> Most likely, you're not requesting a full chain from acme-client, or you
> haven't given the full chain certificate a name relayd will pick up
> automatically.

According to relayd.conf(5), relayd should pick up my full chain certificate.

# /etc/ssl
drwxr-xr-x  3 root  wheel   512B Dec 27  2021 acme/
drwx------  2 root  wheel   512B Oct 25 19:57 private/
-r--r--r--  1 root  wheel   341K Sep 14 19:34 cert.pem
-r--r--r--  1 root  wheel   2.1K Oct 25 19:59 src.domain.io.crt
-r--r--r--  1 root  wheel   3.8K Oct 25 19:59 src.domain.io.fullchain.pem
-rw-r--r--  1 root  wheel   504B Oct 26 17:46 src.domain.io.ocsp
-rw-r--r--  1 root  wheel   504B Oct 26 13:58 src.domain.io.ocsp.pem

# /etc/ssl/private
-r--------  1 root  wheel   3.2K Oct 25 19:59 src.domain.io.key

# relayd.conf(5)
keypair name
    The relay will attempt to look up a private key in
    /etc/ssl/private/name:port.key and a public certificate in
    /etc/ssl/name:port.crt, where port is the specified port that the
    relay listens on. If these files are not present, the relay will
    continue to look in /etc/ssl/private/name.key and /etc/ssl/name.crt.
    This option can be specified multiple times for TLS Server Name
    Indication. If not specified, a keypair will be loaded using the
    specified IP address of the relay as name. See ssl(8) for details
    about TLS server certificates.

    An optional OCSP staple file will be used during TLS handshakes with
    this server if it is found as a non-empty file in
    /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp. The file should
    contain a DER-format OCSP response retrieved from an OCSP server for
    the certificate in use, and can be created using ocspcheck(8).

To generate the files in /etc/ssl, I used the following commands:

# acme-client -F src.domain.io
# /usr/sbin/ocspcheck -N -o /etc/ssl/src.domain.io.ocsp.pem /etc/ssl/src.domain.io.fullchain.pem

Kind Regards.

On Sat, Oct 26, 2024 at 8:01 PM Anthony J. Bentley <anth...@anjbe.name> wrote:
> Am Jam writes:
> > $ git clone https://src.domain.io/user/aoc.git
> > Cloning into 'aoc'...
> > fatal: unable to access 'https://src.domain.io/user/aoc.git/': SSL
> > certificate problem: unable to get local issuer certificate
> >
> > and
> >
> > $ curl https://src.domain.io
> > curl: (60) SSL certificate problem: unable to get local issuer
> > certificate
> > More details here: https://curl.se/docs/sslcerts.html
> >
> > curl failed to verify the legitimacy of the server and therefore could
> > not establish a secure connection to it. To learn more about this
> > situation and how to fix it, please visit the web page mentioned above.
>
> acme-client(1) generates a certificate without any intermediate
> certificates unless a full chain is specifically requested; see
> acme-client.conf(5).
>
> relayd(8)'s 'tls keypair' will automatically pick up certificates named
> according to a particular pattern; see relayd.conf(5).
>
> Most likely, you're not requesting a full chain from acme-client, or you
> haven't given the full chain certificate a name relayd will pick up
> automatically.
>
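As an added example (not code from the thread, and not relayd's own code): a small Python model of the 'tls keypair' lookup order that the relayd.conf(5) excerpt above documents, run against an in-memory copy of the /etc/ssl listing with constructed file contents, to show which certificate file relayd would actually load and whether that file carries any intermediate certificates. The function names and the placeholder PEM contents are assumptions.

```python
# Models relayd's keypair lookup as documented in relayd.conf(5):
# /etc/ssl/private/name:port.key + /etc/ssl/name:port.crt first, then
# /etc/ssl/private/name.key + /etc/ssl/name.crt; an OCSP staple is used
# only if /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp is non-empty.
# 'files' maps absolute path -> contents, a stand-in for the real directory.

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def resolve_keypair(name, port, files):
    """Return (key, cert, ocsp) paths relayd would load, or (None,)*3."""
    for base in (f"{name}:{port}", name):
        key = f"/etc/ssl/private/{base}.key"
        cert = f"/etc/ssl/{base}.crt"
        if key in files and cert in files:
            ocsp = None
            for cand in (f"/etc/ssl/{name}:{port}.ocsp", f"/etc/ssl/{name}.ocsp"):
                if files.get(cand):          # must exist and be non-empty
                    ocsp = cand
                    break
            return key, cert, ocsp
    return None, None, None

def cert_count(pem):
    """Number of certificates in a PEM bundle (1 = leaf only, no chain)."""
    return pem.count(PEM_BEGIN)

def audit_keypair(name, port, files):
    """Summarise what relayd would serve and flag a certificate without chain."""
    key, cert, ocsp = resolve_keypair(name, port, files)
    if cert is None:
        return {"found": False}
    n = cert_count(files[cert])
    return {
        "found": True, "key": key, "cert": cert, "ocsp": ocsp,
        "certs_in_chain": n,
        "chain_missing": n < 2,
        # a .fullchain.pem beside the .crt is not a name relayd looks for
        "unused_fullchain": f"/etc/ssl/{name}.fullchain.pem" in files,
    }

# Constructed stand-in for the listing in the thread; contents are fake.
LEAF = PEM_BEGIN + "\nMIIleaf-placeholder\n-----END CERTIFICATE-----\n"
INTERMEDIATE = PEM_BEGIN + "\nMIIinter-placeholder\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "/etc/ssl/private/src.domain.io.key": "-----BEGIN PRIVATE KEY-----\nfake\n",
    "/etc/ssl/src.domain.io.crt": LEAF,                 # leaf only
    "/etc/ssl/src.domain.io.fullchain.pem": LEAF + INTERMEDIATE,
    "/etc/ssl/src.domain.io.ocsp": "der-placeholder",   # non-empty staple
    "/etc/ssl/src.domain.io.ocsp.pem": "der-placeholder",  # not consulted
}

if __name__ == "__main__":
    print(audit_keypair("src.domain.io", 443, SAMPLE_FILES))
```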