Date: Fri, 2 Jun 2017 02:13:50 +0000
From: Marcin Cieslak <saper@saper.info>
To: Freddie Cash <fjwcash@gmail.com>
Cc: FreeBSD Ports Mailing List <ports@freebsd.org>, Jov <zhao6014@gmail.com>
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how?
Message-ID: <nycvar.OFS.7.76.1706020205380.65985@z.fncre.vasb>
In-Reply-To: <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com>
References: <nycvar.OFS.7.76.1705312355300.37923@z.fncre.vasb> <CADyrUxPNzd_49dxg0yfjEC8vjb-OgqOCnVZQTjDM3wJ9D2bcnQ@mail.gmail.com> <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb> <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com>
On Thu, 1 Jun 2017, Freddie Cash wrote:

> In your web server configuration, are you using the Let's Encrypt cert.pem
> or fullchain.pem?

fullchain.pem

> If you use the former, then any client that doesn't have the DST Root CA
> pre-installed will error out. The latest versions of browsers will work, as
> they include the DST Root CA.

My fullchain.pem as delivered by dehydrated does not include the DST Root CA.

> If you use the latter, then it will just work, as the server will send all
> the intermediate certificate info needed to reach the root.

To test this theory, I have added DST Root CA to my customized fullchain.pem
which now contains:

Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

so now we have "DST Root CA X3" extra. And the result is:

=> INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
=> Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found

so it cannot validate "DST Root CA X3" now, because it does not have the
pre-installed CA bundle.
Marcin Cieslak
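The behaviour Marcin observes, reproduced with a throw-away PKI as an added example (not code from the thread, from dehydrated or from fetch(1)): a root certificate appended to the chain the server sends is still just untrusted input, and verification only succeeds once the client's own store contains the root. It assumes openssl(1) 1.1 or later on PATH; "Example Root CA", "Example Authority X3" and distfile.example are constructed stand-ins.

```shell
#!/bin/sh
# Added example: reproduce the verification failure above with a throw-away PKI.
# "Example Root CA" / "Example Authority X3" / distfile.example are constructed
# stand-ins for DST Root CA X3, Let's Encrypt Authority X3 and the distfile host.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Root CA (self-signed), intermediate CA signed by it, and the server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout root.key -out root.pem \
  -subj "/O=Example Trust Co./CN=Example Root CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/O=Example CA/CN=Example Authority X3" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=distfile.example" 2>/dev/null
openssl x509 -req -days 30 -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem 2>/dev/null

# What the server presents: dehydrated-style fullchain.pem (leaf + intermediate)
# and the "customized" variant from the mail with the root appended.
cat leaf.pem inter.pem > fullchain.pem
cat leaf.pem inter.pem root.pem > fullchain_with_root.pem

# Emulate a TLS client: whatever the server sends is only untrusted input to
# path building; a trust anchor can only come from the client's own store.
# $1 = chain presented by the server, $2 = client CA bundle ("" = none, like fetch above)
client_verify() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$1" leaf.pem
  else
    openssl verify -no-CAfile -no-CApath -untrusted "$1" leaf.pem
  fi
}

report() { # $1 = label, remaining arguments go to client_verify
  label=$1; shift
  if client_verify "$@" >/dev/null 2>&1; then echo "$label: OK"; else echo "$label: verify failed"; fi
}
report "fullchain.pem, client has no CA bundle" fullchain.pem ""
report "fullchain.pem + root appended, client has no CA bundle" fullchain_with_root.pem ""
report "fullchain.pem, client trusts the root" fullchain.pem root.pem
report "cert.pem only (no intermediate), client trusts the root" leaf.pem root.pem
```

The last case shows the other half of Freddie's point: with the root trusted but only cert.pem served, the missing intermediate still breaks the chain.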
