Hosting distfiles on HTTPS w/Let's Encrypt - how?

Marcin Cieslak saper at
Fri Jun 2 02:13:54 UTC 2017

On Thu, 1 Jun 2017, Freddie Cash wrote:

> In your web server configuration, are you using the Let's Encrypt cert.pem
> or fullchain.pem?
> If you use the former, then any client that doesn't have the DST Root CA
> pre-installed will error out. The latest versions of browsers will work, as
> they include the DST Root CA.

My fullchain.pem as delivered by dehydrated does not include the DST Root CA.

> If you use the latter, then it will just work, as the server will send all
> the intermediate certificate info needed to reach the root.

To test this theory, I have added DST Root CA to my customized fullchain.pem
which now contains:

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

so now we have "DST Root CA X3" extra.

And the result is:

=> INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
=> Attempting to fetch
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: Authentication error
=> Attempting to fetch
fetch: Not Found

so it cannot validate "DST Root CA X3" now, because it does not have the pre-installed CA bundle.

Marcin Cieślak
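The behaviour reported in this mail can be reproduced without touching a real server. The script below is an added example (not code from this thread or from dehydrated); it only assumes an `openssl` command-line tool is installed. It builds a made-up root, intermediate and leaf, then verifies the leaf the way a client would in three situations: the client trusts the root and the server sends leaf plus intermediate (a normal fullchain.pem); the client trusts the root but the server sends only the leaf (a cert.pem-only setup); and the client lacks the root while the server appends it to the chain, which is the customised fullchain.pem from the mail. It also prints the subject/issuer listing of a bundle, similar to the "Certificate chain" output quoted above, and checks whether a bundle ends in a self-signed certificate. All names (Example Root CA, distfiles.example.test) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): build a constructed
# root -> intermediate -> leaf chain and show that verification depends on
# what the client trusts, not on whether the server appends the root.
# Every name below is made up; these are not Let's Encrypt's certificates.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal request/extension config so this does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:distfiles.example.test
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# Two self-signed roots: the one our chain leads to, and an unrelated one
# standing in for a client whose CA bundle does not contain our root.
newkey root.key
openssl req -x509 -new -key root.key -config ext.cnf -extensions v3_ca -days 2 \
  -subj "/O=Example Trust Co./CN=Example Root CA" -out root.pem
newkey other.key
openssl req -x509 -new -key other.key -config ext.cnf -extensions v3_ca -days 2 \
  -subj "/O=Unrelated/CN=Some Other Root" -out other.pem

# Intermediate signed by the root, leaf signed by the intermediate.
newkey inter.key
openssl req -new -key inter.key -config ext.cnf -subj "/O=Example/CN=Example Intermediate" -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ext.cnf -extensions v3_ca -out inter.pem 2>/dev/null
newkey leaf.key
openssl req -new -key leaf.key -config ext.cnf -subj "/CN=distfiles.example.test" -out leaf.csr
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
  -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# A dehydrated-style fullchain (leaf + intermediate), the customised variant
# from the mail with the root appended, and an empty file for "cert.pem only".
cat leaf.pem inter.pem > fullchain.pem
cat leaf.pem inter.pem root.pem > fullchain_with_root.pem
: > nothing.pem

# Print subject/issuer of every certificate in a PEM bundle, much like the
# s_client "Certificate chain" listing.
show_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

# Extract the last certificate of a PEM bundle.
last_cert() { awk '/BEGIN CERTIFICATE/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"; }

# True when the bundle ends in a self-signed certificate, i.e. a root was appended.
ends_in_root() {
  subj=$(last_cert "$1" | openssl x509 -noout -subject | sed 's/^subject= *//')
  iss=$(last_cert "$1" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# Verify a leaf the way a client does: $1 = what the client trusts,
# $2 = extra (untrusted) certificates the server sends, $3 = the leaf.
verifies() {
  if [ -s "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

report() { if verifies "$@"; then echo "OK   trust=$1 sent=$2"; else echo "FAIL trust=$1 sent=$2"; fi; }

show_chain fullchain_with_root.pem
report root.pem  fullchain.pem           leaf.pem   # client has the root, server sends the intermediate
report root.pem  nothing.pem             leaf.pem   # client has the root, server sends only the leaf
report other.pem fullchain_with_root.pem leaf.pem   # client lacks the root; appending it server-side does not help
```

The third line of the report is the situation in the mail: a self-signed certificate received from the peer is never trusted on its own, so a client whose bundle lacks the root fails whether or not the server appends it. Only the second line is fixed by serving fullchain.pem instead of cert.pem; the third is fixed only on the client side, by installing the root into the bundle the client verifies against.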

More information about the freebsd-ports mailing list