TLS handshake failure with acme-client from the FreeBSD 11 ports


When I run the acme-client provided with the FreeBSD 11.0 ports tree (acme-client-0.1.15_1), I get an error in the handshake with the LetsEncrypt server (2a02:26f0:7b:48f::3d5).

I installed libressl (libressl-2.4.5) and added

DEFAULT_VERSIONS+=ssl=libressl

to /etc/make.conf. I installed acme-client after installing libressl.

This is the output when I add the -vv parameter:

acme-client: /usr/local/etc/acme/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: domain key exists (not creating)
acme-client: /usr/local/etc/acme/privkey.pem: loaded RSA account key
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48f::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48e::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.62.131.169
acme-client: 2a02:26f0:7b:48f::3d5: tls_write: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: 2a02:26f0:7b:48f::3d5: tls_read: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: https://acme-v01.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(60565): 1

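After a night of searching for a solution, I did find people with similar problems, but they used different software, and their solutions did not fit or did not work for me. Am I right in thinking the problem lies with libressl? How can I test this or, better, fix it?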

Answer 1

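The FreeBSD operating system does not have root certificate authority SSL certificates by default. The easiest way is to use Mozilla's root certificates by installing them from the security/ca_root_nss port: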

cd /usr/ports/security/ca_root_nss
make install clean
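
An offline check for the condition this answer describes, added here as an example and not part of the original question or answer: it classifies a line of `acme-client -vv` output and looks for a CA bundle that actually contains certificates. The function names and the candidate bundle paths are assumptions made for the example; adjust the paths to your system.

```sh
#!/bin/sh
# Added example. The candidate paths are assumptions about where a FreeBSD
# host keeps its CA bundle (the ca_root_nss file and cert.pem links).
CA_CANDIDATES="/usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem"

# Print the first path that is readable and holds at least one PEM
# certificate; return 1 if every candidate is missing or empty.
find_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Classify one line of acme-client -vv output.
#   trust     - the server certificate could not be verified locally
#   handshake - the handshake failed for some other reason
#   other     - not a TLS handshake error
classify_tls_error() {
    case "$1" in
        *"certificate verify failed"*) echo "trust" ;;
        *"handshake failed"*)          echo "handshake" ;;
        *)                             echo "other" ;;
    esac
}

# Combine both checks: $1 is the log line, the rest are bundle paths.
diagnose() {
    line=$1; shift
    kind=$(classify_tls_error "$line")
    if bundle=$(find_ca_bundle "$@"); then
        echo "$kind: CA bundle present at $bundle"
    else
        echo "$kind: no CA bundle found"
    fi
}

# Log line taken from the question's -vv output.
SAMPLE='acme-client: 2a02:26f0:7b:48f::3d5: tls_write: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

# Word splitting of CA_CANDIDATES is intended here.
diagnose "$SAMPLE" $CA_CANDIDATES
```

A result of `trust: no CA bundle found` matches the situation the answer describes; `trust: CA bundle present at ...` means the bundle exists and the verification failure has another cause.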
