Hosting distfiles on HTTPS w/Let's Encrypt - how? [somehow solved]

Marcin Cieslak saper at saper.info
Sun Jun 4 21:48:05 UTC 2017


On Thu, 1 Jun 2017, Marcin Cieslak wrote:

> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
> Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error

My temporary solution to this problem is to pin the CA certificate in the port itself:

commit 7eec5787c09565b0b2dfc4b2cee176c8509474b2
Author: Marcin Cieślak <saper at saper.info>
Date:   Sun Jun 4 21:31:22 2017 +0000

    Hardwire CA certificate to facilitate HTTPS downloads
    
    Ports do not have a public key infrastructure to facilitate
    ports that need to be fetched using https only.
    
    So we hardcode a root certificate used by Let's Encrypt
    for now.

diff --git a/shells/ksh93/Makefile b/shells/ksh93/Makefile
index 10f826c..c1ddef2 100644
--- a/shells/ksh93/Makefile
+++ b/shells/ksh93/Makefile
@@ -24,7 +24,7 @@ LICENSE=      EPL
 
 OPTIONS_DEFINE=        EXAMPLES STATIC
 
-FETCH_ENV=     HTTP_AUTH=basic:*:I\ accept\ www.opensource.org/licenses/cpl:.
+FETCH_ARGS+=   --ca-cert="${FILESDIR}/dst_root_ca_x3.crt"
 LDFLAGS+=      -lm
 MAKE_ENV=      CCFLAGS="${CFLAGS}"
 NO_WRKSUBDIR=  yes
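Review bot: the `-` line drops `FETCH_ENV=     HTTP_AUTH=basic:*:I\ accept\ www.opensource.org/licenses/cpl:.` outright instead of keeping it beside the new `FETCH_ARGS+=` line; nothing in the commit message says the license-acceptance header is no longer needed for this download, so either keep the FETCH_ENV line or say in the commit message why it can go. Separately, `--ca-cert="${FILESDIR}/dst_root_ca_x3.crt"` replaces the system trust store for this fetch rather than adding to it, so the download will start failing as soon as distfile.net serves a chain that does not end at the pinned root; a comment above the line naming the pinned root and the reason for pinning would save the next maintainer a debugging session.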
diff --git a/shells/ksh93/files/dst_root_ca_x3.crt b/shells/ksh93/files/dst_root_ca_x3.crt
new file mode 100644
index 0000000..e2bd36f
--- /dev/null
+++ b/shells/ksh93/files/dst_root_ca_x3.crt
@@ -0,0 +1,22 @@
+subject=/O=Digital Signature Trust Co./CN=DST Root CA X3
+issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
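Review bot: the new file records nothing about where the certificate came from or how it was checked; the `subject=`/`issuer=` lines identify it as DST Root CA X3 but give neither the fingerprint that was verified nor the validity period, which is exactly what a later maintainer needs to judge whether the pinned root is still the right one. Suggest adding a line (in the file above the PEM block, or in the Makefile next to `FETCH_ARGS+=`) with the source URL and the SHA-256 fingerprint compared at import time. The `subject=`/`issuer=` preamble itself is harmless, since PEM readers ignore text outside the BEGIN/END markers.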

https://github.com/saper/ports-exp/commit/7eec5787c09565b0b2dfc4b2cee176c8509474b2


