Date: Tue, 26 Mar 2019 19:58:21 +0900 (JST)
From: Yasuhiro KIMURA <yasu@utahime.org>
To: freebsd-questions@freebsd.org
Subject: Re: security/ca_root_nss missing Let's Encrypt X3 certificate
Message-ID: <20190326.195821.2023506369953085466.yasu@utahime.org>
In-Reply-To: <d81ae160-44c1-693d-f97b-abb1830b0c48@netfence.it>
References: <d81ae160-44c1-693d-f97b-abb1830b0c48@netfence.it>

From: Andrea Venturoli <ml@netfence.it>
Subject: security/ca_root_nss missing Let's Encrypt X3 certificate
Date: Tue, 26 Mar 2019 11:16:51 +0100

> I'm having trouble connecting (e.g. with fetch) to TLS servers which
> are using a Let's Encrypt certificate.
>
> The exact message depends on the client I use, but it goes along this
> line:
>>Protocol error (TLS code:
>>X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>SSL Certficate error: certificate issuer (CA) not known:
>> /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

What server application do you use?

Let's Encrypt Authority X3 is signed by DST Root CA X3. And DST Root
CA X3 is included in security/ca_root_nss. So if you configured server
application properly it should be able to use server certificates
issued by Let's Encrypt.

For example

* Web page of FreeBSD Project (https://www.freebsd.org/) uses server
  certificates issued by Let's Encrypt.
* If security/ca_root_nss is installed fetch(1) uses it as CA
  certificate.
* fetch(1) can access web page of FreeBSD Project successfully as
  follows.

yasu@eastasia[2017]% fetch -v -o /dev/null https://www.freebsd.org/
resolving server address: www.freebsd.org:443
SSL options: 82004854
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-CHACHA20-POLY1305
Certificate subject: /CN=www.freebsd.org
Certificate issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
requesting https://www.freebsd.org/
remote size / mtime: 25662 / 1553597683
/dev/null 25 kB 134 kBps 00s
yasu@eastasia[2018]%

---
Yasuhiro KIMURA
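
The chain relationship described in the reply above, as an added example that is not part of the original message: a constructed root stands in for DST Root CA X3 and a constructed intermediate for Let's Encrypt Authority X3, and `openssl verify` shows that a client holding only the root fails with "unable to get local issuer certificate" unless the server also supplies the intermediate. All subject names, file names and function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed three-level PKI (all names are made up for this example):
#   Example Root -> Example Intermediate -> www.example.test
# The root plays DST Root CA X3 (present in the client's CA file); the
# intermediate plays Let's Encrypt Authority X3 (not in the CA file).

mkcsr() {  # mkcsr <dir> <name> <CN>: new key and CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_pki() {  # build_pki <dir>
    d=$1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
    mkcsr "$d" root 'Example Root' &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    mkcsr "$d" int 'Example Intermediate' &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    mkcsr "$d" leaf 'www.example.test' &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Server sends only its own certificate; the client has just the root.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Server also sends the intermediate; -untrusted marks certificates that
# come from the peer: used for chain building, never as trust anchors.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" 2>&1
}

work=$(mktemp -d) && build_pki "$work" || exit 1
echo "leaf only:"; verify_leaf_only "$work"
echo "leaf + intermediate:"; verify_with_chain "$work"
rm -rf "$work"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which is the quickest way to see whether the intermediate is missing from its configuration.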