Closed. Prototik closed this issue 7 years ago.
I'm now seeing this also with old versions of libtls. The explanation is that old versions of libtls would lazy-load the default certificate after the chroot() (or pledge). Newer versions do this properly. I'll add some more compatibility bits in the next few checkins.
I see that @Prototik uses my package from the Arch Linux AUR. It uses libressl version 2.4.3, and with acme-client 0.1.11 it worked perfectly. Now I tried to compile with libressl 2.5.0, and it seems that the error no longer exists.
By the way, the problem is not only with IPv6.
Yes, it's a libtls problem. I'm adding some compatibility glue right now. The issue is that the new version of acme-client is doing strong validation, which requires the root ca to be loaded. Only recently did libtls fix the lazy-loading problem, so I'm working around it in http.c.
Can you please check the current version of the GitHub source for whether this is fixed? On older versions of libtls, I now load the certificate directly into memory instead of relying on the broken ca_file function. Note: I use the CA file in /etc/ssl/cert.pem by default. On my Mac, it's in /usr/local/etc/libressl/cert.pem. This works on my Alpine linux, old OpenBSD, Mac, and FreeBSD systems.
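The workaround described in the comment above, read the CA bundle into memory before chroot()/pledge() instead of letting the TLS library open the path lazily at connect time, as an added example that is not acme-client's own http.c code. It is self-contained: the PEM bundle is a constructed placeholder (not real certificates), and unlink() stands in for chroot() so the demo runs unprivileged. With libtls the equivalent calls are tls_load_file() to read the bundle and tls_config_set_ca_mem() on the result, in place of tls_config_set_ca_file(); the helper names below (load_ca_mem, enter_sandbox, verify_lazy, demo_preload_vs_lazy) are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for /etc/ssl/cert.pem: two PEM blocks with
 * placeholder bodies. These are not real certificates. */
static const char kFakeBundle[] =
    "-----BEGIN CERTIFICATE-----\n"
    "AAAA\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "BBBB\n"
    "-----END CERTIFICATE-----\n";

/* Read a whole file into a NUL-terminated heap buffer, the way
 * tls_load_file() does. Returns NULL with errno set on failure. */
char *load_ca_mem(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    char *buf = malloc((size_t)sz + 1);
    if (buf == NULL) { fclose(f); return NULL; }
    if (fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf);
        fclose(f);
        return NULL;
    }
    fclose(f);
    buf[sz] = '\0';
    *len = (size_t)sz;
    return buf;
}

/* Count PEM certificate blocks: a cheap sanity check that the buffer
 * we are about to trust as a CA bundle is not empty or garbage. */
int count_pem_certs(const char *buf, size_t len)
{
    static const char marker[] = "-----BEGIN CERTIFICATE-----";
    const size_t mlen = sizeof marker - 1;
    int count = 0;
    for (size_t i = 0; i + mlen <= len; i++) {
        if (memcmp(buf + i, marker, mlen) == 0) {
            count++;
            i += mlen - 1;
        }
    }
    return count;
}

/* Stand-in for chroot()/pledge(): after this the CA path is no longer
 * reachable from the process. unlink() is used so no root is needed. */
int enter_sandbox(const char *ca_path)
{
    return unlink(ca_path);
}

/* Lazy strategy (old libtls behaviour): open the CA file at connect
 * time, i.e. after the sandbox is in place. Returns -1 on failure. */
int verify_lazy(const char *ca_path)
{
    size_t n = 0;
    char *b = load_ca_mem(ca_path, &n);
    if (b == NULL)
        return -1;
    int c = count_pem_certs(b, n);
    free(b);
    return c;
}

/* Runs both strategies in the correct order and returns 1 when the
 * preloaded bundle still verifies while the lazy open fails with ENOENT. */
int demo_preload_vs_lazy(void)
{
    char path[] = "/tmp/cert.pem.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    const size_t blen = sizeof kFakeBundle - 1;
    if (write(fd, kFakeBundle, blen) != (ssize_t)blen) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    /* Step 1: load the CA bundle while the path is still reachable. */
    size_t len = 0;
    char *ca = load_ca_mem(path, &len);
    if (ca == NULL) { unlink(path); return -1; }

    /* Step 2: drop into the sandbox; the path is gone from here on. */
    if (enter_sandbox(path) != 0) { free(ca); return -1; }

    /* Step 3: connect-time verification, eager (memory) vs lazy (path). */
    int eager = count_pem_certs(ca, len);
    int lazy = verify_lazy(path);
    int lazy_errno = errno;
    free(ca);
    return (eager == 2 && lazy == -1 && lazy_errno == ENOENT) ? 1 : 0;
}

int main(void)
{
    int ok = demo_preload_vs_lazy();
    printf("preloaded bundle usable after sandbox, lazy open fails: %s\n",
           ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

The check worth keeping from this is the ordering: everything the verifier will need (CA bundle, and on a real client also the client key) must be resolved into memory before the privilege drop, and the post-drop code must never touch a filesystem path for it.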
Yes, now all is well with libressl 2.4.3
Thank you for the best acme client.
Fixed in 0.1.14, which has these changes. Thank you for checking and reporting!
@repsac-by, probably you need to use an aur/libressl package instead of building your own version.
But anyway thanks everyone for the help, works nicely.
Sorry for the off-topic.
@Prototik, libressl from the AUR is marked EXPERIMENTAL ONLY and completely replaces the system openssl, so that is no solution at all. I simply didn't want to rush the move to libressl 2.5.0; at least, I didn't expect it to have new functions that would be needed here so soon.
@repsac-by, hmm, then maybe it's worth creating a libressl package that doesn't replace the system openssl. In any case, thanks for the package.
Trying to get cert on ipv6-connected machine:
Although ipv6 works like a charm: