When I run the acme-client shipped in the FreeBSD 11.0 ports tree (acme-client-0.1.15_1), the handshake with the letsencrypt server fails (2a02:26f0:7b:48f::3d5).
I have installed libressl (libressl-2.4.5) and added
DEFAULT_VERSIONS+=ssl=libressl
to /etc/make.conf. I installed acme-client after installing libressl.
This is the output when I add the -vv flag:
acme-client: /usr/local/etc/acme/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: domain key exists (not creating)
acme-client: /usr/local/etc/acme/privkey.pem: loaded RSA account key
acme-client: /usr/local/etc/ssl/acme/private/pma.lxs.biz.pem: loaded RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48f::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:7b:48e::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.62.131.169
acme-client: 2a02:26f0:7b:48f::3d5: tls_write: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: 2a02:26f0:7b:48f::3d5: tls_read: handshake failed: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
acme-client: https://acme-v01.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(60565): 1
After a whole night of searching for a solution, I did find people with similar problems, but with different software and solutions that either did not apply to me or did not work. Can I assume the problem lies with libressl? How can I test that, or better, fix it?
Answer 1
FreeBSD does not ship root certificate authority SSL certificates by default. The easiest way is to use Mozilla's root certificates by installing them from ports via security/ca_root_nss:
cd /usr/ports/security/ca_root_nss
make install clean
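To check the fix from the answer above, here is an added diagnostic script (written for this edit, not part of the original answer or of acme-client) that looks for a root CA bundle at the paths ca_root_nss normally installs (those paths are an assumption), counts the certificates in it, and verifies the Let's Encrypt endpoint's chain against it with openssl s_client. Run it with `sh check_ca.sh run`; a missing bundle reproduces the "certificate verify failed" situation, a populated one should verify.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original answer): locate a root CA
# bundle on a FreeBSD host and verify the TLS chain of the ACME endpoint.
# The candidate paths below are the usual ones written by security/ca_root_nss
# (assumption); override with CA_CANDIDATES for testing.

# Print the first readable, non-empty CA bundle among the candidate paths.
find_ca_bundle() {
    candidates=${CA_CANDIDATES:-"/usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem"}
    for f in $candidates; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Count the PEM certificates in a bundle; a bundle with none verifies nothing.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Verify the server chain of host:443 against the bundle using openssl s_client.
# Returns 0 only when openssl reports "Verify return code: 0 (ok)".
verify_host() {
    host=$1
    bundle=$2
    printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$bundle" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

main() {
    if bundle=$(find_ca_bundle); then
        echo "CA bundle: $bundle ($(count_certs "$bundle") certificates)"
        if verify_host acme-v01.api.letsencrypt.org "$bundle"; then
            echo "chain verifies: acme-client should be able to talk to Let's Encrypt"
        else
            echo "chain does NOT verify against $bundle"
        fi
    else
        echo "no CA bundle found: install security/ca_root_nss" >&2
        exit 1
    fi
}

# Only run the network check when invoked as: sh check_ca.sh run
case "${1:-}" in run) main ;; esac
```

If the bundle is found but the chain still fails, the next thing to compare is which OpenSSL/LibreSSL library acme-client is actually linked against (ldd on the binary), since each library looks for its default CA file in its own location.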