Hi,

I’m getting spurious ‘certificate not trusted’ errors on client programs on OSX 10.11.6. Server cert is from letsencrypt and worked so far, but:

- - -
[caldav3:local/etc/caldavd] root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav.lrau.net:8443
CONNECTED(00000003)
depth=0 CN = caldav.lrau.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=caldav.lrau.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
. . .
Verify return code: 21 (unable to verify the first certificate)
- - -

If I put the Let’s Encrypt Authority X3 cert (https://letsencrypt.org/certificates/) in PEM format into the config dir and point SSLAuthorityChain at it, I get:

- - -
root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav3.lrau.net:8443
CONNECTED(00000003)
34379258024:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
- - -

These certs work with all other servers. So what am I doing wrong?

Axel

Installed versions:
- - -
gettext-runtime-0.19.8.1 GNU gettext runtime libraries and programs
gmp-5.1.3_3 Free library for arbitrary precision arithmetic
indexinfo-0.2.4 Utility to regenerate the GNU info page index
libevent2-2.0.22_1 API for executing callback functions on events or timeouts
libffi-3.2.1 Foreign Function Interface
memcached-1.4.25 High-performance distributed memory object cache system
perl5-5.20.3_15 Practical Extraction and Report Language
pkg-1.8.7_1 Package manager
postgresql94-client-9.4.9 PostgreSQL database (client)
py27-PyGreSQL-5.0.1,1 Python interface to PostgreSQL, both classic and DP-API 2.0
py27-attrs-16.0.0 Python attributes without boilerplate
py27-calendar-0.15423 Library for iCalendar/vCard data
py27-calendarserver-8.0_8 Calendar and Contacts Server from Apple (RFC 4791, RFC 6352)
py27-cffi-1.7.0 Foreign Function Interface for Python calling C code
py27-characteristic-14.3.0 Python attributes without boilerplate
py27-cryptography-1.4 Cryptographic recipes and primitives for Python developers
py27-dateutil-2.5.0 Extensions to the standard Python datetime module
py27-enum34-1.1.6 Python 3.4 Enum backported to 3.3, 3.2, 3.1, 2.7
py27-idna-2.0 Internationalized Domain Names in Applications (IDNA)
py27-ipaddress-1.0.16 Python 3.3's ipaddress for Python 2.6 and 2.7
py27-openssl-16.0.0 Python interface to the OpenSSL library
py27-pg8000-1.10.6 Pure-Python Interface to the PostgreSQL Database
py27-psutil-4.3.0 Process utilities module for Python
py27-pyasn1-0.1.9 ASN.1 toolkit for Python
py27-pyasn1-modules-0.0.8_1 Collection of ASN.1 data structures for py-asn1
py27-pycparser-2.10 C parser in Python
py27-pycrypto-2.6.1_1 Python Cryptography Toolkit
py27-pytz-2016.6.1,1 World Timezone Definitions for Python
py27-service_identity-16.0.0 Service identity verification for pyOpenSSL
py27-setproctitle-1.1.10 Python module to customize the process title
py27-setuptools27-23.1.0 Python packages installer
py27-six-1.10.0 Python 2 and 3 compatibility utilities
py27-sqlite3-2.7.12_7 Standard Python binding to the SQLite3 library (Python 2.7)
py27-sqlparse-0.1.16 Non-validating SQL parser for Python
py27-twext-0.15423 Extensions to Twisted
py27-twisted-15.5.0 Asynchronous networking framework written in Python
py27-xattr-0.7.8 Python wrapper for extended filesystem attributes
py27-zope.interface-4.1.3 Interfaces for Python
python2-2_3 The "meta-port" for version 2 of the Python interpreter
python27-2.7.12 Interpreted object-oriented programming language
sqlite3-3.14.1 SQL database engine in a C library

OpenSSL 1.0.1p-freebsd 9 Jul 2015
FreeBSD caldav3 10.1-RELEASE-p35 FreeBSD 10.1-RELEASE-p35 #0: Sat May 28 03:37:01 UTC 2016 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

---
PGP-Key:29E99DD6 ☀ computing @ chaos claudius
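
Added example, not part of the original post: a small parser for the `Certificate chain` section of `openssl s_client -showcerts` output that tells apart the two situations in the transcripts above, a server presenting a single certificate whose issuer is not in the chain, and a handshake that ends before any certificate is sent. The sample strings are constructed by trimming those transcripts; the function and variable names are hypothetical.

```python
import re

# Constructed sample, trimmed from the first transcript in the post.
SAMPLE_LEAF_ONLY = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=caldav.lrau.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""
# Constructed sample, trimmed from the second transcript (handshake failure).
SAMPLE_NO_CERT = "CONNECTED(00000003)\n---\nno peer certificate available\n---\n"

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"

def parse_chain(text):
    """Return [(index, subject, issuer)] from the 'Certificate chain' section."""
    chain, in_chain, pending = [], False, None
    for line in text.splitlines():
        entry, issuer = ENTRY.match(line), ISSUER.match(line)
        if line.strip() == "Certificate chain":
            in_chain = True
        elif not in_chain:
            continue
        elif line.strip() == "---":
            break  # end of section; PEM "-----BEGIN" lines are not equal to "---"
        elif entry:
            pending = (int(entry.group(1)), entry.group(2).strip())
        elif issuer and pending:
            chain.append(pending + (issuer.group(1).strip(),))
            pending = None
    return chain

def diagnose(text):
    """Classify what the server presented during the handshake."""
    chain = parse_chain(text)
    errors = [int(n) for n in re.findall(r"^verify error:num=(\d+):", text, re.M)]
    if not chain:
        return {"status": "no-certificate", "errors": errors}
    _, top_subject, top_issuer = chain[-1]
    # A single entry whose issuer differs from its subject means no intermediate
    # was sent, so the client must already hold that issuer to build a path.
    leaf_only = len(chain) == 1 and top_issuer != top_subject
    return {"status": "leaf-only" if leaf_only else "chain-sent", "sent": len(chain),
            "missing_issuer": top_issuer if leaf_only else None, "errors": errors}
```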