Date: Fri, 2 Jun 2017 07:06:43 +0000 From: Marcin Cieslak <saper@saper.info> To: Adam Weinberger <adamw@adamw.org> Cc: Jov <zhao6014@gmail.com>, FreeBSD Ports Mailing List <ports@freebsd.org>, Freddie Cash <fjwcash@gmail.com> Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how? Message-ID: <nycvar.OFS.7.76.1706020642290.65985@z.fncre.vasb> In-Reply-To: <9D4AA628-1BB2-42DA-860E-829C8C3390FD@adamw.org> References: <nycvar.OFS.7.76.1705312355300.37923@z.fncre.vasb> <CADyrUxPNzd_49dxg0yfjEC8vjb-OgqOCnVZQTjDM3wJ9D2bcnQ@mail.gmail.com> <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb> <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com> <nycvar.OFS.7.76.1706020205380.65985@z.fncre.vasb> <CADyrUxNfPatd2L=VKZdYAa_Q2gHtAdAGkSA=Wh1ZD4zkp4TV4w@mail.gmail.com> <9D4AA628-1BB2-42DA-860E-829C8C3390FD@adamw.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--1563967779-157018144-1496387203=:65985 Content-Type: text/plain; charset=US-ASCII On Thu, 1 Jun 2017, Adam Weinberger wrote: > I've tried fetching a distfile from my own server (which uses a Let's Encrypt cert) and it fetches fine in a poudriere jail. I'm suspecting that there's something unusual in your web server's SSL configuration, or in how you're generating your LE cert. Do you have any interesting arguments that you're giving dehydrated or your web server? The only unusual thing in my certificate is that CN belongs to another domain and the domain in question is listed in the subjectAltName along with a primary. On a system with certificate bundle installed the following works fine: fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz My port (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211164) has barely any dependencies, and there is no certificate bundle in the jail. Adam - can you check if something installs NSS CA roots as a dependency in your jail? I think I understand what happens - bare FreeBSD installation has no CA bundles, therefore fetch cannot really do https. Most ports work either because one of the dependencies installs ca root nss or they have a plain HTTP fallback (from distcache if need be). My distfiles are brand new and the distcache does not know them, not there is any HTTP fallback. The question is: do we silently require at least one unencrypted HTTP or FTP distfile source? If not, what should be done to bootstrap certificates for fetch - include somme roots in base, turn off certificate validation, other options? Marcin --1563967779-157018144-1496387203=:65985 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: BASE64 Content-Description: S/MIME Cryptographic Signature Content-Disposition: attachment; filename=smime.p7s MIIOSwYJKoZIhvcNAQcCoIIOPDCCDjgCAQExDzANBglghkgBZQMEAgEFADAL BgkqhkiG9w0BBwGgggqQMIIElzCCA3+gAwIBAgIOSBtqCKJEiNNcmz3JSA0w DQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENB IC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp Z24wHhcNMTYwNjE1MDAwMDAwWhcNMjQwNjE1MDAwMDAwWjBdMQswCQYDVQQG EwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEzMDEGA1UEAxMqR2xv YmFsU2lnbiBQZXJzb25hbFNpZ24gMSBDQSAtIFNIQTI1NiAtIEczMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyrCba00KOKyGuwh9h+/MAcZm ZUF9OxGKA56AADHaDE08rB0WEbgm6J4XvJP3OGQ7cgHdVJu6XMZkRd6EcfjD yRrIwE6oAVWJe57co3gKk/XxvuubSZuUahrcOiv3D2qaHwva4zumubxQQI4f unEzRIJHPiNjaq0cCcZsMcp5pxsEz8aG0sr8Oh80sxKNnzPmuUETLESktfMC pQKHUGmWXLsG6sgCZOezUjDjKpPKW7l4PUt0TEBEyqLhifv9/YPn5C4o10PP daDazZPeKNif2PVQ5u0HRnkFrHh4wmmrMtY22Mse3eR01gD6rEEGWf+gdzuy EQE+ZVlNhCP4gXjdBQIDAQABo4IBZDCCAWAwDgYDVR0PAQH/BAQDAgEGMCcG A1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDBAYIKwYBBQUHAwkwEgYDVR0T AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlifCwqX3HPgCenpkr2NvMtKYwrEw HwYDVR0jBBgwFoAUj/BLf6guRSSuTVD6Y5qL3uLdG7wwPgYIKwYBBQUHAQEE MjAwMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20v cm9vdHIzMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2ln bi5jb20vcm9vdC1yMy5jcmwwWQYDVR0gBFIwUDALBgkrBgEEAaAyASgwQQYJ KwYBBAGgMgFfMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNp Z24uY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQCxh3ekjKKy RrUdfI6D1U7qUggdFLksiU+KiIqJzJG6GXcQ2KiBy2tF3+KYb0IixXMpIVli VXlcD5Vh4tiMxJ4WONMFt3f7/53gSXLf24WMwErubc+mGMzgUGE5HKC98PcK UV/5pPggQdzPxCBNeiXnLU1tCGYhPatFTDhUBGaVhBeuUCbgR9gpXJ9guqrD OVwouKvovdIeI5KEAcoAAiSL6naeLk/GbKUaBFa2RxXC17e+YyBWtWlWDEM3 1V8pUIx76lkO8IJYREhLcg/LnyoYy5wcrzI6pbX2vw1x/jR3GHSC1AEdoqbE xui2XLLlSa6y9yQNgdkPz7GTLmpwIT+dMIIF8TCCBNmgAwIBAgIMGk4Oe/1h 2+wMOby/MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAkJFMRkwFwYDVQQK ExBHbG9iYWxTaWduIG52LXNhMTMwMQYDVQQDEypHbG9iYWxTaWduIFBlcnNv bmFsU2lnbiAxIENBIC0gU0hBMjU2IC0gRzMwHhcNMTcwNTI1MDg0NDE2WhcN MjAwNTI1MDg0NDE2WjA8MRkwFwYDVQQDDBBzYXBlckBzYXBlci5pbmZvMR8w HQYJKoZIhvcNAQkBFhBzYXBlckBzYXBlci5pbmZvMIICIjANBgkqhkiG9w0B AQEFAAOCAg8AMIICCgKCAgEA2sO3aQNus/oe4ZBZ4fu1Y1mzxnUYAkb4k/dw gMFc2Kd0eRoOY0AHj4rTEi/vVzzizxjLbEwXzQ9cBEAu/PqS8WsOmhZXtlfi szPDmP7ZpOwmNTWKSd9O7jHu9uTCGfEOsocQNYH2ULD1gVFkgKb8jHf+3u9d uCzh6qMomTtwLrCGEP70Lq385xUzRaD6qbOeIB99tpzgvMR6Z0GPTt4z8tLM kfdtohq5llwZ5vYnj/hJohVS9iLMQMHW4nuLj/mLZNaYE1CWJBT1rBwn5YPJ uR6811O9eAP7aX4iG8k1jkiBh+QNgGRBIK4GIdqy7IVRhA7v2OlpLYHMk4zP 9Fs3M+56QromVKBnxfzLhuYMUK6ugj9jwskNVitqlEFUeyfgvmR1jnPRp1Nd XGJllTNwGicR8wkaRj14RxfrvTZfwXs8OBODKFupqun/tNzdpOgyHMGQACss 9yv2SnLGCJvJK3rGIdRZEiUhLZH/Ct4L92dBhev+SjUqWKbHb4yIlGMgLdoh nwqatuWw7iyOeInjcinX7ghiIKDWhulUN493Fzl6kaUBtIIcrb7jzZ2pHAQT WUmuVnCTHk6NtoWB09lvuK77fw4GfxLWDFWkBQiJYPVBrmxlrkCKzrWdTMfS W9BiEC10jT1sSimUBIjDz22RkfsApeBJoAIWjiOZogILu9MCAwEAAaOCAdAw ggHMMA4GA1UdDwEB/wQEAwIFoDCBngYIKwYBBQUHAQEEgZEwgY4wTQYIKwYB BQUHMAKGQWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dz cGVyc29uYWxzaWduMXNoYTJnM29jc3AuY3J0MD0GCCsGAQUFBzABhjFodHRw Oi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NwZXJzb25hbHNpZ24xc2hhMmcz MEwGA1UdIARFMEMwQQYJKwYBBAGgMgEoMDQwMgYIKwYBBQUHAgEWJmh0dHBz Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAw RAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9n c3BlcnNvbmFsc2lnbjFzaGEyZzMuY3JsMBsGA1UdEQQUMBKBEHNhcGVyQHNh cGVyLmluZm8wHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMB0GA1Ud DgQWBBReBINaGUKUo7HCrIjsKLKERu6ooTAfBgNVHSMEGDAWgBSWJ8LCpfcc +AJ6emSvY28y0pjCsTANBgkqhkiG9w0BAQsFAAOCAQEAC0VK968ySq/6B+Kd ecjVThQOKtVXuG17Krfk0xz7OPYR/V+qZtBFm2Uc6tkUEmAmq3Tyf+SE3TTX Q58eJFq0uCTUhIY714ioJs1uVWBz8rPyJ3swkOfDaUXUxkQsBsf73VfKjUk4 kB5MTrApLYUe35NmEY3FqyyX13elhW1tp864vOKM2Git61cYoRn/bwd/z2JM Zkxwkd5JgvmM+p4Da+WO4CUsGzdrZEH8X/8NQIzWtUDIh7VEQZFX5fot/KvH Am8AajtpmNqTfMyg6LfcfJUXSFqXn/KEWu4Td62vX6Pd70dYKUZxnLwYvGqG A4Ktrp9zyrUzxLbmdaPln7CstjGCA38wggN7AgEBMG0wXTELMAkGA1UEBhMC QkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExMzAxBgNVBAMTKkdsb2Jh bFNpZ24gUGVyc29uYWxTaWduIDEgQ0EgLSBTSEEyNTYgLSBHMwIMGk4Oe/1h 2+wMOby/MA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG 9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE3MDYwMjA3MDY0M1owLwYJKoZIhvcN AQkEMSIEIOIznzo9ZYFKwyITmOPEiJdCsawrdOxtY+jOgssTUV8MMHkGCSqG SIb3DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgB ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMC AgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIC ADKlOJcFyv5Ik5JjWf22QH6qDTvojI9YJE1M8LekNKsueu0tuVQ9Rp8NZG2B Gmx0e0cDzWpovlYXe8jg54vG7cvBc4voqNK21U/flc5UTYyW3OBRb27pbfhN 91LMtt5u8sV3/z5He1crDGF/mCy04H6/qLXJuX/mcStOu8tjkrD9UjGueMBJ 1LSFEW9/U262qmJ4v6MhLaSh9K5iAlq9T7PZ4XWAYN6w3p/KD00wfkBGlzzj qZb9AF1uGyJqvhTYRT24/W++eyvTdVsDC3UeGqtJpkhaU4b6KJHRWEWlpFEF eAFrusboixfPZ65lW9Q1+W5dUtblX7ujnWxEh6zhW0ZGLvos+mot18pejmi0 qZWfovYjY8uL4g6iZ3IX0eGpAnTfAhjy2BvcW7aRHEWhFpdCUOAhJqufU6OF KqBLV226FqahyHp/cYCt5gxNQdHcYdeL6GcaWRIjBECImBJHQ/wGM5HMuYlv jJ9swmTjxJS8i0ZNso51T2crOgxN2+PeFV3blSbAvJMphh4bwakKThjld9Ng AYzllp7xOTPMvIyA/GenE6lAUEpc7w3KOraIyO1mGmKxGBKb5CeTVvKM/bDr m3wzZi52FwG0Cc8kGQ4dm3emEZ8nytLEu3aImu50xRXg4+pH1BekVjTvGem/ Y8bBuTbLcFrDYgbShDafXeKa --1563967779-157018144-1496387203=:65985--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?nycvar.OFS.7.76.1706020642290.65985>