Re: Let's Encrypt certificates

Author: Matt Birkholz
Date:  
To: Main PLUG discussion list
Subject: Re: Let's Encrypt certificates
On Fri, 2018-04-13 at 14:47 -0700, Nathan O'Brennan wrote:
> On 2018-04-12 11:27, Matt Birkholz wrote:
> > Hi Nathan,
> >
> > Did you get any help with this, or figure it out yourself by now?
>
> No, to be honest I haven't seen a single response, but I have also not
> seen any email come in since I sent it, so I kind of thought maybe my
> certificate was messed up somehow else.


I think it is just hard to answer you without googling first, which
invites distraction.

> I ended up having my phone accept the certificate [...]


I have the same problem: insufficient curiosity to uninstall the
permanent exceptions (or did you actually turn validation OFF?). But
maybe another lurker will be forewarned and win AND tell us all about
it.

> > > [...]
> > > Firefox works fine on webmail.
> > > Chrome works fine on webmail.
> > > Postfix, Apache, and Dovecot all operate correctly without warnings.
> > >
> > > Bluemail, Thunderbird, and Kmail all fail to connect because the
> > > certificate cannot be verified.
> >
> > You did not attach the intermediate certificates?


I suggested missing intermediates because some clients may be willing
to pursue "additional downloads" to validate a cert, while others may
balk at incomplete chains.

I had not included Gandi's with my Gandi cert and then went down the
garden path of trying to add the intermediates as roots. It was not
until I took SSLLabs quality test that I twigged to the importance of
including the necessary intermediate certs. (Kudos on the SSL Labs
suggestion, Stephen.) Now the Gandi cert (complete chain) works as
expected, without exceptional handling, in Firefox 59 and (I hope)
Everywhere.

I pursued this minion of Chaos a bit further this morning, irritated
that I cannot trust my own self-signed cert, even though I had
installed it in /usr/local/share/ca-certificates/ and ran
`sudo update-ca-certificates` AND saw that a key was added (to
/etc/ssl/certs/ I guess).

Yet I only got Firefox 59 to shut the bleep up after explicitly
importing my (Easy-RSA CA) cert in Preferences > Privacy & Security >
View Certificates... > Authorities > Import... AND I had to create the
server cert with the INexact, all-too-Common-Name
core.birchwood-abbey.net (NOT the absolute core.birchwood-abbey.net.)
AND I had to use the same name in my CA's DB (i.e. on the
./build-key-server command line).

Kudos to anyone who can tell me how Firefox knew I had used the name
core25 on the command line (my twenty-sixth attempt [a tiny
exaggeration]), why I do not see "core25" anywhere in `openssl x509
-text`, and especially how to get the Vile Offspring to document
anything.

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
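As an added, self-contained illustration of the "incomplete chain" point discussed in the message above (this is not code from the original post or from the PLUG list), the script below builds a throwaway root CA, intermediate CA and server certificate with openssl, then runs `openssl verify` as a local stand-in for the SSL Labs check: validation fails when the client is handed only the leaf, succeeds once the intermediate travels with it, and the hostname check is shown to be a separate step from chain building. All names (Example Root CA, Example Intermediate CA, mail.example.test) are made-up placeholders, and the files live in a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example (not from the original message): build a root -> intermediate
# -> server-cert chain and show how a missing intermediate breaks validation.
# Every name below is a constructed placeholder.
set -e

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# One config file; each x509v3 section is selected with -extensions.
cat > "$W/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# Self-signed root: the one certificate a client has to trust in advance.
newkey "$W/root.key"
openssl req -x509 -new -key "$W/root.key" -subj "/CN=Example Root CA" \
  -days 2 -config "$W/pki.cnf" -extensions v3_root -out "$W/root.pem"

# Intermediate signed by the root: the piece a server must send along.
newkey "$W/int.key"
openssl req -new -key "$W/int.key" -subj "/CN=Example Intermediate CA" \
  -config "$W/pki.cnf" -out "$W/int.csr"
openssl x509 -req -sha256 -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
  -CAcreateserial -days 2 -extfile "$W/pki.cnf" -extensions v3_int \
  -out "$W/int.pem" 2>/dev/null

# Server certificate signed by the intermediate, with a SAN, not just a CN.
newkey "$W/leaf.key"
openssl req -new -key "$W/leaf.key" -subj "/CN=mail.example.test" \
  -config "$W/pki.cnf" -out "$W/leaf.csr"
openssl x509 -req -sha256 -in "$W/leaf.csr" -CA "$W/int.pem" -CAkey "$W/int.key" \
  -CAcreateserial -days 2 -extfile "$W/pki.cnf" -extensions v3_leaf \
  -out "$W/leaf.pem" 2>/dev/null

# Each check prints "ok" or "fail" instead of aborting, so results compare cleanly.
check() { if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

# Client trusts only the root and is shown only the leaf: the incomplete-chain case.
verify_leaf_only() { check -CAfile "$W/root.pem" "$W/leaf.pem"; }
# Leaf plus intermediate, as a correctly configured server presents them.
verify_with_intermediate() {
  check -CAfile "$W/root.pem" -untrusted "$W/int.pem" "$W/leaf.pem"
}
# Same complete chain, but also require the SAN to match a given hostname.
verify_hostname() {
  check -CAfile "$W/root.pem" -untrusted "$W/int.pem" -verify_hostname "$1" "$W/leaf.pem"
}

# Print subject/issuer of each certificate so the chain links are visible.
chain_summary() {
  for c in leaf int root; do
    echo "$c:"; openssl x509 -in "$W/$c.pem" -noout -subject -issuer
  done
}

chain_summary
echo "leaf only:               $(verify_leaf_only)"
echo "with intermediate:       $(verify_with_intermediate)"
echo "name mail.example.test:  $(verify_hostname mail.example.test)"
echo "name other.example.test: $(verify_hostname other.example.test)"
```

The `-untrusted` file plays the role of the intermediates a server includes in its handshake; a client that only has the root and never receives that file lands in the first, failing case, which is the situation some mail clients in the thread appear to hit while browsers that fetch missing issuers silently recover.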