On 4/2/19 5:35 PM, Gary E. Miller via devel wrote:

> Also, still broken for me when the fullchain.pem is in /tmp:

OpenSSL takes root certificates in two ways.

A) You can specify a file, in PEM format, with one or more root
   certificates.

B) You can specify a directory, in which case the certificates must be
   named (or more typically, symlinked) with their hash; see
   `openssl rehash`. Note that the files processed by `openssl rehash`
   must have one certificate per file.

Technically speaking, fullchain.pem from certbot does not contain a root
certificate. It contains the end certificate and an intermediate CA
certificate. That said, adding the intermediate as a trusted root should
still cause validation to pass. Try something like this:

    mkdir /tmp/certs
    cp /tmp/fullchain.pem /tmp/certs/
    cd /tmp/certs
    vi fullchain.pem
    # Delete the first cert (the end certificate), from the
    # -----BEGIN CERTIFICATE----- line through the
    # -----END CERTIFICATE----- line, inclusive. This will leave only the
    # intermediate certificate.
    openssl rehash .

That should give you the following, assuming you have the Let's Encrypt
intermediate that chains up to IdenTrust, which is the certbot default:

    $ ls
    4f06f81d.0  fullchain.pem

See if that works with "ca=/tmp/certs" in ntp.conf.

On 4/2/19 6:26 PM, Gary E. Miller via devel wrote:

> No. LE has FIVE root certs. Maybe you can call it a split root. And
> you have no way of knowing which one they use for any particular cert.

Technically speaking, Let's Encrypt has one root cert, the ISRG Root X1.
They have multiple intermediates, some of which chain up to a root from
a different CA (IdenTrust), the DST Root CA X3. This was done to
bootstrap Let's Encrypt. By chaining off an existing CA (IdenTrust),
Let's Encrypt certificates were trusted by existing clients. Then, Let's
Encrypt went through the process to get their own root (the ISRG root)
into major clients through their root CA programs.

At some point, when "enough" of the installed base supports the ISRG
root, Let's Encrypt users can switch to requesting certs be issued from
the intermediates chained from ISRG. Eventually Let's Encrypt will no
longer need to rely on IdenTrust.

To use both, concatenate both root certificates (ISRG Root X1 and DST
Root CA X3) into a root ca _file_, or put both certificates (separately)
into a root ca directory and run `openssl rehash`.

> And note they specifically say: "Our roots are kept safely offline."
>
> So you can't even get the root to check it!

That sentence means they have the root's private key offline for
security reasons. The ISRG root's public certificate is linked from that
page. You can get DST Root CA X3 here:

https://www.identrust.com/dst-root-ca-x3

or you likely already have it installed, possibly at something like:

/etc/ssl/certs/DST_Root_CA_X3.pem

--
Richard
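The manual recipe from the first message (copy fullchain.pem, delete the end certificate in vi, run `openssl rehash`) as an added, scripted example; this is not code from the thread or from NTPsec. It assumes certbot's ordering (end certificate first, intermediates after), an OpenSSL that has `openssl rehash` (1.1.0 and later), and the `ca=` ntp.conf directive named in the message.

```sh
#!/bin/sh
# Added example, not from the thread: turn a certbot fullchain.pem into an
# OpenSSL CApath directory by dropping the first (end-entity) certificate,
# writing one certificate per file, and running `openssl rehash`.
# Assumptions: certbot ordering (leaf first, then intermediates), OpenSSL 1.1+
# (has `openssl rehash`), and the ntp.conf "ca=" directive from the thread.
set -eu

# Count certificates in a PEM bundle (prints 0 when there are none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... in bundle order.
# Text outside the BEGIN/END markers (certbot writes none) is discarded.
split_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n > 0 { print > f }
        /^-----END CERTIFICATE-----/ { close(f) }
    ' "$1"
}

# Build the hashed directory: $1 = fullchain.pem, $2 = target dir (e.g. /tmp/certs).
build_capath() {
    fullchain=$1; dir=$2
    [ "$(count_certs "$fullchain")" -ge 2 ] || {
        echo "$fullchain: need the leaf plus at least one intermediate" >&2
        return 1
    }
    mkdir -p "$dir"
    split_certs "$fullchain" "$dir"
    rm "$dir/cert-1.pem"            # cert-1 is the end-entity certificate
    openssl rehash "$dir"           # creates the <subject_hash>.0 symlinks
    # Sanity check: at least one certificate is now reachable by hash.
    ls "$dir"/*.0 >/dev/null
}

# Usage: build_capath /tmp/fullchain.pem /tmp/certs
# then set "ca=/tmp/certs" in ntp.conf.
```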
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel