Date: Thu, 1 Jun 2017 18:20:30 -0700
From: Freddie Cash <fjwcash@gmail.com>
To: Marcin Cieslak <saper@saper.info>
Cc: FreeBSD Ports Mailing List <ports@freebsd.org>, Jov <zhao6014@gmail.com>
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how?
Message-ID: <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com>
In-Reply-To: <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb>
References: <nycvar.OFS.7.76.1705312355300.37923@z.fncre.vasb> <CADyrUxPNzd_49dxg0yfjEC8vjb-OgqOCnVZQTjDM3wJ9D2bcnQ@mail.gmail.com> <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb>

On Jun 1, 2017 4:06 PM, "Marcin Cieslak" <saper@saper.info> wrote:

On Thu, 1 Jun 2017, Jov wrote:

> can you download the file distfiles/INIT.2014-12-24.tgz
> <https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz> using
> browser such as chrome?

Yes, Firefox, IE11, no certificate warnings.

> be sure to use full chain cert file, I remember I had similar problem and use
> full chain cert fixed.

(Without the root CA):

Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

How should fetch know that "=Digital Signature Trust Co./CN=DST Root CA X3"
is a valid CA if none have been installed?

Marcin Cieślak

In your web server configuration, are you using the Let's Encrypt cert.pem
or fullchain.pem?

If you use the former, then any client that doesn't have the DST Root CA
pre-installed will error out. The latest versions of browsers will work, as
they include the DST Root CA.

If you use the latter, then it will just work, as the server will send all
the intermediate certificate info needed to reach the root.

Cheers,
Freddie