On 12/28/2015 01:54 PM, Jussi Pakkanen wrote:
> Currently trying to connect to a server that has letsencrypt enabled
> will fail. For example this command:
> wget https://wrapdb.mesonbuild.com
> will error out saying that the certificate is not trusted because it has
> no known issuer. The connection will validate properly on e.g. newest
> versions of Firefox and Chrome.
The example site does *not* validate on the latest release (as of reply)
of Firefox 43.0.3.
Chrome 47.0.2526.106 validates the site OK, and the intermediate appears
to be signed by an Identrust root:
CN = DST Root CA X3
I'm pretty sure that Chrome does some known intermediate certificate
magic for mis-configured sites that do not properly send the
intermediate. I'm not 100% sure, but I think this is your possible
issue. Firefox not validating leads me to believe the same.
`openssl s_client -CApath /etc/ssl/certs -connect
wrapdb.mesonbuild.com:443` shows the cert for wrapdb.mesonbuild.com,
issued by CN=Let's Encrypt Authority X1, but no intermediate, which is
cross-signed by DST Root CA X3 and should validate properly with the
current ca-certificates, if the web server gave it to us.
DST Root CA X3 was included in NSS long ago, and ca-certificates does
contain this root certificate as of version 20080411.
Send the right intermediate from the web server and it should "Just Work".
As for adding the ISRG root to ca-certificates, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1204656
It'll happen when it happens :)
--
Kind regards,
Michael
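The failure Michael describes (a server that sends only its leaf certificate, so a client with just the root in its store cannot find the issuer) can be reproduced offline. The script below is an added example, not code from the thread or from the Meson project: it builds a throw-away root, intermediate and leaf with openssl, then runs `openssl verify` with only the root trusted against two versions of what a server might send. The names (Example Root CA, Example Intermediate CA, wrapdb.example) are made-up stand-ins for DST Root CA X3, Let's Encrypt Authority X1 and wrapdb.mesonbuild.com.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "no known issuer" failure
# with a throw-away three-level chain, then show that verification succeeds as
# soon as the intermediate is included in what the server sends.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA extensions: without basicConstraints CA:TRUE, openssl verify refuses to
# accept a v3 certificate as an issuer ("invalid CA certificate").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root: self-signed; the only thing the client trusts (stand-in for DST Root CA X3).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 1 -out root.pem 2>/dev/null

# Intermediate: issued by the root; this is what the server is supposed to send
# alongside the leaf (stand-in for Let's Encrypt Authority X1).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 1 -out inter.pem 2>/dev/null

# Leaf: issued by the intermediate (stand-in for wrapdb.mesonbuild.com).
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=wrapdb.example" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -out leaf.pem 2>/dev/null

# What two differently configured servers would put on the wire:
cp leaf.pem served_broken.pem           # leaf only: the misconfiguration
cat leaf.pem inter.pem > served_ok.pem  # leaf followed by its issuer

# Verify the leaf the way a client with only the root in its store does.
# The served bundle is untrusted input that may supply the missing links.
# $1 = PEM file holding the certificates the server sent. Returns 0 on success.
verify_served() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

# Print the reason openssl gives when verification fails (empty on success).
failure_reason() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>&1 \
    | sed -n 's/.*lookup: *//p'
}

for f in served_broken.pem served_ok.pem; do
  if verify_served "$f"; then
    echo "$f: chain validates"
  else
    echo "$f: $(failure_reason "$f")"
  fi
done
```

Against a live host the same check is `openssl s_client -showcerts -connect host:443 </dev/null`, which dumps every certificate the server actually sent; if the issuer of the first one is not among them, clients that do not fetch intermediates on their own (wget, curl, Firefox at the time of the thread) will fail exactly as `served_broken.pem` does above, while clients that do (Chrome) will appear to work.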