Date:      Tue, 26 Mar 2019 15:10:05 +0000
From:      Lorenzo Salvadore <phascolarctos@protonmail.ch>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: security/ca_root_nss missing Let's Encrypt X3 certificate
Message-ID:  <B8Wa10TGEw-pmRp3BoVybt_u-TnD3Eho4S5tjCgqvvAvmyu5xscJqrXup0JpMj-uRJqRqhgHdNHuVq4HcZkazzP8VuBVPh9FYzFsebrshwU=@protonmail.ch>
In-Reply-To: <2ed32cc3-ab80-7a0c-58c2-152bee067f7a@netfence.it>
References:  <d81ae160-44c1-693d-f97b-abb1830b0c48@netfence.it> <20190326.195821.2023506369953085466.yasu@utahime.org> <2ed32cc3-ab80-7a0c-58c2-152bee067f7a@netfence.it>


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 26 March 2019 14:45, Andrea Venturoli <ml@netfence.it> wrote:

> On 3/26/19 11:58 AM, Yasuhiro KIMURA wrote:
>
> > What server application do you use?
>
> I use Let's Encrypt certificates in Apache's HTTPd, sendmail,
> cyrus-imap, etc...
> However, this is not relevant here: I'm talking about FreeBSD as a
> client and not necessarily connecting to "my" servers.
>
> > Let's Encrypt Authority X3 is signed by DST Root CA X3.
>
> Ok.
>
> > And DST Root CA X3 is included in security/ca_root_nss.
>
> Right again: I did not notice this.
>
> > So if you configured server application
> > properly it should be able to use server certificates issued by Let's
> > Encrypt.
>
> Again, it's not a server problem, but rather a client program.
>
> It works now, even if I didn't change anything!!!
> I don't know what happened really... several sites were not working, but
> they are reachable again.
>
> Thanks anyway and sorry for the noise!
>
> bye
> av.

I sometimes experienced similar strange behaviors with certificates.
I do not know very well how certificates work, but I think time is a factor
and if responses arrive too late the certificate is not correctly recognized
(please, be patient if I'm wrong, my knowledge on the topic is vague).

I notice that we are both from Italy: I wonder if the problem is that our
connections sometimes are too slow to have certificates work correctly.

Lorenzo Salvadore.


