On Thu, 1 Jun 2017, Freddie Cash wrote:

> In your web server configuration, are you using the Let's Encrypt cert.pem
> or fullchain.pem?

fullchain.pem

> If you use the former, then any client that doesn't have the DST Root CA
> pre-installed will error out. The latest versions of browsers will work, as
> they include the DST Root CA.

My fullchain.pem as delivered by dehydrated does not include the DST Root CA.

> If you use the latter, then it will just work, as the server will send all
> the intermediate certificate info needed to reach the root.

To test this theory, I have added DST Root CA to my customized fullchain.pem
which now contains:

Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

so now we have "DST Root CA X3" extra.

And the result is:

=> INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
=> Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found

so it cannot validate "DST Root CA X3" now, because it does not have the 
pre-installed CA bundle.


Marcin Cieślak
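
An added example, not part of this thread, that reproduces the point above with a throwaway chain built by the openssl CLI (all names are constructed stand-ins for the real CAs): the leaf validates only when the root is already in the client's own trust store, and appending the root to fullchain.pem does not change that. It assumes an openssl binary (1.1.1 or newer) on the path.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a constructed root -> intermediate
# -> leaf chain and checks it the way a TLS client would, with and without the
# root in the client's trust store. Needs the openssl CLI.
set -e
work=$(mktemp -d)
cd "$work"

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  # Self-signed root CA, the stand-in for "DST Root CA X3" (constructed name).
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/O=Example Trust Co/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 1 \
    -out root.pem 2>/dev/null
  # Intermediate CA signed by the root, the stand-in for "Authority X3".
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/O=Example CA/CN=Example Authority X3" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 1 -out int.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null
  # What the ACME client normally delivers, and the customised variant
  # with the root appended (as tried in the message above).
  cat leaf.pem int.pem >fullchain.pem
  cat leaf.pem int.pem root.pem >fullchain_with_root.pem
}

# client_verifies CHAIN TRUSTSTORE: verify leaf.pem using only the certs the
# server sends (CHAIN, treated as untrusted) plus the client's own trust
# anchors (TRUSTSTORE; empty means the client has no CA bundle). The system
# CA file and directory are not loaded. Returns 0 on success, 1 otherwise.
client_verifies() {
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$1" leaf.pem >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -untrusted "$1" leaf.pem >/dev/null 2>&1
  fi
}

build_chain
for chain in fullchain.pem fullchain_with_root.pem; do
  for store in root.pem ""; do
    if client_verifies "$chain" "$store"; then r=OK; else r=FAIL; fi
    printf '%-24s client trust store: %-8s -> %s\n' "$chain" "${store:-none}" "$r"
  done
done
```

The two FAIL rows are the fetch situation above: without the root as a local trust anchor the chain ends in a self-signed certificate the client has no reason to trust, however many certificates the server sends.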
