
This queue is for tickets about the Mozilla-CA CPAN distribution.

Report information
The Basics
Id: 120332
Status: open
Priority: 0/
Queue: Mozilla-CA

People
Owner: Nobody in particular
Requestors: 'spro^^*%*^6ut# [...] &$%*c
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Let’s Encrypt certificates fail
    $ perl -MIO::Socket::SSL -e 'new IO::Socket::SSL "easternchristiansupply.biz:443" or die IO::Socket::SSL::errstr'
    SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at -e line 1.

The certificate in question is issued by Let’s Encrypt. IO::Socket::SSL is using the pem file from Mozilla::CA by default:

    $ perl -MIO::Socket::SSL -le 'print IO::Socket::SSL::default_ca'
    SSL_ca_file/Library/Perl/5.18/Mozilla/CA/cacert.pem

Firefox 38 recognizes that certificate. So why does IO::Socket::SSL not recognize it when using Mozilla::CA’s database? Where should I be reporting this problem?

Version information:

    $ perl -v|head -2

    This is perl 5, version 18, subversion 2 (v5.18.2) built for darwin-thread-multi-2level
    $ perl -MIO::Socket::SSL -le 'print VERSION IO::Socket::SSL'
    2.047
    $ perl -MMozilla::CA -le 'print VERSION Mozilla::CA'
    20160104
Subject: Re: [rt.cpan.org #120332] Let’s Encrypt certificates fail
Date: Mon, 27 Feb 2017 07:23:22 +0700
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
https://news.ntppool.org/ and https://www.ntppool.org/ are also Let’s Encrypt certs and they validate as far as I can tell. :-/
RT-Send-CC: ask [...] perl.org
On Sun Feb 26 19:23:34 2017, ask@perl.org wrote:
> https://news.ntppool.org/ and https://www.ntppool.org/ are also Let’s
> Encrypt certs and they validate as far as I can tell. :-/
Strange. Did you test easternchristiansupply.biz the same way? I wonder whether it has to do with something else on the machine on which I’m running it.
On Mon Feb 27 23:01:01 2017, SPROUT wrote:
> On Sun Feb 26 19:23:34 2017, ask@perl.org wrote:
> > https://news.ntppool.org/ and https://www.ntppool.org/ are also Let’s
> > Encrypt certs and they validate as far as I can tell. :-/
>
> Strange. Did you test easternchristiansupply.biz the same way? I
> wonder whether it has to do with something else on the machine on
> which I’m running it.
Well it turns out to be a misconfiguration on the server. The problem is now fixed. Sorry for the noise. This ticket can be closed.
Subject: Re: [rt.cpan.org #120332] Let’s Encrypt certificates fail
Date: Mon, 13 Mar 2017 19:45:43 -0700
To: bug-Mozilla-CA [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
Great, thank you for following up! Can you share what was wrong (for future seekers of configuration errors).
On Mon Mar 13 22:46:16 2017, ask@perl.org wrote:
> Great, thank you for following up!
>
> Can you share what was wrong (for future seekers of configuration errors).
Having just SSLCertificateFile and SSLCertificateKeyFile set in the Apache configuration file is insufficient. SSLCACertificateFile needs to be set as well.
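
The failure in this ticket can be reproduced offline. The script below is an added example, not part of the ticket or of Mozilla-CA, and assumes the misconfigured server was sending only its own certificate without the issuing intermediate. It builds a constructed root, intermediate and leaf with the openssl CLI and verifies the leaf against a root-only trust store, with and without the intermediate.

```shell
#!/bin/sh
# Added example (not from the ticket). All names and certificates are constructed.

new_key_csr() {   # $1 = file basename, $2 = common name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> leaf inside directory $1 (runs in a subshell).
make_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root: stands in for a CA present in the client's root bundle.
    new_key_csr root "Example Root" || exit 1
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null || exit 1
    # Intermediate CA, signed by the root; not in the client's root bundle.
    new_key_csr int "Example Intermediate" || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out int.pem 2>/dev/null || exit 1
    # Server (leaf) certificate, signed by the intermediate.
    new_key_csr leaf "leaf.example.test" || exit 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null || exit 1
)

# Client trusts only the root; server presented only its leaf certificate.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store; server presented leaf plus intermediate.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

tmp=$(mktemp -d) || exit 1
make_pki "$tmp" || exit 1
verify_leaf_only "$tmp" && echo "leaf only: verified" || echo "leaf only: verify failed"
verify_with_chain "$tmp" && echo "with intermediate: verified" || echo "with intermediate: verify failed"
rm -rf "$tmp"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.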