FreeBSD 11 port acme-client's tls handshake fails

1

When I run the acme-client delivered with the ports tree of FreeBSD 11.0 (acme-client-0.1.15_1) I get an error in the handshake with the letsencrypt server (2a02:26f0:7b:48f::3d5).

I have libressl (libressl-2.4.5) installed and added

DEFAULT_VERSIONS+=ssl=libressl

to /etc/make.conf. I installed acme-client after installing libressl.

This is the output when I add the -vv parameter:

acme-client: /usr/local/etc/acme/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: domain key exists (not creating)
acme-client: /usr/local/etc/acme/privkey.pem: loaded RSA account key
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48f::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48e::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.62.131.169
acme-client: 2a02:26f0:7b:48f::3d5: tls_write: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: 2a02:26f0:7b:48f::3d5: tls_read: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: https://acme-v01.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(60565): 1

After a night of searching for solutions I did find people with similar problems, but with different software and solutions that did not apply or work for me. Am I right to assume that the problem lies with libressl? How can I test this, or better, solve this problem?

Lexib0y

Posted 2017-02-02T21:56:49.927

Reputation: 139

Try to get a different client. I use acme-tiny, which is just 200 lines of Python code that can be audited very easily. Personally I don't use the port's version of letsencrypt because I don't want any program (especially one that requires running as root) to manage such important stuff as SSL keys. Use OpenSSL instead of libressl for key generation to test whether it is a problem with LibreSSL.

– Alex – 2017-02-03T00:13:49.910

1

@Alex: this error isn't in key generation but in connecting to the server. Lexib0y: probably your truststore doesn't have the root(s) to validate the server cert -- for me (but it should be consistent across Akamai) that's DST Root CA X3 as specified in the offered chain, or IdenTrust Commercial Root 1 assuming libre supports bypassing the chain to the truststore as Open added in 1.0.1, IIRC pre-fork. I don't know what libre (either upstream or in FreeBSD) does for the default truststore. (Open upstream doesn't do any, leaving it up to packagers and installers.) If so, add one of them. – dave_thompson_085 – 2017-02-03T07:36:23.230

1

@dave_thompson_085 To me it looks like an error with certificate verification. Lexib0y: did you install the security/ca_root_nss port on your FreeBSD? – Alex – 2017-02-03T07:48:38.867

@Alex installing this 'port' did the trick. I am in no way an expert on this subject, so thanks for your help! – Lexib0y – 2017-02-03T10:57:19.900

@dave_thompson_085 I will look into that acme-tiny client too, I did not know it existed. – Lexib0y – 2017-02-03T11:03:06.410

Answers

2

The FreeBSD operating system does not ship root certificate authority SSL certificates by default. The simplest way is to use Mozilla's root certificates by installing them from the security/ca_root_nss port as:

cd /usr/ports/security/ca_root_nss
make install clean

Alex

Posted 2017-02-02T21:56:49.927

Reputation: 5 606
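The failure mode this answer fixes can be reproduced offline: a verifying TLS client with an empty trust store gets exactly the "certificate verify failed" result seen in the question, and the same client succeeds once the right CA file is loaded. This is an added example, not code from the question, the answer or acme-client; it assumes the openssl CLI is on PATH (used only to generate a throwaway self-signed cert), a free loopback port, and that in real use the CA file would be the bundle the port installs (/usr/local/share/certs/ca-root-nss.crt).

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir):
    """Constructed test data: a throwaway key and self-signed cert for 'localhost',
    generated with the openssl CLI (assumed to be on PATH)."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, crt

def start_tls_server(key, crt, connections):
    """Answer `connections` TLS handshakes on a loopback port; return the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    def run():
        for _ in range(connections):
            conn, _addr = srv.accept()
            conn.settimeout(5)
            try:
                ctx.wrap_socket(conn, server_side=True).close()
            except OSError:
                pass  # client rejected our cert: the failure mode being demonstrated
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def handshake(port, cafile=None):
    """Connect as a verifying client; return 'ok' or OpenSSL's verify reason.
    cafile=None leaves no roots loaded, the FreeBSD situation the answer describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification on, nothing trusted yet
    if cafile:
        ctx.load_verify_locations(cafile)  # real use: /usr/local/share/certs/ca-root-nss.crt
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            with ctx.wrap_socket(s, server_hostname="localhost"):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return e.reason  # 'CERTIFICATE_VERIFY_FAILED', as in acme-client's -vv output

def demo():
    """One handshake with an empty trust store, one with the right CA file loaded."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed(tmp)
        port = start_tls_server(key, crt, 2)
        return {"no_roots": handshake(port), "with_roots": handshake(port, crt)}
```

Pointing `handshake()` at a CA file that does not contain the server's issuer chain reproduces the question's error; loading the installed root bundle is what the port fix changes.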