Date: Thu, 1 Jun 2017 22:33:53 -0600
From: Adam Weinberger <adamw@adamw.org>
To: Jov <zhao6014@gmail.com>
Cc: Marcin Cieslak <saper@saper.info>, FreeBSD Ports Mailing List <ports@freebsd.org>, Freddie Cash <fjwcash@gmail.com>
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how?
Message-ID: <9D4AA628-1BB2-42DA-860E-829C8C3390FD@adamw.org>
In-Reply-To: <CADyrUxNfPatd2L=VKZdYAa_Q2gHtAdAGkSA=Wh1ZD4zkp4TV4w@mail.gmail.com>
References: <nycvar.OFS.7.76.1705312355300.37923@z.fncre.vasb> <CADyrUxPNzd_49dxg0yfjEC8vjb-OgqOCnVZQTjDM3wJ9D2bcnQ@mail.gmail.com> <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb> <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com> <nycvar.OFS.7.76.1706020205380.65985@z.fncre.vasb> <CADyrUxNfPatd2L=VKZdYAa_Q2gHtAdAGkSA=Wh1ZD4zkp4TV4w@mail.gmail.com>
> On 1 Jun, 2017, at 21:15, Jov <zhao6014@gmail.com> wrote:
> 
> what's your /etc/ssl/cert.pem?
> mine is:
> ls -l /etc/ssl/cert.pem
> lrwxr-xr-x  1 root  wheel  38 4月 29 09:15 /etc/ssl/cert.pem@ -> /usr/local/share/certs/ca-root-nss.crt
> 
> you can use this command to get more ssl connection info:
> openssl s_client -connect <your_domain>:443

I've tried fetching a distfile from my own server (which uses a Let's Encrypt cert) and it fetches fine in a poudriere jail. I'm suspecting that there's something unusual in your web server's SSL configuration, or in how you're generating your LE cert. Do you have any interesting arguments that you're giving dehydrated or your web server?

# Adam

-- 
Adam Weinberger
adamw@adamw.org
https://www.adamw.org

> 
> Jov
> blog: http:amutu.com/blog
> 
> 2017-06-02 10:13 GMT+08:00 Marcin Cieslak <saper@saper.info>:
> 
>> On Thu, 1 Jun 2017, Freddie Cash wrote:
>> 
>>> In your web server configuration, are you using the Let's Encrypt cert.pem
>>> or fullchain.pem?
>> 
>> fullchain.pem
>> 
>>> If you use the former, then any client that doesn't have the DST Root CA
>>> pre-installed will error out. The latest versions of browsers will work, as
>>> they include the DST Root CA.
>> 
>> My fullchain.pem as delivered by dehydrated does not include the DST Root
>> CA.
>> 
>>> If you use the latter, then it will just work, as the server will send all
>>> the intermediate certificate info needed to reach the root.
>> 
>> To test this theory, I have added DST Root CA to my customized fullchain.pem
>> which now contains:
>> 
>> Certificate chain
>>  0 s:/CN=marcincieslak.com
>>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> 
>>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>> 
>>  2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
>>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>> 
>> so now we have "DST Root CA X3" extra.
>> 
>> And the result is:
>> 
>> => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
>> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
>> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
>> fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
>> 
>> so it cannot validate "DST Root CA X3" now, because it does not have the
>> pre-installed CA bundle.
>> 
>> 
>> Marcin Cieślak
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
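The experiment Marcin describes (appending the root CA to the served chain and watching the client still fail) can be reproduced offline. The script below is an added example, not code from this thread: it builds a throwaway PKI with the openssl CLI (the names "Demo Root CA", "Unrelated Root CA" and "distfile.example" are made up), then verifies a served chain against two client bundles, one that contains the root and one that does not. It assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added demo, not from the thread: a constructed PKI (root -> intermediate -> leaf)
# generated here with the openssl CLI in a scratch directory. No real CA involved.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; skipping" >&2; exit 0; }
WORK=$(mktemp -d); cd "$WORK"

# issue NAME SUBJECT EXTENSIONS [CA_CERT CA_KEY]: new key + CSR, then a cert
# signed by the given CA, or self-signed when no CA is given.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
    printf '%s\n' "$3" > "$1.ext"
    if [ -z "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
            -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    fi
}
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

make_pki() {
    issue root  '/O=Demo/CN=Demo Root CA'       "$CA_EXT"
    issue other '/O=Demo/CN=Unrelated Root CA'  "$CA_EXT"   # a root the client does trust
    issue int   '/O=Demo/CN=Demo Intermediate'  "$CA_EXT" root.pem root.key
    issue leaf  '/CN=distfile.example' 'basicConstraints=CA:FALSE' int.pem int.key
    cat leaf.pem int.pem          > fullchain.pem            # what fullchain.pem normally holds
    cat leaf.pem int.pem root.pem > fullchain-with-root.pem  # the "add DST Root CA" experiment
}

# verify_chain SERVED_CHAIN CLIENT_BUNDLE -> prints "ok" or "fail".
# SERVED_CHAIN stands in for what the web server sends; CLIENT_BUNDLE for the
# client's /etc/ssl/cert.pem. Only the bundle can supply the trust anchor.
verify_chain() {
    rm -f served_leaf.pem served_rest.pem
    awk '/BEGIN CERTIFICATE/ { n++ }
         n == 1 { print > "served_leaf.pem" }
         n >  1 { print > "served_rest.pem" }' "$1"
    untrusted=""
    if [ -f served_rest.pem ]; then untrusted="-untrusted served_rest.pem"; fi
    if openssl verify -CAfile "$2" $untrusted served_leaf.pem >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

make_pki
echo "fullchain, client trusts root:      $(verify_chain fullchain.pem root.pem)"
echo "fullchain, client lacks root:       $(verify_chain fullchain.pem other.pem)"
echo "root appended, client lacks root:   $(verify_chain fullchain-with-root.pem other.pem)"
```

The third line reports "fail" just as fetch did in the thread: a self-signed root found in the served chain but absent from the client bundle is rejected, so the fix lives in the client's CA bundle (ca-root-nss on FreeBSD), not in fullchain.pem.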