Hosting distfiles on HTTPS w/Let's Encrypt - how?

Marcin Cieslak saper at saper.info
Fri Jun 2 02:13:54 UTC 2017


On Thu, 1 Jun 2017, Freddie Cash wrote:

> In your web server configuration, are you using the Let's Encrypt cert.pem
> or fullchain.pem?

fullchain.pem

> If you use the former, then any client that doesn't have the DST Root CA
> pre-installed will error out. The latest versions of browsers will work, as
> they include the DST Root CA.

My fullchain.pem as delivered by dehydrated does not include the DST Root CA.

> If you use the latter, then it will just work, as the server will send all
> the intermediate certificate info needed to reach the root.

To test this theory, I have added DST Root CA to my customized fullchain.pem
which now contains:

Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

so now we have "DST Root CA X3" extra.

And the result is:

=> INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
=> Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found

so it cannot validate "DST Root CA X3" now, because it does not have the pre-installed CA bundle.


Marcin Cieślak
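The two experiments above, replayed as an added example (not code from the thread) on a constructed three-certificate PKI using Go's crypto/x509 verifier in place of fetch(1)'s OpenSSL; the names Test Root CA, Test Intermediate and distfile.example are made up, and the verifier's answer is the same whether the root is appended to the served chain or not: only a root in the client's own store counts as a trust anchor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a throwaway test certificate for cn signed by parent (nil parent: self-signed root).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Outcomes replays the thread's two experiments on a constructed PKI (not Let's Encrypt's real chain); a nil error means the chain validated.
func Outcomes() (fullchainWithStore, rootAppendedNoStore error) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	inter, interKey := mkCert("Test Intermediate", true, root, rootKey)
	leaf, _ := mkCert("distfile.example", false, inter, interKey)
	served, trusted := x509.NewCertPool(), x509.NewCertPool() // what the server sends / what the client has installed
	served.AddCert(inter)
	trusted.AddCert(root)
	// Case 1: fullchain.pem (leaf + intermediate) served, root pre-installed on the client.
	_, fullchainWithStore = leaf.Verify(x509.VerifyOptions{Intermediates: served, Roots: trusted})
	served.AddCert(root) // Case 2: root appended to the served chain, but the client has no CA bundle at all.
	_, rootAppendedNoStore = leaf.Verify(x509.VerifyOptions{Intermediates: served, Roots: x509.NewCertPool()})
	return
}

func main() {
	ok, fail := Outcomes()
	fmt.Println("case 1:", ok, "| case 2:", fail)
}
```

Case 2 is the situation in the fetch output above: the fix is installing a CA bundle on the client (ca_root_nss on FreeBSD), not padding fullchain.pem with the root.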