On Thu, 1 Jun 2017, Freddie Cash wrote:

> In your web server configuration, are you using the Let's Encrypt cert.pem
> or fullchain.pem?

fullchain.pem

> If you use the former, then any client that doesn't have the DST Root CA
> pre-installed will error out. The latest versions of browsers will work, as
> they include the DST Root CA.

My fullchain.pem as delivered by dehydrated does not include the DST Root CA.

> If you use the latter, then it will just work, as the server will send all
> the intermediate certificate info needed to reach the root.

To test this theory, I have added DST Root CA to my customized fullchain.pem
which now contains:

Certificate chain
 0 s:/CN=marcincieslak.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

so now we have "DST Root CA X3" extra. And the result is:

=> INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
=> Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found

so it cannot validate "DST Root CA X3" now, because it does not have the
pre-installed CA bundle.

Marcin Cieślak
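Added example, not part of either mail in this thread: a small model of the chain-building step that fetch(1)/OpenSSL performs, which is what decides the cert.pem versus fullchain.pem question. Certificates are reduced to constructed (subject, issuer) pairs copied from the chain printed above; signature checks, validity dates and revocation are deliberately left out so the path logic is visible. The names `Cert`, `build_path` and `scenarios` are this example's own, not anything in dehydrated, fetch or OpenSSL. The model shows the point of the thread: certificates the server sends are only ever used as untrusted intermediates, so appending DST Root CA X3 to fullchain.pem cannot substitute for the client having that root in its own trust store, while sending the intermediate (which fullchain.pem does and cert.pem does not) is required for a client that trusts only the root.

```python
"""Model of how a TLS client builds a certificate path to a trust anchor.

Each certificate is reduced to (subject, issuer).  A real client also checks
signatures, validity periods, key usage and revocation; those are omitted so
the chain-building logic itself stays readable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed descriptors mirroring the chain shown in the mail (hypothetical
# model objects, not parsed from real PEM files).
LEAF = Cert("/CN=marcincieslak.com",
            "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3")
LE_X3 = Cert("/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3",
             "/O=Digital Signature Trust Co./CN=DST Root CA X3")
DST_ROOT = Cert("/O=Digital Signature Trust Co./CN=DST Root CA X3",
                "/O=Digital Signature Trust Co./CN=DST Root CA X3")


def build_path(sent, trust_store):
    """Walk from the leaf towards a root the client already trusts.

    sent        -- certificates the server presented, leaf first (the order
                   `openssl s_client -showcerts` prints them)
    trust_store -- set of subject names of the self-signed roots installed
                   on the client (e.g. the contents of a ca-root-nss bundle)

    Returns (ok, path, reason).  Server-sent certificates are only ever used
    as untrusted intermediates: a root that arrives over the wire is never
    trusted on its own, which is why appending it to fullchain.pem does not
    help a client that has no CA bundle.
    """
    if not sent:
        return False, [], "server sent no certificate"
    by_subject = {c.subject: c for c in sent}
    current = sent[0]
    path = [current]
    seen = {current.subject}
    while True:
        # The issuer is a trust anchor: path complete.
        if current.issuer in trust_store:
            return True, path, "anchored at " + current.issuer
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # Server did not send the issuing certificate (cert.pem case).
            return False, path, "unable to get issuer certificate for " + current.subject
        if nxt.self_signed or nxt.subject in seen:
            # Reached a root (or a loop) that is not in the trust store.
            return False, path + [nxt], "untrusted self-signed certificate " + nxt.subject
        path.append(nxt)
        seen.add(nxt.subject)
        current = nxt


def scenarios():
    """The four configurations discussed in the thread, as (ok, reason)."""
    trusted = {DST_ROOT.subject}   # client with the usual CA bundle
    no_bundle = set()              # client with no CA bundle installed
    results = {
        "cert.pem, client has root": build_path([LEAF], trusted),
        "fullchain.pem, client has root": build_path([LEAF, LE_X3], trusted),
        "fullchain.pem + root, no bundle": build_path([LEAF, LE_X3, DST_ROOT], no_bundle),
        "fullchain.pem + root, client has root": build_path([LEAF, LE_X3, DST_ROOT], trusted),
    }
    return {name: (ok, reason) for name, (ok, _path, reason) in results.items()}


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The third scenario reproduces the failure in the mail: the walk reaches the appended DST Root CA X3 entry, finds it self-signed and absent from the (empty) trust store, and stops, which is the same outcome OpenSSL reports as "Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3". The fix on the client side is to install a CA bundle (the FreeBSD ca_root_nss port, for example), not to change what the server sends.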