Does packagist.org support ssl from Let's Encrypt? #11869

landall · 2024-03-01T18:10:34Z

landall
Mar 1, 2024

I test a svn repository with this free ssl but failed.

Uncaught Exception: [RuntimeException] Repository https://svn.lolitaup.com:9443/svnroot/qqbot could not be processed, svn: E170013: Unable to connect to a repository at URL 'https://svn.lolitaup.com:9443/svnroot/qqbot/trunk' svn: E230001: Server SSL certificate verification failed: issuer is not trusted.

Seldaek · 2024-03-04T14:17:53Z

Seldaek
Mar 4, 2024
Maintainer

I think it's a server misconfiguration, look here for example the different between repo.packagist.org (which also uses lets encrypt):

$ openssl s_client -connect repo.packagist.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = packagist.org
verify return:1
---
Certificate chain
 0 s:CN = packagist.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 21 07:46:12 2024 GMT; NotAfter: May 21 07:46:11 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
[...]
SSL handshake has read 3197 bytes and written 400 bytes
Verification: OK

And your server:

$ openssl s_client -connect svn.lolitaup.com:9443
CONNECTED(00000003)
depth=0 CN = *.lolitaup.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.lolitaup.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.lolitaup.com
verify return:1
---
Certificate chain
 0 s:CN = *.lolitaup.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  1 16:29:23 2024 GMT; NotAfter: May 30 16:29:22 2024 GMT
[...]
SSL handshake has read 1578 bytes and written 444 bytes
Verification error: unable to verify the first certificate

As you can see packagist sends back the packagist.org certificate as well as the intermediate R3 cert, and yours only sends your cert without intermediate, so the chain is incomplete even though ISRG Root X1 is trusted (that one does not need to be sent back).

In browsers it seems to work because I guess they have the intermediate R3 cert in their CA.

Using the acme.sh client you have to take the fullchain output and not just the cert. I hope this helps.

0 replies

landall · 2024-03-04T16:30:48Z

landall
Mar 4, 2024
Author

thank you. It is my mistake.
I add wrong options to httpd config.

    SSLCertificateFile /etc/letsencrypt/live/lolitaup.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/lolitaup.com/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lolitaup.com/privkey.pem

This is the right config.
But I write with the same format as nginx.

    SSLCertificateFile /etc/letsencrypt/live/lolitaup.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lolitaup.com/privkey.pem

ref: https://serverfault.com/questions/1075514/how-to-fix-certificate-chain-with-letsencrypt-certbot

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Does packagist.org support ssl from Let's Encrypt? #11869

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Does packagist.org support ssl from Let's Encrypt? #11869

Uh oh!

landall Mar 1, 2024

Replies: 2 comments

Uh oh!

Seldaek Mar 4, 2024 Maintainer

Uh oh!

Uh oh!

landall Mar 4, 2024 Author

landall
Mar 1, 2024

Seldaek
Mar 4, 2024
Maintainer

landall
Mar 4, 2024
Author