On 12/28/2015 03:53 PM, Michael Shuler wrote:
`openssl s_client -CApath /etc/ssl/certs -connect wrapdb.mesonbuild.com:443`
shows the cert for wrapdb.mesonbuild.com, issued by CN=Let's Encrypt
Authority X1, but no intermediate, which is cross-signed by DST Root CA X3
and should validate properly with the current ca-certificates, if the web
server gave it to us.

DST Root CA X3 was included in NSS long ago, and ca-certificates does
contain this root certificate as of version 20080411.

Send the right intermediate from the web server and it should "Just Work".

Working example with intermediate sent from the original letsencrypt test site:

$ openssl s_client -CApath /etc/ssl/certs -connect helloworld.letsencrypt.org:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = TrustID Server, CN = TrustID Server CA A52
verify return:1
depth=0 CN = letsencrypt.org, O = INTERNET SECURITY RESEARCH GROUP, L = Mountain View, ST = California, C = US
verify return:1
---
Certificate chain
 0 s:/CN=letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
   i:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
 1 s:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
   i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
 2 s:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

--
Kind regards,
Michael
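
The check described in the message above, as an added example that is not part of the original e-mail: it parses the "Certificate chain" block of `openssl s_client` output and reports whether the chain the server sent links up to a locally trusted root. The function names, the status labels, and the `leaf.example` sample are assumptions made for illustration; the comparison is by subject/issuer name only and does not verify signatures.

```python
import re

# Subject names of locally trusted roots (here only the root named in the message).
ROOTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

# Chain block copied from the working s_client output in the message.
WORKING = """Certificate chain
 0 s:/CN=letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
   i:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
 1 s:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
   i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
 2 s:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Constructed sample: a server that sends only its leaf, no intermediate.
LEAF_ONLY = """Certificate chain
 0 s:/CN=leaf.example
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
"""

ENTRY = re.compile(r"^\s*\d+\s+s:(.+)\n\s+i:(.+)$", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    _, _, rest = output.partition("Certificate chain\n")
    block = rest.split("\n---", 1)[0]
    return [(s.strip(), i.strip()) for s, i in ENTRY.findall(block)]


def diagnose(output, trusted_roots):
    """Classify the sent chain by name: ok, broken-link, unanchored, no-chain."""
    chain = parse_chain(output)
    if not chain:
        return "no-chain"
    # Each certificate must name the next one in the list as its issuer.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken-link"
    top_subject, top_issuer = chain[-1]
    # The last certificate sent must be a local root or be issued by one;
    # otherwise the server most likely left out an intermediate.
    if top_subject in trusted_roots or top_issuer in trusted_roots:
        return "ok"
    return "unanchored"
```
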
