From owner-freebsd-questions@freebsd.org Tue Mar 26 10:21:53 2019
To: freebsd-questions@freebsd.org
From: Andrea Venturoli
Subject: security/ca_root_nss missing Let's Encrypt X3 certificate
Date: Tue, 26 Mar 2019 11:16:51 +0100

Hello.

I'm having trouble connecting (e.g. with fetch) to TLS servers which are using a Let's Encrypt certificate.

The exact message depends on the client I use, but it goes along this line:

>Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Of course adding that specific certificate to /usr/local/etc/ssl/cert.pem is enough to solve it.

However, Let's Encrypt seems to be widely accepted, so I was surprised not to find it in security/ca_root_nss.
Also, some page on the Internet [1] suggests the certificate should be there.

[1]
> https://www.linuxadminqa.com/freebsd-wget-can-not-confirm-certificates-issued-by-lets-encrypt/

Am I doing something wrong or is this certificate really missing?
If so, why? Isn't it worth adding it?

bye & Thanks
av.
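
The error quoted in the message above, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, is raised when the verifier cannot find the issuer of a certificate in the chain. The script below is an added example, not part of the original message: it reproduces that error offline with a constructed root -> intermediate -> leaf chain and shows it clearing either when the peer supplies the intermediate or when the intermediate is appended to the trusted file, as the message describes. All names, file names and the helper functions build_demo_pki and verify_leaf are hypothetical; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI (all names hypothetical).

build_demo_pki() {  # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$d/$n.key" || return 1
        openssl req -new -key "$d/$n.key" -subj "/CN=Constructed $n" \
            -out "$d/$n.csr" || return 1
    done
    # Self-signed root: the only certificate a root-only trust file would carry.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null || return 1
    # Leaf (server) certificate, signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
    # Workaround from the message: intermediate appended to the trusted file.
    cat "$d/root.pem" "$d/int.pem" > "$d/root-plus-int.pem"
}

verify_leaf() {  # $1 = directory, $2 = leaf-only | chain-sent | int-trusted
    d=$1
    case $2 in
        leaf-only)   set -- -CAfile "$d/root.pem" ;;
        chain-sent)  set -- -CAfile "$d/root.pem" -untrusted "$d/int.pem" ;;
        int-trusted) set -- -CAfile "$d/root-plus-int.pem" ;;
        *) echo usage-error; return 2 ;;
    esac
    # openssl verify exits non-zero on failure; classify by its message instead.
    out=$(openssl verify "$@" "$d/leaf.pem" 2>&1) || true
    case $out in
        *": OK"*) echo ok ;;
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *) echo other-error ;;
    esac
}

demo=$(mktemp -d)
build_demo_pki "$demo" || exit 1
for mode in leaf-only chain-sent int-trusted; do
    printf '%-12s %s\n' "$mode" "$(verify_leaf "$demo" "$mode")"
done
rm -rf "$demo"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` (HOST being a placeholder) lists the certificates the server actually sends, which shows whether the intermediate is part of the handshake.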