5vYnj/hJohVS9iLMQMHW4nuLj/mLZNaYE1CWJBT1rBwn5YPJ uR6811O9eAP7aX4iG8k1jkiBh+QNgGRBIK4GIdqy7IVRhA7v2OlpLYHMk4zP 9Fs3M+56QromVKBnxfzLhuYMUK6ugj9jwskNVitqlEFUeyfgvmR1jnPRp1Nd XGJllTNwGicR8wkaRj14RxfrvTZfwXs8OBODKFupqun/tNzdpOgyHMGQACss 9yv2SnLGCJvJK3rGIdRZEiUhLZH/Ct4L92dBhev+SjUqWKbHb4yIlGMgLdoh nwqatuWw7iyOeInjcinX7ghiIKDWhulUN493Fzl6kaUBtIIcrb7jzZ2pHAQT WUmuVnCTHk6NtoWB09lvuK77fw4GfxLWDFWkBQiJYPVBrmxlrkCKzrWdTMfS W9BiEC10jT1sSimUBIjDz22RkfsApeBJoAIWjiOZogILu9MCAwEAAaOCAdAw ggHMMA4GA1UdDwEB/wQEAwIFoDCBngYIKwYBBQUHAQEEgZEwgY4wTQYIKwYB BQUHMAKGQWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dz cGVyc29uYWxzaWduMXNoYTJnM29jc3AuY3J0MD0GCCsGAQUFBzABhjFodHRw Oi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NwZXJzb25hbHNpZ24xc2hhMmcz MEwGA1UdIARFMEMwQQYJKwYBBAGgMgEoMDQwMgYIKwYBBQUHAgEWJmh0dHBz Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAw RAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9n c3BlcnNvbmFsc2lnbjFzaGEyZzMuY3JsMBsGA1UdEQQUMBKBEHNhcGVyQHNh cGVyLmluZm8wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1Ud DgQWBBReBINaGUKUo7HCrIjsKLKERu6ooTAfBgNVHSMEGDAWgBSWJ8LCpfcc +AJ6emSvY28y0pjCsTANBgkqhkiG9w0BAQsFAAOCAQEAC0VK968ySq/6B+Kd ecjVThQOKtVXuG17Krfk0xz7OPYR/V+qZtBFm2Uc6tkUEmAmq3Tyf+SE3TTX Q58eJFq0uCTUhIY714ioJs1uVWBz8rPyJ3swkOfDaUXUxkQsBsf73VfKjUk4 kB5MTrApLYUe35NmEY3FqyyX13elhW1tp864vOKM2Git61cYoRn/bwd/z2JM Zkxwkd5JgvmM+p4Da+WO4CUsGzdrZEH8X/8NQIzWtUDIh7VEQZFX5fot/KvH Am8AajtpmNqTfMyg6LfcfJUXSFqXn/KEWu4Td62vX6Pd70dYKUZxnLwYvGqG A4Ktrp9zyrUzxLbmdaPln7CstjGCA38wggN7AgEBMG0wXTELMAkGA1UEBhMC QkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExMzAxBgNVBAMTKkdsb2Jh bFNpZ24gUGVyc29uYWxTaWduIDEgQ0EgLSBTSEEyNTYgLSBHMwIMGk4Oe/1h 2+wMOby/MA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG 9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE3MDYwMjAyMTM1MFowLwYJKoZIhvcN AQkEMSIEICuG942c9omxls5E2OAKgfCshS7uEEVkp0IAPPecUy/EMHkGCSqG SIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgB ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMC AgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIC AJJz5UgzVFBeXPzqP4OPKNClON/WAGRiywb9VcMmfUri4FqhHCplYe76gYtJ 6ADgd5+SDONCEQ05/cICeB5DAQOnhK6u7XLYXTnPvccqrg+g1BuZ/cnmRvlu n9EwKCijg5J4JDUUxwsRBhC9BUR8i0F4mEfSsqsDc9P1GwL3q8mE1fnSBk1A M1ZoljoZxntLKP9Zv8Dnp+u7YXbzxtu0WN33j1nJsQQMA9qUdKj7X0C8GzZh ZlePMrhe6nGDPtwQoP93L4Yw8hDfR+6jPMB0sh1+2h9UHvsDHXTrwgZrLJZp NPyVcwpYMN+l19/8A7CFUQ9La98Rx1GPOPJJAIHkQTc32LlR2Oadpki00ZIe TLgctibQMyIHe5z7CdloMINk+r1TGiiIDy8rE8Lys80ngOwV/dF00OHFmtI1 i65FSk+KdcSh5ORVlGqfUcc7eYcZgjfUOrFa/cmGRoBQ7SB5e5UYbVpaTla+ xj7iLWqsYrYetaJtDcWdfCigyKQyLz6K0j8O8OStuXFiA+mOkCpn8kd2+gy+ HiuHy+qUR9auRmYYazeqKKTt0lAGkNGX/aO1YoRo+X6xdScnvAwJIKhlc0wK 6kw3vHCEeGwcaUmz1m/jyGq/4nukSxDIm7DA9fFkGH81Ae5juVUILHjWQm2h Y+D5CGjfHH53hNIFOKTcW7qI --1563967779-170823914-1496369630=:65985--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?nycvar.OFS.7.76.1706020205380.65985>