Hosting distfiles on HTTPS w/Let's Encrypt - how?

Jov zhao6014 at gmail.com
Fri Jun 2 03:15:42 UTC 2017


what's your /etc/ssl/cert.pem?
mine is:
ls -l /etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  38  4月 29 09:15 /etc/ssl/cert.pem@ ->
/usr/local/share/certs/ca-root-nss.crt

you can use this command to get more ssl connection info:
openssl s_client -connect <your_domain>:443

Jov
blog: http:amutu.com/blog

2017-06-02 10:13 GMT+08:00 Marcin Cieslak <saper at saper.info>:

> On Thu, 1 Jun 2017, Freddie Cash wrote:
>
> > In your web server configuration, are you using the Let's Encrypt cert.pem
> > or fullchain.pem?
>
> fullchain.pem
>
> > If you use the former, then any client that doesn't have the DST Root CA
> > pre-installed will error out. The latest versions of browsers will work, as
> > they include the DST Root CA.
>
> My fullchain.pem as delivered by dehydrated does not include the DST Root CA.
>
> > If you use the latter, then it will just work, as the server will send all
> > the intermediate certificate info needed to reach the root.
>
> To test this theory, I have added DST Root CA to my customized fullchain.pem
> which now contains:
>
> Certificate chain
>  0 s:/CN=marcincieslak.com
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>
>  2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>
> so now we have "DST Root CA X3" extra.
>
> And the result is:
>
> => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz:
> Authentication error
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
>
> so it cannot validate "DST Root CA X3" now, because it does not have the
> pre-installed CA bundle.
>
>
> Marcin Cieślak
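The experiment Marcin describes (and Freddie's cert.pem vs. fullchain.pem point) can be reproduced offline with a throwaway private PKI. This is an added example, not code from the thread or from the FreeBSD project; it assumes the openssl command-line tool is installed, and every name in it (Example Root, Example Intermediate, distfile.example, Some Other Root) is made up.

```shell
#!/bin/sh
# Constructed demo: a private root, intermediate and leaf are generated locally
# (assumes the openssl CLI). The names are made up and only stand in for the
# real DST Root CA X3 / Let's Encrypt Authority X3 / server chain discussed above.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' >"$WORK/ee.ext"

# mkcert NAME SUBJECT EXTFILE [ISSUER]; without ISSUER the cert is self-signed.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ $# -lt 4 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/$3" -days 2 -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -extfile "$WORK/$3" -days 1 -out "$WORK/$1.crt" 2>/dev/null
  fi
}

build_pki() {
  mkcert root  "/O=Example Trust/CN=Example Root"      ca.ext        # plays DST Root CA X3
  mkcert inter "/O=Example CA/CN=Example Intermediate" ca.ext root   # plays Let's Encrypt Authority X3
  mkcert leaf  "/CN=distfile.example"                  ee.ext inter  # the web server's certificate
  mkcert other "/O=Unrelated/CN=Some Other Root"       ca.ext        # a trust store that lacks our root
  cat "$WORK/leaf.crt"                       >"$WORK/certonly.pem"            # serving cert.pem
  cat "$WORK/leaf.crt" "$WORK/inter.crt"     >"$WORK/fullchain.pem"           # serving fullchain.pem
  cat "$WORK/fullchain.pem" "$WORK/root.crt" >"$WORK/fullchain-with-root.pem" # Marcin's variant
}

# verify_chain TRUSTFILE CHAINFILE: what fetch(1)/libssl does with a served chain.
# TRUSTFILE (plus the system store, which never holds our private root) is the
# only source of trust anchors; certificates in CHAINFILE are untrusted helpers,
# even when the root itself is appended to them. Returns 0 on success, 1 on failure.
verify_chain() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.crt" >/dev/null 2>&1
}

build_pki
for case in "root.crt fullchain.pem" "root.crt certonly.pem" \
            "other.crt fullchain.pem" "other.crt fullchain-with-root.pem"; do
  if verify_chain $case; then r=OK; else r=FAIL; fi
  echo "trust=${case%% *} served=${case##* } -> $r"
done
```

Only the first case verifies: a trusted root plus a served intermediate. Serving the leaf alone fails even with the root trusted, and appending the root to the served chain does nothing for a client whose trust store lacks it, which is exactly the "Certificate verification failed for ... DST Root CA X3" result above.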


More information about the freebsd-ports mailing list