Where can I download the trusted root CA certificates for Let's Encrypt

@ahaw021

Ok, now I got it:

openssl s_client -connect helloworld.letsencrypt.org:443 -showcerts    | grep "BEGIN CERTIFICATE"
# -----BEGIN CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# -----BEGIN CERTIFICATE-----  

openssl s_client -connect my.example.com:443 -showcerts    | grep "BEGIN CERTIFICATE"
# -----BEGIN CERTIFICATE-----

So it was actually true that my application wasn’t serving all the certificates needed. I was somehow confused by the name /etc/letsencrypt/live/scatologies.com/fullchain.pem: I was thinking it would contain all the certificates needed for verifying the host, but that’s not true.

For ruby developers, it is basically:

    require 'socket'
    require 'openssl'

    # listening_port: the TCP port the application listens on
    server = TCPServer.new nil, listening_port
    sslContext = OpenSSL::SSL::SSLContext.new
    # the host certificate (Certificate.new reads the first PEM block of the file);
    # File.read closes the file again, and a missing file now fails here instead of leaving cert nil
    sslContext.cert = OpenSSL::X509::Certificate.new File.read("/etc/letsencrypt/live/my.example.com/fullchain.pem")
    sslContext.key = OpenSSL::PKey::RSA.new File.read("/etc/letsencrypt/live/my.example.com/privkey.pem")
    # certificates sent to the client in addition to the host certificate
    sslContext.extra_chain_cert = ["/etc/letsencrypt/live/my.example.com/chain.pem"].map { |extra_cert_pem_file| OpenSSL::X509::Certificate.new File.read(extra_cert_pem_file) }
    # note: I didn't test this code after I made some substitutions
    sslServer = OpenSSL::SSL::SSLServer.new(server, sslContext)
    loop do
      connection = sslServer.accept
      Thread.new {
        # here you can connection.gets to receive data already plain until it returns nil, connection.puts string to send string using https
      }
    end

After setting the missing sslContext.extra_chain_cert, I could ensure that both certificates were served:

openssl s_client -connect my.example.com:443 -showcerts    | grep "BEGIN CERTIFICATE"
# -----BEGIN CERTIFICATE-----
# -----BEGIN CERTIFICATE-----  

And wget downloads the data without complaining:

wget https://my.example.com/   --output-document=-  --ca-certificate=letsencryptauthorityx3.pem
# Welcome to my application

I still don’t know how to set/force SNI with Ruby, or if it is even supported by http://ruby-doc.org/stdlib-2.1.2/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html.

Andrei: Many thanks for the quick and involved answers!

Ribamar
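
The check from the post above, as an added example that is not part of the original post: a server context built from a PEM bundle (leaf first, then intermediates), tested against a client that trusts only the root. It goes slightly beyond the post by splitting the bundle itself, since `OpenSSL::X509::Certificate.new` parses only the first PEM block. The names `server_context`, `issue` and `handshake` and the throwaway root, intermediate and leaf are constructed for this example.

```ruby
require 'openssl'
require 'socket'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Split the bundle: the first certificate is the leaf, the rest are the
# intermediates that must be sent along with it (extra_chain_cert).
def server_context(bundle_pem, key, send_chain: true)
  leaf, *rest = bundle_pem.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  raise ArgumentError, 'key does not match first certificate' unless leaf&.check_private_key(key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = leaf
  ctx.key = key
  ctx.extra_chain_cert = rest if send_chain
  ctx
end

# Constructed test PKI (not Let's Encrypt material): issue one certificate.
def issue(cn, key, issuer = nil, issuer_key = key, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Handshake as a client that trusts only `root`. Returns how many
# certificates the server sent, or nil when verification fails.
def handshake(ctx, root)
  tcp = TCPServer.new('127.0.0.1', 0)
  acceptor = Thread.new { OpenSSL::SSL::SSLServer.new(tcp, ctx).accept.close rescue nil }
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store = OpenSSL::X509::Store.new.add_cert(root)
  client = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), cctx)
  client.sync_close = true
  client.connect.peer_cert_chain.size
rescue OpenSSL::SSL::SSLError
  nil
ensure
  client&.close
  acceptor&.join
  tcp&.close
end
```

With a bundle of leaf plus intermediate, `handshake` returns 2 when the chain is sent and nil when `send_chain: false` leaves the client unable to reach the root it trusts.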