Hosting distfiles on HTTPS w/Let's Encrypt - how?

Freddie Cash fjwcash at gmail.com
Fri Jun 2 01:20:32 UTC 2017


On Jun 1, 2017 4:06 PM, "Marcin Cieslak" <saper at saper.info> wrote:

On Thu, 1 Jun 2017, Jov wrote:

> can you download the file distfiles/INIT.2014-12-24.tgz
> <https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz> using
> browser such as chrome?

Yes, Firefox, IE11, no certificate warnings.

> be sure to use full chain cert file, I remember I had similar problem and use
> full chain cert fixed.

(Without the root CA):


Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

How should fetch know that "=Digital Signature Trust Co./CN=DST Root CA X3"
is a valid CA if none have been installed?

Marcin Cieślak


In your web server configuration, are you using the Let's Encrypt cert.pem
or fullchain.pem?

If you use the former, then any client that doesn't have the DST Root CA
pre-installed will error out. The latest versions of browsers will work, as
they include the DST Root CA.

If you use the latter, then it will just work, as the server will send all
the intermediate certificate info needed to reach the root.

Cheers,
Freddie
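
The cert.pem versus fullchain.pem difference discussed in this thread can be reproduced offline with openssl. This is an added example, not part of the original messages: a constructed root, intermediate and leaf stand in for DST Root CA X3, Let's Encrypt Authority X3 and the server certificate, and every name and file other than cert.pem and fullchain.pem is an assumption.

```shell
#!/bin/sh
# Constructed PKI for illustration (all names made up): root -> intermediate -> leaf.
build_pki() {
    d=$1
    cat > "$d/c.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
    # Root CA: self-signed; a client only has it if it was installed locally.
    openssl req -config "$d/c.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -config "$d/c.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/c.cnf" -extensions ca \
        -out "$d/int.pem" 2>/dev/null
    # Leaf (server) certificate, signed by the intermediate: this is cert.pem.
    openssl req -config "$d/c.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=distfiles.example" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/cert.pem" 2>/dev/null
    # fullchain.pem = leaf followed by the intermediate.
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# $1 = file the server presents; remaining args = the client's trust options.
client_verify() {
    f=$1; shift
    openssl verify "$@" -untrusted "$f" "$f" >/dev/null 2>&1
}

report() { if client_verify "$@"; then echo accepted; else echo rejected; fi; }

d=$(mktemp -d); build_pki "$d"
echo "cert.pem,      root installed:  $(report "$d/cert.pem" -CAfile "$d/root.pem")"
echo "fullchain.pem, root installed:  $(report "$d/fullchain.pem" -CAfile "$d/root.pem")"
echo "fullchain.pem, no CA installed: $(report "$d/fullchain.pem" -no-CAfile -no-CApath)"
rm -rf "$d"
```

The chain a server sends can supply intermediates, but the trust anchor itself has to be present in the client's own store, which is why the third case is rejected.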

