Re: DNF and https
On Sun, 2016-04-10 at 18:59 +0100, Russel Winder wrote:
> On Sun, 2016-04-10 at 11:35 -0400, Igor Gnatenko wrote:
> > Can you try this?
> >
> > SSLCertificateFile /etc/letsencrypt/live/www.russel.org.uk/cert.pem
> > SSLCertificateKeyFile /etc/letsencrypt/live/www.russel.org.uk/privkey.pem
> > SSLCertificateChainFile /etc/letsencrypt/live/www.russel.org.uk/fullchain.pem
>
> Well that made a huge difference. Does this mean I just missed this
> third line?

What would actually be 'most correct' is just:

SSLCertificateFile /etc/letsencrypt/live/www.russel.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.russel.org.uk/privkey.pem

What the server should make available (in current standard practice) is the full chain of certificates from the CA to its own certificate. Apache since 2.4.8 lets you do this simply by specifying SSLCertificateFile as a single chain file containing all those certificates - which is what letsencrypt's 'fullchain.pem' is. In older Apaches you could only specify a full chain as SSLCertificateChainFile (and I believe you had to specify the server cert as SSLCertificateFile and the chain from issuing CA to root CA as SSLCertificateChainFile), but from 2.4.8 onwards you can just provide the entire chain as SSLCertificateFile and this technically obsoletes the use of SSLCertificateChainFile, though for now Apache will still accept it. See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile .

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

-- 
test mailing list
test@lists.fedoraproject.org
To unsubscribe: http://lists.fedoraproject.org/admin/lists/test@lists.fedoraproject.org
Re: DNF and https
On 04/09/2016 07:35 AM, Russel Winder wrote:
> I have experimental evidence that dnf fails using https if the
> repository site certificate is a Let's Encrypt one. Is this a bug or a
> feature?

Have you correctly included the certificate chain? If not, your browser might have the required intermediate certs, so you won't get a warning there. Clients that don't have a similarly complete certificate store would fail.
Re: DNF and https
On Sun, 2016-04-10 at 11:35 -0400, Igor Gnatenko wrote:
> Can you try this?
>
> SSLCertificateFile /etc/letsencrypt/live/www.russel.org.uk/cert.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/www.russel.org.uk/privkey.pem
> SSLCertificateChainFile /etc/letsencrypt/live/www.russel.org.uk/fullchain.pem

Well that made a huge difference. Does this mean I just missed this third line?

-- 
Russel.
=
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
Re: DNF and https
Can you try this?

SSLCertificateFile /etc/letsencrypt/live/www.russel.org.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.russel.org.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.russel.org.uk/fullchain.pem

----- Original Message -----
> From: "Russel Winder"
> To: test@lists.fedoraproject.org
> Sent: Sunday, April 10, 2016 4:41:33 PM
> Subject: Re: DNF and https
>
> On Sun, 2016-04-10 at 08:55 -0400, Igor Gnatenko wrote:
> > […]
> > how did you set SSL there? I guess a bit wrongly..
>
> SSLEngine on
> SSLCertificateFile "/etc/letsencrypt/live/www.russel.org.uk/cert.pem"
> SSLCertificateKeyFile "/etc/letsencrypt/live/www.russel.org.uk/privkey.pem"
> SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
> SSLHonorCipherOrder on
>
> The SSL key covers three domains hence the russel rather than winder in
> the path.
>
> I am by no means an expert at Apache configuration, so I can well
> believe I have made an error.
>
> > CN in ur cert is Let's Encrypt Authority X3, in my case where it
> > works correctly - Let's Encrypt Authority X1
>
> I just got a key from them three months ago and renewed two days ago. I
> have no idea what the X3/X1 signify!
>
> > Please show settings of your webserver..
>
> Is the above what you were asking for? If not I can post other
> snippets.
>
> --
> Russel.

-- 
-Igor Gnatenko
Re: DNF and https
On Sun, 2016-04-10 at 08:55 -0400, Igor Gnatenko wrote:
> […]
> how did you set SSL there? I guess a bit wrongly..

SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/www.russel.org.uk/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.russel.org.uk/privkey.pem"
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

The SSL key covers three domains hence the russel rather than winder in the path.

I am by no means an expert at Apache configuration, so I can well believe I have made an error.

> CN in ur cert is Let's Encrypt Authority X3, in my case where it
> works correctly - Let's Encrypt Authority X1

I just got a key from them three months ago and renewed two days ago. I have no idea what the X3/X1 signify!

> Please show settings of your webserver..

Is the above what you were asking for? If not I can post other snippets.

-- 
Russel.
=
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
Re: DNF and https
$ curl https://www.winder.org.uk/Fedora-RPMs/
curl: (60) Peer's Certificate issuer is not recognized.
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

how did you set SSL there? I guess a bit wrongly..

CN in ur cert is Let's Encrypt Authority X3, in my case where it works correctly - Let's Encrypt Authority X1

Please show settings of your webserver..

----- Original Message -----
> From: "Russel Winder"
> To: test@lists.fedoraproject.org
> Sent: Sunday, April 10, 2016 1:38:48 PM
> Subject: Re: DNF and https
>
> On Sat, 2016-04-09 at 15:54 +0100, Pawel Bogucki wrote:
> > Do you have a public repo with such cert for testing?
>
> https://www.winder.org.uk/Fedora-RPMs/
>
> should be accessible from everywhere.
>
> > On 9 April 2016 at 15:35, Russel Winder wrote:
> > > Hi,
> > >
> > > I have experimental evidence that dnf fails using https if the
> > > repository site certificate is a Let's Encrypt one. Is this a bug
> > > or a feature?
> > >
> > > --
> > > Russel.
>
> --
> Russel.

-- 
-Igor Gnatenko
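The curl error above ("Peer's Certificate issuer is not recognized"), the "have you included the certificate chain?" question, and Adam's explanation of why fullchain.pem belongs in SSLCertificateFile all describe one failure: the server sends only the leaf certificate, and a client whose CA bundle holds roots but not the issuing intermediate cannot build a path. The script below is an added example, not code from this thread or from Fedora. It reproduces the problem offline with a throwaway PKI built by the openssl CLI, then checks the leaf the way dnf or curl would, once against a letsencrypt-style cert.pem (leaf only) and once against fullchain.pem (leaf plus intermediate). The only assumptions are an openssl of 1.1.0 or later on PATH plus mktemp and basename; every name in it (Demo Root, repo.example.test, the file names) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the chain problem offline:
# builds a throwaway PKI (root -> intermediate -> leaf) with the openssl CLI and
# checks the leaf the way a client with only the root in its CA bundle would.
# Assumes only: openssl >= 1.1.0 on PATH, mktemp, basename. All names
# (Demo Root, repo.example.test, the file names) are constructed for the demo.

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

build_demo_pki() {
    # Root and intermediate must carry basicConstraints CA:TRUE, or openssl
    # verify refuses to accept them as issuers (X509_V_ERR_INVALID_CA).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI/ca.ext"

    # Self-signed root: CSR, then sign it with its own key.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$PKI/root.key" -out "$PKI/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$PKI/root.csr" -signkey "$PKI/root.key" \
        -extfile "$PKI/ca.ext" -out "$PKI/root.pem" 2>/dev/null

    # Intermediate, signed by the root: the certificate a leaf-only cert.pem lacks.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$PKI/int.key" -out "$PKI/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$PKI/int.csr" -CA "$PKI/root.pem" \
        -CAkey "$PKI/root.key" -CAcreateserial -extfile "$PKI/ca.ext" \
        -out "$PKI/int.pem" 2>/dev/null

    # Leaf (server) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=repo.example.test" \
        -keyout "$PKI/privkey.pem" -out "$PKI/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$PKI/leaf.csr" -CA "$PKI/int.pem" \
        -CAkey "$PKI/int.key" -CAcreateserial -out "$PKI/cert.pem" 2>/dev/null

    # The two layouts letsencrypt writes: cert.pem (leaf only) and
    # fullchain.pem (leaf followed by the intermediates).
    cat "$PKI/cert.pem" "$PKI/int.pem" > "$PKI/fullchain.pem"
}

# check_chain TRUST_BUNDLE SERVED_PEM
#   TRUST_BUNDLE: what the client trusts (here the root only, like a system
#                 ca-bundle that carries roots but not every intermediate).
#   SERVED_PEM:   every certificate the server hands out in the handshake.
# Returns 0 when the leaf chains to the trust bundle, 1 otherwise.
check_chain() {
    trust=$1
    served=$2
    leaf=$(mktemp)
    # The first certificate in the served file is the leaf; `openssl x509`
    # reads exactly one certificate, so this isolates it.
    openssl x509 -in "$served" -out "$leaf" 2>/dev/null
    # Everything served is offered as untrusted intermediates, which is
    # exactly how a TLS client treats the server's chain. -no-CAfile/-no-CApath
    # keep the system store out of the picture so only TRUST_BUNDLE counts.
    if openssl verify -no-CAfile -no-CApath -CAfile "$trust" \
            -untrusted "$served" "$leaf" >/dev/null 2>&1; then
        rm -f "$leaf"
        echo "OK: $(basename "$served") chains to the trust bundle"
        return 0
    fi
    rm -f "$leaf"
    echo "FAIL: $(basename "$served") does not chain to the trust bundle (issuer not recognized)"
    return 1
}

build_demo_pki
check_chain "$PKI/root.pem" "$PKI/cert.pem" || true       # leaf only: FAIL
check_chain "$PKI/root.pem" "$PKI/fullchain.pem" || true  # full chain: OK
```

The first check fails for the same reason curl reported error 60: the issuer of the leaf is the intermediate, and neither the served file nor the trust bundle contains it. The second succeeds because fullchain.pem carries the intermediate alongside the leaf, which is what SSLCertificateFile should point at on Apache 2.4.8 and later. To run the same check against a live server, capture what it actually sends with `openssl s_client -connect host:443 -servername host -showcerts`, save the PEM blocks from that output as the served file, and pass the system CA bundle as the trust bundle.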
Re: DNF and https
On Sat, 2016-04-09 at 15:54 +0100, Pawel Bogucki wrote:
> Do you have a public repo with such cert for testing?

https://www.winder.org.uk/Fedora-RPMs/

should be accessible from everywhere.

> On 9 April 2016 at 15:35, Russel Winder wrote:
> > Hi,
> >
> > I have experimental evidence that dnf fails using https if the
> > repository site certificate is a Let's Encrypt one. Is this a bug
> > or a feature?
> >
> > --
> > Russel.

-- 
Russel.
=
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder
Re: DNF and https
On Sat, 2016-04-09 at 15:54 +0100, Pawel Bogucki wrote:
> Do you have a public repo with such cert for testing?

You could try one of the repos I have lying around www.happyassassin.net, as I just flipped that over to LE. https://www.happyassassin.net/repos/doom/ should do.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: DNF and https
Do you have a public repo with such cert for testing?

On 9 April 2016 at 15:35, Russel Winder wrote:
> Hi,
>
> I have experimental evidence that dnf fails using https if the
> repository site certificate is a Let's Encrypt one. Is this a bug or a
> feature?
>
> --
> Russel.

-- 
Pawel Bogucki
Ph: +353 85 8184879
DNF and https
Hi,

I have experimental evidence that dnf fails using https if the repository site certificate is a Let's Encrypt one. Is this a bug or a feature?

-- 
Russel.
=
Dr Russel Winder      t: +44 20 7585 2200   voip: sip:russel.win...@ekiga.net
41 Buckmaster Road    m: +44 7770 465 077   xmpp: rus...@winder.org.uk
London SW11 1EN, UK   w: www.russel.org.uk  skype: russel_winder