
When I run the acme-client delivered with the ports tree of FreeBSD 11.0 (acme-client-0.1.15_1) I get an error in the handshake with the letsencrypt server (2a02:26f0:7b:48f::3d5).

I have libressl (libressl-2.4.5) installed and added

DEFAULT_VERSIONS+=ssl=libressl

to /etc/make.conf. I installed acme-client after installing libressl.

This is the output when I add the -vv parameter:

acme-client: /usr/local/etc/acme/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: domain key exists (not creating)
acme-client: /usr/local/etc/acme/privkey.pem: loaded RSA account key
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48f::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48e::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.62.131.169
acme-client: 2a02:26f0:7b:48f::3d5: tls_write: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: 2a02:26f0:7b:48f::3d5: tls_read: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: https://acme-v01.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(60565): 1

After a night of searching for solutions I did find people with similar problems, but with different software and solutions that did not apply or work for me. Am I right to assume that the problem lies with libressl? How can I test this, or better, solve this problem?

  • Try to get a different client. I am using acme-tiny, which is just 200 lines of Python code that can be audited very easily. Personally I don't use the port's version of letsencrypt because I don't want any program (especially one requiring to run as root) to manage such important stuff as SSL keys. Use OpenSSL instead of libressl for key generation to test whether it is a problem with LibreSSL.
    – Alex
    Commented Feb 3, 2017 at 0:13
  • @Alex: this error isn't in key generation but in connecting to the server. Lexib0y: probably your truststore doesn't have the root(s) to validate the server cert -- for me (but should be consistent across Akamai) that's DST Root CA X3 as specified in the offered chain, or Identrust Commercial Root 1 assuming libre supports bypassing the chain to the truststore as Open added in 1.0.1, IIRC pre-fork. I don't know what libre (either upstream or in FreeBSD) does for default truststore. (Open upstream doesn't do any, leaving it up to packagers and installers.) If so add one of them.
    – dave_thompson_085
    Commented Feb 3, 2017 at 7:36
  • @dave_thompson_085 To me it looks like an error with certificate verification. Lexib0y: did you install the security/ca_root_nss port on your FreeBSD?
    – Alex
    Commented Feb 3, 2017 at 7:48
  • @Alex installing this 'port' did the trick. I am in no way an expert on this subject, so thanks for your help!
    – Lexib0y
    Commented Feb 3, 2017 at 10:57
  • @dave_thompson_085 I will look into that acme-tiny client too, I did not know it existed.
    – Lexib0y
    Commented Feb 3, 2017 at 11:03

1 Answer


The FreeBSD operating system does not ship root certificate authority certificates by default. The simplest way is to use Mozilla's root certificates by installing them from the security/ca_root_nss port as:

cd /usr/ports/security/ca_root_nss
make install clean
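Added here as an example (not from the original post, the answer, or the acme-client project): a stdlib-only Python diagnostic that answers the question raised in the comments, namely where the TLS library looks for roots and whether it actually loaded any. The two FreeBSD bundle paths and the `roots_in_bundle` helper are assumptions based on what the ca_root_nss port installs; the CN check uses "DST Root CA X3" from the comment thread.

```python
"""Offline trust-store diagnostic: explains a 'certificate verify failed' handshake."""
import os
import ssl

# Assumed locations of the Mozilla bundle installed by security/ca_root_nss on FreeBSD.
FREEBSD_BUNDLE_PATHS = (
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/cert.pem",
)


def default_trust_store_report():
    """Report where the linked TLS library looks for roots and how many CAs it loads."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the platform default roots, if any
    stats = ctx.cert_store_stats()      # {'x509': n, 'crl': n, 'x509_ca': n}
    return {
        "cafile": paths.openssl_cafile,
        "capath": paths.openssl_capath,
        "ca_count": stats["x509_ca"],
        "bundle_present": [p for p in FREEBSD_BUNDLE_PATHS if os.path.exists(p)],
    }


def diagnose(report):
    """Turn the report into the next step an admin would take."""
    if report["ca_count"] == 0:
        if report["bundle_present"]:
            hint = " (point the TLS library at %s)" % report["bundle_present"][0]
        else:
            hint = " (install security/ca_root_nss)"
        return "no CA roots loaded: 'certificate verify failed' is expected" + hint
    return "OK: %d CA roots loaded" % report["ca_count"]


def roots_in_bundle(pem_path, wanted_cn="DST Root CA X3"):
    """Load a PEM bundle explicitly; return (wanted CN present?, number of distinct CNs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    cns = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    cns.add(value)
    return wanted_cn in cns, len(cns)


if __name__ == "__main__":
    rep = default_trust_store_report()
    print(rep)
    print(diagnose(rep))
```

Run it with the same Python that is linked against the TLS library you suspect; a zero CA count reproduces the failure seen in the acme-client output regardless of which client is used.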

