From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions@freebsd.org
Date: Sun, 22 Oct 2023 15:16:40 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Subject: certctl, self-signed certificates and localhost
with nginx, fetch and curl

I'm experimenting with certctl(8) to see if I can get curl and the browser to accept a self-signed certificate, and if I need a local CA as well for this:

```
$ sudo openssl req -newkey rsa:2048 \
    -keyout /usr/local/etc/ssl/keys/localhost.key \
    -x509 -days 365 -nodes -subj '/CN=localhost' \
    -out /usr/local/etc/ssl/certs/localhost.crt
...
$ sudo certctl -v trust /usr/local/etc/ssl/certs/localhost.crt
$ sudo certctl -v rehash
...
Reading ca-root-nss.crt
Adding cd8c0d63.1 to trust store
Scanning /usr/local/etc/ssl/certs for certificates...
Reading localhost.crt
Adding ce275665.0 to trust store
$ certctl -v list | grep ce275665
ce275665.0	subject=CN = localhost

### failures
$ fetch https://localhost/
Certificate verification failed for /CN=localhost
002061F61F310000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://localhost/: Authentication error
$ curl https://localhost/
curl: (60) SSL certificate problem: self-signed certificate

### success
$ curl --cacert /usr/local/etc/ssl/certs/localhost.crt https://localhost/
...
```

Any idea what I'm doing wrong here? Do I need a proper CA and not just a local cert?

BTW nginx config used:

```
# /usr/local/etc/nginx/nginx.conf
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /usr/local/etc/ssl/certs/localhost.crt;
        ssl_certificate_key /usr/local/etc/ssl/keys/localhost.key;

        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
        }
    }
}
```

A+
Dave
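As an added example (not part of Dave's post), the POSIX shell script below generates a self-signed localhost certificate the way the post does, then shows what a verifier actually sees: the subject-hash file name certctl(8) would give it, whether a DNS SAN is present, that it verifies against itself (what `curl --cacert` does) and that it fails against the default store (what plain `curl`/`fetch` do). It adds a `subjectAltName`, which the post's `openssl req` command omits, and assumes only that the openssl(1) CLI is on PATH; no trust store is modified.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl(1)
# CLI is on PATH; nothing touches the system trust store.

# Key + self-signed cert as in the post, plus a DNS SAN: clients match
# the SAN list, not the CN, so CN=localhost alone is not enough.
mk_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=localhost' -addext 'subjectAltName=DNS:localhost' \
        -keyout "$1/localhost.key" -out "$1/localhost.crt" 2>/dev/null
}

# Subject hash: the file name certctl(8) gives the cert in the store
# (compare with the <hash>.0 name certctl printed when adding it).
cert_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# Does the cert carry a DNS SAN for the host we will connect to?
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Verify using only the given CA file: what curl --cacert does.
verify_with() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Verify against OpenSSL's default store: what plain curl/fetch do.
verify_default() {
    openssl verify "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    mk_cert "$d"
    echo "store name : $(cert_hash "$d/localhost.crt").0"
    has_san "$d/localhost.crt" localhost && echo "SAN        : DNS:localhost present"
    verify_with "$d/localhost.crt" "$d/localhost.crt" && echo "own CAfile : OK"
    verify_default "$d/localhost.crt" || echo "default CAs: FAILED (self-signed, not in store)"
    echo "default dir: $(openssl version -d)"
    rm -rf "$d"
}

demo
```

The last line prints the OPENSSLDIR the base OpenSSL reads; a client built against a different library or CA bundle will not see certificates placed there.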