Hosting distfiles on HTTPS w/Let's Encrypt - how?
Marcin Cieslak
saper at saper.info
Thu Jun 1 00:01:00 UTC 2017
Hello,
I have posted my port's local distfiles to a machine
that is serving them with SSL behind the Let's Encrypt
certificate (https://distfile.net). This is SSL-only.
However, poudriere fails on certificate check when trying
to fetch it:
=======================<phase: check-sanity >============================
===> License EPL accepted by the user
===========================================================================
=======================<phase: pkg-depends >============================
===> ksh93-20160716 depends on file: /usr/local/sbin/pkg - not found
===> Installing existing package /packages/All/pkg-1.10.1.txz
[ksh-test-amd64-exp-job-01] Installing pkg-1.10.1...
[ksh-test-amd64-exp-job-01] Extracting pkg-1.10.1: .......... done
===> ksh93-20160716 depends on file: /usr/local/sbin/pkg - found
===> Returning to build of ksh93-20160716
===========================================================================
=======================<phase: fetch-depends >============================
===========================================================================
=======================<phase: fetch >============================
===> License EPL accepted by the user
=> INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
=> Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
=> Couldn't fetch it - please try to retrieve this
=> port manually into /portdistfiles/ksh93 and try again.
*** Error code 1
What is the best solution here?
So I really have to add security/ca_root_nss (... and perl)
as a fetch dependency? Any other solution?
A quick look at bsd.sites.mk shows that we have some https-only distfile
sources.
Marcin Cieślak
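The log above shows fetch rejecting the Let's Encrypt chain inside the build environment. As an added example (not part of the original message), this sh function checks whether a given root directory holds a CA bundle at the default locations fetch(3) documents for libfetch, resolving symlinks relative to that root. The helper names and the symlink hop limit are assumptions.

```shell
#!/bin/sh
# Added example: find the CA bundle fetch(1) would use inside a build root.
# find_ca_bundle and resolve_in_root are hypothetical helper names.

# Resolve PATH inside ROOT, following symlinks relative to ROOT. A cert.pem
# that is an absolute symlink would otherwise resolve against the host's /.
resolve_in_root() {
    root=$1 path=$2 hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 8 ]; do   # 8 hops: assumed limit
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;                          # absolute: restart at ROOT
            *)  path=$(dirname "$path")/$target ;;       # relative to the link's dir
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$root$path"
}

# Print the first usable bundle under ROOT; return 1 if there is none.
find_ca_bundle() {
    root=${1%/}
    # libfetch defaults per fetch(3); SSL_CA_CERT_FILE, if set, replaces them.
    candidates=${SSL_CA_CERT_FILE:-"/usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem"}
    for c in $candidates; do
        real=$(resolve_in_root "$root" "$c")
        # Present, non-empty, and containing at least one PEM certificate.
        if [ -s "$real" ] && grep -q 'BEGIN CERTIFICATE' "$real"; then
            printf '%s\n' "$real"
            return 0
        fi
    done
    return 1
}
```

Call it as `find_ca_bundle <root>` with the root of the build environment; a non-zero exit means no trust store is visible there, which is consistent with the "certificate verify failed" error in the log.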