From: Adam Weinberger <adamw@adamw.org>
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how?
Date: Thu, 1 Jun 2017 22:33:53 -0600
To: Jov
Cc: Marcin Cieslak, FreeBSD Ports Mailing List, Freddie Cash
Message-Id: <9D4AA628-1BB2-42DA-860E-829C8C3390FD@adamw.org>

> On 1 Jun, 2017, at 21:15, Jov wrote:
>
> what's your /etc/ssl/cert.pem?
> mine is:
> ls -l /etc/ssl/cert.pem
> lrwxr-xr-x  1 root  wheel  38 4月 29 09:15 /etc/ssl/cert.pem@ -> /usr/local/share/certs/ca-root-nss.crt
>
> you can use this command to get more ssl connection info:
> openssl s_client -connect :443

I've tried fetching a distfile from my own server (which uses a Let's Encrypt cert) and it fetches fine in a poudriere jail. I'm suspecting that there's something unusual in your web server's SSL configuration, or in how you're generating your LE cert. Do you have any interesting arguments that you're giving dehydrated or your web server?

# Adam

--
Adam Weinberger
adamw@adamw.org
https://www.adamw.org

>
> Jov
> blog: http:amutu.com/blog
>
> 2017-06-02 10:13 GMT+08:00 Marcin Cieslak:
>
>> On Thu, 1 Jun 2017, Freddie Cash wrote:
>>
>>> In your web server configuration, are you using the Let's Encrypt cert.pem
>>> or fullchain.pem?
>>
>> fullchain.pem
>>
>>> If you use the former, then any client that doesn't have the DST Root CA
>>> pre-installed will error out. The latest versions of browsers will work, as
>>> they include the DST Root CA.
>>
>> My fullchain.pem as delivered by dehydrated does not include the DST Root
>> CA.
>>
>>> If you use the latter, then it will just work, as the server will send all
>>> the intermediate certificate info needed to reach the root.
>>
>> To test this theory, I have added DST Root CA to my customized fullchain.pem
>> which now contains:
>>
>> Certificate chain
>>  0 s:/CN=marcincieslak.com
>>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>>
>>  2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
>>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>>
>> so now we have "DST Root CA X3" extra.
>>
>> And the result is:
>>
>> => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
>> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
>> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
>> fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
>>
>> so it cannot validate "DST Root CA X3" now, because it does not have the
>> pre-installed CA bundle.
>>
>>
>> Marcin Cieślak
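The failure Marcin reproduced above comes down to what the client trusts, not what the server sends. The following is an added example, not code from the thread or from dehydrated: it builds a constructed throwaway root, intermediate and leaf (the names Example Root, Example Intermediate and distfile.example are assumptions standing in for DST Root CA X3, Let's Encrypt Authority X3 and the distfile host) and checks each combination of server-sent chain and client CA bundle with openssl verify.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway root -> intermediate -> leaf
# hierarchy with constructed names, used to show which combination of
# server chain and client CA bundle verifies.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:distfile.example\n' > leaf.ext

# Self-signed root (the role DST Root CA X3 plays in the thread)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root' \
    -keyout root.key -out root.pem 2>/dev/null
# Intermediate signed by the root (the Let's Encrypt Authority X3 role)
openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
# Leaf for the distfile host, signed by the intermediate
openssl req -newkey rsa:2048 -nodes -subj '/CN=distfile.example' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

cp int.pem chain.pem                        # what fullchain.pem carries beyond the leaf
cat int.pem root.pem > chain-with-root.pem  # Marcin's experiment: root appended too
: > empty-bundle.pem                        # a client with no CA bundle (the failing jail)

# verify_chain LEAF CHAIN BUNDLE: mimic fetch(1)'s TLS client, which trusts
# only BUNDLE and uses the server-sent CHAIN as untrusted helpers.
verify_chain() {
    openssl verify -no-CApath -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Only the client's trust store decides: a root shipped in the chain does
# not help a client without a bundle, and the normal chain verifies once
# the bundle (what /etc/ssl/cert.pem points at) contains the root.
verify_chain leaf.pem chain.pem root.pem                   && echo "chain, root in bundle:      OK"
verify_chain leaf.pem chain.pem empty-bundle.pem           || echo "chain, empty bundle:        FAIL"
verify_chain leaf.pem chain-with-root.pem empty-bundle.pem || echo "chain+root, empty bundle:   FAIL"
```

The third case is the thread's situation: the server can send DST Root CA X3 all it likes, but a client whose cert.pem bundle is missing still rejects the chain.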