security/ca_root_nss missing Let's Encrypt X3 certificate

Yasuhiro KIMURA yasu at utahime.org
Tue Mar 26 11:00:36 UTC 2019


From: Andrea Venturoli <ml at netfence.it>
Subject: security/ca_root_nss missing Let's Encrypt X3 certificate
Date: Tue, 26 Mar 2019 11:16:51 +0100

> I'm having trouble connecting (e.g. with fetch) to TLS servers which
> are using a Let's Encrypt certificate.
> 
> The exact message depends on the client I use, but it goes along this
> line:
>>Protocol error (TLS code:
>>X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>>SSL Certficate error: certificate issuer (CA) not known:
>> /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

What server application do you use? Let's Encrypt Authority X3 is signed
by DST Root CA X3, and DST Root CA X3 is included in
security/ca_root_nss. So if you configured the server application
properly, it should be able to use server certificates issued by Let's
Encrypt.

For example:

* The web page of the FreeBSD Project (https://www.freebsd.org/) uses server
  certificates issued by Let's Encrypt.
* If security/ca_root_nss is installed, fetch(1) uses it as the CA
  certificate file.
* fetch(1) can access the web page of the FreeBSD Project successfully, as
  follows.

yasu at eastasia[2017]% fetch -v -o /dev/null https://www.freebsd.org/
resolving server address: www.freebsd.org:443
SSL options: 82004854
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-CHACHA20-POLY1305
Certificate subject: /CN=www.freebsd.org
Certificate issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
requesting https://www.freebsd.org/
remote size / mtime: 25662 / 1553597683
/dev/null                                               25 kB  134 kBps    00s
yasu at eastasia[2018]% 

---
Yasuhiro KIMURA
