On 30/09/2021 23:32, Miroslav Lachman wrote:

Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 34374359624:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:

[...]

Uz me moc nenapada, co jeste zkusit, aby fetch na FreeBSD 11.2 s ca_root_nss-3.63 byl schopny stahnout soubor z webserveru s aktualnim Let's Encrypt certifikatem.

Zeptej se a odpovez si sam :)

Pravdepodobne je to tenhle problem se starym OpenSSL 1.0:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

Last month, we announced that we've developed a way for Let's Encrypt subscribers to keep supporting older Android devices after our cross-signature from DST Root CA X3 expires this September.

There is one notable exception: OpenSSL versions 1.0.0 through 1.0.2 will reject the Android-compatible chain, regardless of whether they have ISRG Root X1 in their trust store.

Takze bych jedine musel na webserveru pouzivat jiny chain a tim odriznout zarizeni se starym Androidem 7.1.0.

Nebo muzu pro ten konkretni pripad pouzit --no-verify-peer.

Mirek
--
FreeBSD mailing list ([email protected])
http://www.freebsd.cz/listserv/listinfo/users-l

Odpovedet emailem