Re: how do I debug this? any hints?

jrmu Sun, 11 Aug 2024 08:30:14 -0700

Searching for .fullchain.pem first before .crt would be a great help, it
best matches the naming conventions used in the
/etc/example/acme-client.conf


-- 
jrmu
IRCNow (https://ircnow.org)

On Sun, Aug 11, 2024 at 12:44:40PM +0200, Peter Philipp wrote:
> On Sun, Aug 11, 2024 at 11:10:17AM +0200, Kirill A. Korinsky wrote:
> > On Sun, 11 Aug 2024 09:57:31 +0200,
> > Peter Philipp <i...@callpeter.tel> wrote:
> > > 
> > > openssl s_client returns this:
> > > ----
> > >     Verify return code: 20 (unable to get local issuer certificate)
> > > ----
> > > 
> > > based on these two command which the first one fails hard:
> > > 
> > > 34      ftp 
> > > https://download.delphinusdns.org/pub/delphinusdnsd/snapshot/INSTALL/goldflipper11.png
> > > 35      openssl s_client -connect download.delphinusdns.org:443
> > > 
> > > how do I debug this?  If anyone can hold my hand a little bit here, I 
> > > would
> > > appreciate it.  I have added TLSA DNS entries for all the port 443's on my
> > > DNS!
> > > 
> > 
> > I see that you're using a ceritficate which was issued by Let's Encryption,
> > and I asee that certificate which is sent from your server hasn't got full
> > chain:
> > 
> >   Certificate chain
> >    0 s:/CN=download.delphinusdns.org
> >      i:/C=US/O=Let's Encrypt/CN=R10
> > 
> > I think that distributing the whole chain should fix that issue.
> > 
> > -- 
> > wbr, Kirill
> 
> Would this patch then, make any sense?
> 
> -pjp
> 
> 
> Index: parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.257
> diff -u -p -u -r1.257 parse.y
> --- parse.y   10 Aug 2024 05:47:29 -0000      1.257
> +++ parse.y   11 Aug 2024 10:43:15 -0000
> @@ -1372,6 +1372,8 @@ flag            : STRING                        {
>                               $$ = TLSFLAG_CIPHER_SERVER_PREF;
>                       else if (strcmp("client-renegotiation", $1) == 0)
>                               $$ = TLSFLAG_CLIENT_RENEG;
> +                     else if (strcmp("fullchain", $1) == 0)
> +                             $$ = TLSFLAG_KEYPAIR_FULLCHAIN;
>                       else {
>                               yyerror("invalid TLS flag: %s", $1);
>                               free($1);
> Index: relayd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
> retrieving revision 1.191
> diff -u -p -u -r1.191 relayd.c
> --- relayd.c  25 Jun 2023 08:07:38 -0000      1.191
> +++ relayd.c  11 Aug 2024 10:43:15 -0000
> @@ -1367,11 +1367,14 @@ relay_load_certfiles(struct relayd *env,
>               goto fail;
>  
>       if (snprintf(certfile, sizeof(certfile),
> -         "/etc/ssl/%s:%u.crt", hbuf, useport) == -1)
> +         "/etc/ssl/%s:%u.%s", hbuf, useport, ((proto->tlsflags & \
> +             TLSFLAG_KEYPAIR_FULLCHAIN) ? "fullchain.pem" : "crt")) == -1)
>               goto fail;
>       if ((cert_fd = open(certfile, O_RDONLY)) == -1) {
>               if (snprintf(certfile, sizeof(certfile),
> -                 "/etc/ssl/%s.crt", hbuf) == -1)
> +                     "/etc/ssl/%s.%s", hbuf, ((proto->tlsflags & \
> +                     TLSFLAG_KEYPAIR_FULLCHAIN) ? "fullchain.pem" : "crt")
> +                     ) == -1)
>                       goto fail;
>               if ((cert_fd = open(certfile, O_RDONLY)) == -1)
>                       goto fail;
> Index: relayd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
> retrieving revision 1.209
> diff -u -p -u -r1.209 relayd.conf.5
> --- relayd.conf.5     14 Jul 2024 03:58:49 -0000      1.209
> +++ relayd.conf.5     11 Aug 2024 10:43:15 -0000
> @@ -1040,6 +1040,9 @@ The default is
>  Is deprecated and does nothing.
>  .It Ic tlsv1.1
>  Is deprecated and does nothing.
> +.It Ic fullchain
> +prefers the fullchain PEM file instead of the CRT as given by 
> +.Xr acme-client 1 .
>  .El
>  .It Ic http Ar option
>  Set the HTTP options and session settings.
> Index: relayd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
> retrieving revision 1.274
> diff -u -p -u -r1.274 relayd.h
> --- relayd.h  10 Aug 2024 05:47:29 -0000      1.274
> +++ relayd.h  11 Aug 2024 10:43:15 -0000
> @@ -701,12 +701,14 @@ TAILQ_HEAD(relay_rules, relay_rule);
>  #define TLSFLAG_VERSION                              0x1f
>  #define TLSFLAG_CIPHER_SERVER_PREF           0x20
>  #define TLSFLAG_CLIENT_RENEG                 0x40
> +#define      TLSFLAG_KEYPAIR_FULLCHAIN               0x80
>  #define TLSFLAG_DEFAULT                              \
>       (TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)
>  
>  #define TLSFLAG_BITS                                         \
>       "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3"   \
> -     "\06cipher-server-preference\07client-renegotiation"
> +     "\06cipher-server-preference\07client-renegotiation"    \
> +     "\08fullchain"
>  
>  #define TLSCIPHERS_DEFAULT   "HIGH:!aNULL"
>  #define TLSECDHECURVES_DEFAULT       "default"
> 
> -- 
> ** out of spiffy .signature messages
>

Re: how do I debug this? any hints?

Reply via email to