Hosting distfiles on HTTPS w/Let's Encrypt - how?

Adam Weinberger adamw at adamw.org
Fri Jun 2 04:34:00 UTC 2017


> On 1 Jun, 2017, at 21:15, Jov <zhao6014 at gmail.com> wrote:
> 
> what's your /etc/ssl/cert.pem?
> mine is:
> ls -l /etc/ssl/cert.pem
> lrwxr-xr-x  1 root  wheel  38  4月 29 09:15 /etc/ssl/cert.pem@ -> /usr/local/share/certs/ca-root-nss.crt
> 
> you can use this command to get more ssl connection info:
> openssl s_client -connect <your_domain>:443

I've tried fetching a distfile from my own server (which uses a Let's Encrypt cert) and it fetches fine in a poudriere jail. I'm suspecting that there's something unusual in your web server's SSL configuration, or in how you're generating your LE cert. Do you have any interesting arguments that you're giving dehydrated or your web server?

# Adam


-- 
Adam Weinberger
adamw at adamw.org
https://www.adamw.org



> 
> Jov
> blog: http:amutu.com/blog
> 
> 2017-06-02 10:13 GMT+08:00 Marcin Cieslak <saper at saper.info>:
> 
>> On Thu, 1 Jun 2017, Freddie Cash wrote:
>> 
>>> In your web server configuration, are you using the Let's Encrypt cert.pem
>>> or fullchain.pem?
>> 
>> fullchain.pem
>> 
>>> If you use the former, then any client that doesn't have the DST Root CA
>>> pre-installed will error out. The latest versions of browsers will work, as
>>> they include the DST Root CA.
>> 
>> My fullchain.pem as delivered by dehydrated does not include the DST Root
>> CA.
>> 
>>> If you use the latter, then it will just work, as the server will send all
>>> the intermediate certificate info needed to reach the root.
>> 
>> To test this theory, I have added DST Root CA to my customized fullchain.pem
>> which now contains:
>> 
>> Certificate chain
>> 0 s:/CN=marcincieslak.com
>>   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> 
>> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>> 
>> 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
>>   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>> 
>> so now we have "DST Root CA X3" extra.
>> 
>> And the result is:
>> 
>> => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
>> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
>> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
>> fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
>> 
>> so it cannot validate "DST Root CA X3" now, because it does not have the
>> pre-installed CA bundle.
>> 
>> 
>> Marcin Cieślak
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
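The chain-building behaviour the thread is circling around (cert.pem vs. fullchain.pem on the server, and a jail with no CA bundle on the client) can be reproduced offline. The following is an added example, not code from anyone in the thread: it mints a constructed root, intermediate and leaf with Go's crypto/x509 and verifies the leaf the way a client such as fetch(1) would, where only certificates in the client's local bundle count as trust anchors and everything else the server sends is at most an untrusted intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
type chain = []*x509.Certificate
// mint issues a cert for cn signed by parent (nil parent = self-signed root); all certs are constructed.
func mint(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign } // only CAs may sign other certs
	if parent == nil { parent, pkey = tmpl, key }     // self-sign the root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}
// pool builds a CertPool from a list of certificates.
func pool(cs chain) *x509.CertPool { p := x509.NewCertPool(); for _, c := range cs { p.AddCert(c) }; return p }
// verify models the client: trusted is its local CA bundle (what /etc/ssl/cert.pem points at, empty in a
// jail without ca-root-nss); presented is the chain the server sends. Anything after the first presented
// cert is only ever an untrusted intermediate, never a root, however much the server appends.
func verify(trusted, presented chain) error {
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: pool(trusted), Intermediates: pool(presented[1:])})
	return err
}
// Scenarios reproduces the thread's four cases and reports whether each client verification succeeds.
func Scenarios() map[string]bool {
	root, rootKey := mint("Constructed Root CA", true, nil, nil)
	inter, interKey := mint("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := mint("distfile.example", false, inter, interKey)
	bundle, none := chain{root}, chain{} // host with ca-root-nss installed vs. jail with no bundle
	return map[string]bool{
		"cert.pem, client has root":          verify(bundle, chain{leaf}) == nil,            // false
		"fullchain.pem, client has root":     verify(bundle, chain{leaf, inter}) == nil,     // true
		"fullchain.pem, jail has no bundle":  verify(none, chain{leaf, inter}) == nil,       // false
		"fullchain+root, jail has no bundle": verify(none, chain{leaf, inter, root}) == nil, // false
	}
}
```

Only the second case verifies: appending the root to fullchain.pem does nothing for a client whose bundle is empty, which is Marcin's result, while serving cert.pem alone breaks even clients that do have the root.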
