Hosting distfiles on HTTPS w/Let's Encrypt - how?

Marcin Cieslak saper at saper.info
Fri Jun 2 07:06:50 UTC 2017


On Thu, 1 Jun 2017, Adam Weinberger wrote:

> I've tried fetching a distfile from my own server (which uses a Let's Encrypt cert) and it fetches fine in a poudriere jail. I'm suspecting that there's something unusual in your web server's SSL configuration, or in how you're generating your LE cert. Do you have any interesting arguments that you're giving dehydrated or your web server?

The only unusual thing in my certificate is that CN belongs to another domain and the domain in question
is listed in the subjectAltName along with a primary.

On a system with certificate bundle installed the following works fine:

fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz

My port (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211164) has barely any dependencies, and there is
no certificate bundle in the jail. Adam - can you check if something installs NSS CA roots as a dependency in your jail?

I think I understand what happens - a bare FreeBSD installation has no CA bundles, therefore fetch cannot really
do https. Most ports work either because one of the dependencies installs ca root nss or they have a plain HTTP
fallback (from distcache if need be). My distfiles are brand new and the distcache does not know them, nor is there
any HTTP fallback.

The question is: do we silently require at least one unencrypted HTTP or FTP distfile source?
If not, what should be done to bootstrap certificates for fetch - include some roots in base,
turn off certificate validation, other options?

	Marcin
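The situation described above (a port whose only distfile source is https://, built in a jail with no CA bundle) can be caught before the fetch ever runs. The script below is an added example, not part of the thread or of the ports framework: it classifies a port's MASTER_SITES as https-only or as having a plain http/ftp fallback, and checks whether any *_DEPENDS line pulls in security/ca_root_nss (FETCH_DEPENDS is the one that is installed before the fetch step). The sample Makefiles, the mirror hostnames and the ${LOCALBASE}/share/certs/ca-root-nss.crt path are constructed for the demonstration; the parser assumes MASTER_SITES is a literal list on one line with no ${MASTER_SITE_*} macros or backslash continuations, which is a simplification of real ports Makefiles.

```shell
#!/bin/sh
# Added example (not from the thread): lint a port Makefile for the case
# where every MASTER_SITES entry is https:// and nothing in the port brings
# a CA bundle into the jail, so fetch would fail certificate validation.
# Assumption: MASTER_SITES is a literal one-line list (no macros, no
# backslash continuations).

# classify_sites "site site ..." -> prints no-sites, https-only or has-plain-fallback
classify_sites() {
    [ -z "$1" ] && { echo no-sites; return; }
    plain=0
    for site in $1; do
        case "$site" in
            http://*|ftp://*) plain=1 ;;
        esac
    done
    [ "$plain" -eq 1 ] && echo has-plain-fallback || echo https-only
}

# declares_ca_roots MAKEFILE -> succeeds if some *_DEPENDS line references
# security/ca_root_nss (FETCH_DEPENDS is the one that matters at fetch time)
declares_ca_roots() {
    grep -Eq '^[A-Z_]*DEPENDS.*security/ca_root_nss' "$1"
}

# check_port MAKEFILE -> prints an OK/WARN line; returns 1 for the bad case
check_port() {
    sites=$(sed -n 's/^MASTER_SITES[?+:]*=[[:space:]]*//p' "$1")
    kind=$(classify_sites "$sites")
    if [ "$kind" = https-only ] && ! declares_ca_roots "$1"; then
        echo "WARN: $1: https-only MASTER_SITES and no ca_root_nss dependency"
        return 1
    fi
    echo "OK: $1 ($kind)"
}

# Constructed sample Makefiles (hostnames and paths are made up for the demo).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/https-only.mk" <<'EOF'
PORTNAME=	example
MASTER_SITES=	https://distfile.example.net/local-ports-distfiles/
EOF
cat > "$SAMPLE_DIR/with-fallback.mk" <<'EOF'
PORTNAME=	example
MASTER_SITES=	https://distfile.example.net/local-ports-distfiles/ http://mirror.example.org/distfiles/
EOF
cat > "$SAMPLE_DIR/with-ca-roots.mk" <<'EOF'
PORTNAME=	example
MASTER_SITES=	https://distfile.example.net/local-ports-distfiles/
FETCH_DEPENDS=	${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
EOF

# Run the check over the samples; only https-only.mk should be flagged.
for mk in "$SAMPLE_DIR"/*.mk; do
    check_port "$mk" || true
done
```

For a real port tree you would feed the script the output of `make -V MASTER_SITES` in the port directory instead of grepping the Makefile, so that site macros are expanded before classification. Turning off certificate validation in fetch is not among the options the script suggests: the WARN line is meant to be resolved by adding a FETCH_DEPENDS on security/ca_root_nss or by providing a plain-HTTP mirror with a checksum in distinfo.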