Date: Fri, 2 Jun 2017 11:15:20 +0800
From: Jov <zhao6014@gmail.com>
To: Marcin Cieslak <saper@saper.info>
Cc: Freddie Cash <fjwcash@gmail.com>, FreeBSD Ports Mailing List <ports@freebsd.org>
Subject: Re: Hosting distfiles on HTTPS w/Let's Encrypt - how?
Message-ID: <CADyrUxNfPatd2L=VKZdYAa_Q2gHtAdAGkSA=Wh1ZD4zkp4TV4w@mail.gmail.com>
In-Reply-To: <nycvar.OFS.7.76.1706020205380.65985@z.fncre.vasb>
References: <nycvar.OFS.7.76.1705312355300.37923@z.fncre.vasb>
 <CADyrUxPNzd_49dxg0yfjEC8vjb-OgqOCnVZQTjDM3wJ9D2bcnQ@mail.gmail.com>
 <nycvar.OFS.7.76.1706012303400.58953@z.fncre.vasb>
 <CAOjFWZ4evDm_tMos2BZhGBZMiNLrVUMTubFRS_rDuCqo=d=sDQ@mail.gmail.com>
 <nycvar.OFS.7.76.1706020205380.65985@z.fncre.vasb>
What's your /etc/ssl/cert.pem? Mine is:

ls -l /etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  38 4月 29 09:15 /etc/ssl/cert.pem@ -> /usr/local/share/certs/ca-root-nss.crt

You can use this command to get more SSL connection info:

openssl s_client -connect <your_domain>:443

Jov
blog: http:amutu.com/blog

2017-06-02 10:13 GMT+08:00 Marcin Cieslak <saper@saper.info>:
> On Thu, 1 Jun 2017, Freddie Cash wrote:
>
> > In your web server configuration, are you using the Let's Encrypt cert.pem
> > or fullchain.pem?
>
> fullchain.pem
>
> > If you use the former, then any client that doesn't have the DST Root CA
> > pre-installed will error out. The latest versions of browsers will work, as
> > they include the DST Root CA.
>
> My fullchain.pem as delivered by dehydrated does not include the DST Root
> CA.
>
> > If you use the latter, then it will just work, as the server will send all
> > the intermediate certificate info needed to reach the root.
>
> To test this theory, I have added DST Root CA to my customized fullchain.pem
> which now contains:
>
> Certificate chain
>  0 s:/CN=marcincieslak.com
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>  2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>
> so now we have "DST Root CA X3" extra.
>
> And the result is:
>
> => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
>
> so it cannot validate "DST Root CA X3" now, because it does not have the
> pre-installed CA bundle.
>
> Marcin Cieślak
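As an added example (not code from this thread), the following Python script parses the "Certificate chain" block that openssl s_client prints, as quoted above, and checks it the way a verifying client does: whether each issuer is the next certificate the server sent, and whether any issuer is a root in the client's own CA bundle. The sample chain is a constructed copy of the one quoted, and trusted_subjects stands in for whatever /etc/ssl/cert.pem points at.

```python
import re

# Constructed sample: the "Certificate chain" block quoted above, with the
# self-signed DST Root CA X3 the server was made to send as cert 2.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

# One "N s:<subject>" line followed by its "i:<issuer>" line.
PAIR_RE = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in PAIR_RE.finditer(text)]


def check_chain(chain, trusted_subjects):
    """Look at the chain the way a verifying client does.

    trusted_subjects: subjects of the roots in the client's own CA bundle
    (what /etc/ssl/cert.pem points at). Returns a dict with:
      linked   - every cert's issuer is the subject of the next cert sent
      has_root - the last cert the server sent is self-signed
      anchored - some issuer in the chain is a root the client trusts
    """
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    has_root = bool(chain) and chain[-1][0] == chain[-1][1]
    # The trust anchor must come from the client's bundle; a root the server
    # sends along is not trusted just because it was sent, so appending
    # DST Root CA X3 to fullchain.pem cannot help a client with no bundle.
    anchored = any(issuer in trusted_subjects for _, issuer in chain)
    return {"linked": linked, "has_root": has_root, "anchored": anchored}


def diagnose(chain, trusted_subjects):
    """Short verdict: 'ok', 'broken chain' or 'untrusted root'."""
    result = check_chain(chain, trusted_subjects)
    if not result["linked"]:
        return "broken chain: an issuer is not the next certificate sent"
    if not result["anchored"]:
        return "untrusted root: no issuer in the chain is in the local CA bundle"
    return "ok"
```

Run diagnose(parse_chain(SAMPLE_CHAIN), set()) to reproduce the failure above, and pass the DST Root CA X3 subject in the set to see the same chain verify.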