On Sun, Aug 11, 2024 at 11:10:17AM +0200, Kirill A. Korinsky wrote:
> On Sun, 11 Aug 2024 09:57:31 +0200,
> Peter Philipp <[email protected]> wrote:
> >
> > openssl s_client returns this:
> > ----
> > Verify return code: 20 (unable to get local issuer certificate)
> > ----
> >
> > based on these two commands, of which the first one fails hard:
> >
> > 34 ftp
> > https://download.delphinusdns.org/pub/delphinusdnsd/snapshot/INSTALL/goldflipper11.png
> > 35 openssl s_client -connect download.delphinusdns.org:443
> >
> > how do I debug this? If anyone can hold my hand a little bit here, I would
> > appreciate it. I have added TLSA DNS entries for all the port 443's on my
> > DNS!
> >
>
> I see that you're using a certificate which was issued by Let's Encrypt,
> and I see that the certificate which is sent from your server hasn't got the full
> chain:
>
> Certificate chain
> 0 s:/CN=download.delphinusdns.org
> i:/C=US/O=Let's Encrypt/CN=R10
>
> I think that distributing the whole chain should fix that issue.
>
> --
> wbr, Kirill
Would this patch then make any sense?
-pjp
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.257
diff -u -p -u -r1.257 parse.y
--- parse.y 10 Aug 2024 05:47:29 -0000 1.257
+++ parse.y 11 Aug 2024 10:43:15 -0000
@@ -1372,6 +1372,8 @@ flag : STRING {
$$ = TLSFLAG_CIPHER_SERVER_PREF;
else if (strcmp("client-renegotiation", $1) == 0)
$$ = TLSFLAG_CLIENT_RENEG;
+ else if (strcmp("fullchain", $1) == 0)
+ $$ = TLSFLAG_KEYPAIR_FULLCHAIN;
else {
yyerror("invalid TLS flag: %s", $1);
free($1);
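Review bot: the new keyword is accepted alongside the protocol-level TLS flags (tlsv1.2, cipher-server-preference, client-renegotiation), but unlike them it does not change the handshake; it only changes which certificate file relay_load_certfiles opens under /etc/ssl. Either pick a name that hints at that (something like `cert-fullchain`) or make sure the relayd.conf.5 entry says plainly that the flag affects file selection only, so nobody expects it to alter what is sent on the wire beyond the extra chain certificates.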
Index: relayd.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
retrieving revision 1.191
diff -u -p -u -r1.191 relayd.c
--- relayd.c 25 Jun 2023 08:07:38 -0000 1.191
+++ relayd.c 11 Aug 2024 10:43:15 -0000
@@ -1367,11 +1367,14 @@ relay_load_certfiles(struct relayd *env,
goto fail;
if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/%s:%u.crt", hbuf, useport) == -1)
+ "/etc/ssl/%s:%u.%s", hbuf, useport, ((proto->tlsflags & \
+ TLSFLAG_KEYPAIR_FULLCHAIN) ? "fullchain.pem" : "crt")) == -1)
goto fail;
if ((cert_fd = open(certfile, O_RDONLY)) == -1) {
if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/%s.crt", hbuf) == -1)
+ "/etc/ssl/%s.%s", hbuf, ((proto->tlsflags & \
+ TLSFLAG_KEYPAIR_FULLCHAIN) ? "fullchain.pem" : "crt")
+ ) == -1)
goto fail;
if ((cert_fd = open(certfile, O_RDONLY)) == -1)
goto fail;
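Review bot: the backslash line continuations in `((proto->tlsflags & \` are unnecessary inside a parenthesised C expression (they only matter in macros), and the same ternary is spelled out twice, which also produces the awkward lone `) == -1)` line. Hoisting it once before the first snprintf, e.g. `const char *ext = (proto->tlsflags & TLSFLAG_KEYPAIR_FULLCHAIN) ? "fullchain.pem" : "crt";`, lets both format strings stay on a single line. Two further points: with the flag set the code never falls back to the `.crt` file, so a relay configured with the flag but without a `host.fullchain.pem` now fails to load where it previously worked (the man page's "prefers" suggests a fallback that is not implemented), and the hunk assumes `proto` is already in scope in relay_load_certfiles, which the context lines do not show and should be confirmed.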
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.209
diff -u -p -u -r1.209 relayd.conf.5
--- relayd.conf.5 14 Jul 2024 03:58:49 -0000 1.209
+++ relayd.conf.5 11 Aug 2024 10:43:15 -0000
@@ -1040,6 +1040,9 @@ The default is
Is deprecated and does nothing.
.It Ic tlsv1.1
Is deprecated and does nothing.
+.It Ic fullchain
+prefers the fullchain PEM file instead of the CRT as given by
+.Xr acme-client 1 .
.El
.It Ic http Ar option
Set the HTTP options and session settings.
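Review bot: "prefers" overstates what the relayd.c hunk does; it replaces the `.crt` lookup with `.fullchain.pem` outright and never tries `.crt` once the flag is set. Either describe it as a replacement and name the files actually opened (`/etc/ssl/host:port.fullchain.pem`, then `/etc/ssl/host.fullchain.pem`), or add a real fallback in relayd.c so the wording holds. The sentence should also start with a capital letter like the neighbouring entries (`Is deprecated and does nothing.`).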
Index: relayd.h
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.h,v
retrieving revision 1.274
diff -u -p -u -r1.274 relayd.h
--- relayd.h 10 Aug 2024 05:47:29 -0000 1.274
+++ relayd.h 11 Aug 2024 10:43:15 -0000
@@ -701,12 +701,14 @@ TAILQ_HEAD(relay_rules, relay_rule);
#define TLSFLAG_VERSION 0x1f
#define TLSFLAG_CIPHER_SERVER_PREF 0x20
#define TLSFLAG_CLIENT_RENEG 0x40
+#define TLSFLAG_KEYPAIR_FULLCHAIN 0x80
#define TLSFLAG_DEFAULT \
(TLSFLAG_TLSV1_2|TLSFLAG_TLSV1_3|TLSFLAG_CIPHER_SERVER_PREF)
#define TLSFLAG_BITS \
"\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2\05tlsv1.3" \
- "\06cipher-server-preference\07client-renegotiation"
+ "\06cipher-server-preference\07client-renegotiation" \
+ "\08fullchain"
#define TLSCIPHERS_DEFAULT "HIGH:!aNULL"
#define TLSECDHECURVES_DEFAULT "default"
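Review bot: `"\08fullchain"` is not a valid octal escape. The compiler reads it as `\0` followed by the character `8`, which NUL-terminates TLSFLAG_BITS right after `client-renegotiation`, so the new flag name would never be printed by the %b-style formatter that consumes this string. The bit numbers in TLSFLAG_BITS are octal, and 0x80 is bit 8, so the entry must be written as `"\010fullchain"` to follow on from the existing `\06` and `\07` entries.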
--
** out of spiffy .signature messages