What's your /etc/ssl/cert.pem? Mine is:

ls -l /etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  38 Apr 29 09:15 /etc/ssl/cert.pem@ -> /usr/local/share/certs/ca-root-nss.crt

You can use this command to get more SSL connection info:

openssl s_client -connect <your_domain>:443

Jov
blog: http:amutu.com/blog

2017-06-02 10:13 GMT+08:00 Marcin Cieslak <sa...@saper.info>:
> On Thu, 1 Jun 2017, Freddie Cash wrote:
>
> > In your web server configuration, are you using the Let's Encrypt cert.pem
> > or fullchain.pem?
>
> fullchain.pem
>
> > If you use the former, then any client that doesn't have the DST Root CA
> > pre-installed will error out. The latest versions of browsers will work, as
> > they include the DST Root CA.
>
> My fullchain.pem as delivered by dehydrated does not include the DST Root
> CA.
>
> > If you use the latter, then it will just work, as the server will send all
> > the intermediate certificate info needed to reach the root.
>
> To test this theory, I have added DST Root CA to my customized fullchain.pem
> which now contains:
>
> Certificate chain
>  0 s:/CN=marcincieslak.com
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>  2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
>
> so now we have "DST Root CA X3" extra.
>
> And the result is:
>
> => INIT.2014-12-24.tgz doesn't seem to exist in /portdistfiles/ksh93.
> => Attempting to fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz
> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
> 34374329736:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1264:
> fetch: https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz: Authentication error
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/ksh93/INIT.2014-12-24.tgz: Not Found
>
> so it cannot validate "DST Root CA X3" now, because it does not have the
> pre-installed CA bundle.
>
>
> Marcin Cieślak

_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
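Marcin's experiment above, reproduced offline with a throwaway test PKI. This is an added example, not code from anyone in the thread; the CA names, the host www.example.test and the "other" root (standing in for a client CA bundle that lacks the site's root, like a FreeBSD host whose /etc/ssl/cert.pem is missing or unpopulated) are all assumptions. It shows what the fetch failure means: a client validates the chain the server sends against its own CA bundle (`-CAfile` here, the role /etc/ssl/cert.pem plays for fetch), so appending the root to what the server sends only changes the error reported and cannot make the chain trusted; only installing the root on the client side does. It also covers the other branch of Freddie's question, serving cert.pem without the intermediate, which fails even for clients that do trust the root.

```shell
#!/bin/sh
# Added example (not from the thread): a client validates the server's chain
# against ITS OWN trust store. Certificates the server sends (even the root
# itself) can complete the chain but never create trust.
# All names below are made up; "other" is a root the client trusts instead of ours.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: a DN section (overridden by -subj) and extension
# profiles for a root, an intermediate (pathlen:0) and a server leaf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# make_root STEM CN : self-signed root CA (P-256 key, 30-day validity)
make_root() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.crt" -days 30 -subj "/O=Example Trust Co./CN=$2" \
        -config pki.cnf -extensions v3_root >/dev/null 2>&1
}

# make_signed STEM SUBJECT ISSUER_STEM EXT_PROFILE : CSR + certificate signed by ISSUER
make_signed() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" -config pki.cnf >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -out "$1.crt" -days 30 -extfile pki.cnf -extensions "$4" >/dev/null 2>&1
}

make_root   root  "Example Root CA"                                   # the root the site chains to
make_root   other "Unrelated Root CA"                                 # what a client without our root trusts
make_signed int   "/O=Example Trust Co./CN=Example Intermediate CA" root v3_int
make_signed leaf  "/CN=www.example.test"                          int  v3_leaf

cp  leaf.crt                   cert.pem            # Let's Encrypt cert.pem: leaf only
cat leaf.crt int.crt         > fullchain.pem       # fullchain.pem as dehydrated delivers it
cat leaf.crt int.crt root.crt > fullchain-root.pem # Marcin's chain with the root appended

# verify_result TRUSTFILE CHAINFILE
# TRUSTFILE plays the client's CA bundle (/etc/ssl/cert.pem), CHAINFILE the
# certificates the server presents. Prints "ok" or "FAIL: <reason>".
# Output is checked as well as exit status because old openssl(1) releases
# exited 0 on verification failure.
verify_result() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" leaf.crt 2>&1) || true
    case "$out" in
        *": OK"*) echo ok ;;
        *) echo "FAIL: $(printf '%s\n' "$out" | grep -m1 'depth lookup' || printf '%s' "$out")" ;;
    esac
}

printf '%-12s %-20s %s\n' "client trusts" "server sends" "result"
for trust in root.crt other.crt; do
    for chain in cert.pem fullchain.pem fullchain-root.pem; do
        printf '%-12s %-20s %s\n' "$trust" "$chain" "$(verify_result "$trust" "$chain")"
    done
done
```

Only the two rows where the client trusts root.crt and the server sends the intermediate come out "ok"; with other.crt in the trust store, the chain with the root appended fails at the root (a self-signed certificate in the chain), which is the error fetch reported for DST Root CA X3. Against a live server, the material for the `-untrusted` argument is what `openssl s_client -connect host:443 -showcerts` prints; on FreeBSD the client bundle is the ca-root-nss.crt that the security/ca_root_nss port installs and that /etc/ssl/cert.pem links to in Jov's listing.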