On Thu, 1 Jun 2017, Adam Weinberger wrote:

> I've tried fetching a distfile from my own server (which uses a Let's Encrypt
> cert) and it fetches fine in a poudriere jail. I'm suspecting that there's
> something unusual in your web server's SSL configuration, or in how you're
> generating your LE cert. Do you have any interesting arguments that you're
> giving dehydrated or your web server?
The only unusual thing in my certificate is that the CN belongs to another domain and the domain in question is listed in the subjectAltName along with the primary one. On a system with a certificate bundle installed the following works fine:

fetch https://distfile.net/local-ports-distfiles/INIT.2014-12-24.tgz

My port (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211164) has barely any dependencies, and there is no certificate bundle in the jail. Adam - can you check if something installs the NSS CA roots as a dependency in your jail?

I think I understand what happens - a bare FreeBSD installation has no CA bundles, therefore fetch cannot really do https. Most ports work either because one of the dependencies installs ca_root_nss or they have a plain HTTP fallback (from the distcache if need be). My distfiles are brand new and the distcache does not know them, nor is there any HTTP fallback.

The question is: do we silently require at least one unencrypted HTTP or FTP distfile source? If not, what should be done to bootstrap certificates for fetch - include some roots in base, turn off certificate validation, other options?

Marcin
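The two things the thread separates are worth checking independently: whether the certificate's name layout (CN for one domain, the fetched domain only in the subjectAltName) can match the requested host at all, and whether the jail has any root bundle to verify the chain against. The following is an added example written for this page, not code from Marcin, Adam or FreeBSD's fetch(1). It implements RFC 6125 host matching over the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, using a constructed certificate stand-in (the names `primary.example` and the sample SAN are invented; `distfile.net` is the host from the message), and it probes the two bundle paths that `security/ca_root_nss` would provide (`/etc/ssl/cert.pem` only when its symlink option is on); those paths are an assumption about the ports tree of that era.

```python
"""Hostname matching the way an HTTPS client is supposed to do it (RFC 6125),
plus a check for the CA bundles a FreeBSD jail would need.

Key point for the thread: when the certificate carries a subjectAltName with
DNS entries, only those entries are consulted and the subject CN is ignored,
so a CN belonging to another domain is harmless as long as the fetched host
appears in the SAN. A missing root bundle, on the other hand, fails the chain
check before host matching is ever reached.
"""

import os

# Constructed stand-in for getpeercert(): the CN names one domain, the SAN
# lists that domain plus the one actually being fetched from. Sample data,
# not the real distfile.net certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "primary.example"),),),
    "subjectAltName": (("DNS", "primary.example"), ("DNS", "distfile.net")),
}

# Assumed locations: /usr/local/share/certs/ca-root-nss.crt is what the
# ca_root_nss port installs; /etc/ssl/cert.pem is its optional symlink.
# A base system without the port has neither.
CANDIDATE_BUNDLES = (
    "/etc/ssl/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
)


def dns_identifiers(cert):
    """DNS names the certificate is valid for.

    SAN DNS entries win; the CN is used only when there is no SAN DNS entry
    at all (the legacy fallback every client still honours).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return [value]
    return []


def match_identifier(pattern, hostname):
    """Match one DNS identifier against a hostname.

    A wildcard is accepted only as the entire leftmost label, must cover the
    same number of labels as the hostname, and must leave at least two
    literal labels (no "*.net" style identifiers).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pparts = pattern.split(".")
    hparts = hostname.split(".")
    if pparts[0] != "*" or len(pparts) < 3 or len(pparts) != len(hparts):
        return False
    return pparts[1:] == hparts[1:]


def matched_name(cert, hostname):
    """The identifier that matched the hostname, or None."""
    for name in dns_identifiers(cert):
        if match_identifier(name, hostname):
            return name
    return None


def find_ca_bundle(paths=CANDIDATE_BUNDLES, exists=os.path.exists):
    """First root bundle present on the system, or None in a bare jail."""
    return next((p for p in paths if exists(p)), None)


def diagnose(cert, hostname, paths=CANDIDATE_BUNDLES, exists=os.path.exists):
    """Explain why an HTTPS fetch of hostname would fail, in the order a
    client evaluates it: chain verification needs a bundle first, then the
    host must appear among the certificate's DNS identifiers."""
    bundle = find_ca_bundle(paths, exists)
    if bundle is None:
        return "no CA bundle: chain cannot be verified, host matching never runs"
    name = matched_name(cert, hostname)
    if name is None:
        return "no SAN/CN identifier matches %s" % hostname
    return "ok: verified against %s, host matched %s" % (bundle, name)


if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT, "distfile.net"))
```

Because the bundle check is the first gate, the fix in a jail is to provide roots (install `ca_root_nss`, or point fetch(3)'s `SSL_CA_CERT_FILE` at a bundle copied in), not to set `SSL_NO_VERIFY_PEER`: disabling verification turns every distfile mirror into an unauthenticated download, which is the supply-chain property the HTTPS URL was supposed to buy.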