Hosting distfiles on HTTPS w/Let's Encrypt - how?

Freddie Cash fjwcash at
Fri Jun 2 01:20:32 UTC 2017

On Jun 1, 2017 4:06 PM, "Marcin Cieslak" <saper at> wrote:

On Thu, 1 Jun 2017, Jov wrote:

> can you dowload the file distfiles/INIT.2014-12-24.tgz
> <> using
> browser such as chrome?

Yes, Firefox, IE11, no certificate warnings.

> be sure to use full chain cert file,I rember I had similar problem and use
> full chain cert fixed.

(Without the root CA):

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

How should fetch know that "=Digital Signature Trust Co./CN=DST Root CA X3"
a valid CA if none have been installed?

Marcin Cieślak

In your web server configuration, are you using the Let's Encrypt cert.pem
or fullchain.pem?

If you use the former, then any client that doesn't have the DST Root CA
pre-installed will error out. The latest versions of browsers will work, as
they include the DST Root CA.

If you use the latter, then it will just work, as the server will send all
the intermediate certificate info needed to reach the root.


More information about the freebsd-ports mailing list