Certificate Not Recognized

My domain is: gallery.vote

I ran this command: sudo certbot --preferred-chain "ISRG Root X1"

It produced this output: all good

My web server is (include version):

twistd (the Twisted daemon) 18.9.0

The operating system my web server runs on is (include version):

Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

So here's the issue: the cert works on some browsers / machines and not others.

https://gallery.vote/haiku/0

When I try to reach it with Python through the requests module:

SSLError: HTTPSConnectionPool(host='gallery.vote', port=443): Max retries exceeded with url: /haiku/0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

When I try to connect with openssl:

$ openssl s_client -connect gallery.vote:443
CONNECTED(00000003)
depth=0 CN = gallery.vote
verify error:num=20:unable to get local issuer certificate

I have had this issue for months, and we've updated the cert many times, using different claimed solutions online. Please advise.

Your web server is currently only sending the end leaf certificate without the proper intermediate. You need to configure your web server either using cert.pem and chain.pem or using fullchain.pem. Please consult your web server's documentation on how to do that.

2 Likes

Just adding to what @Osiris said:

First, you can verify your server is sending the right chain using a site like this one:
https://decoder.link/sslchecker/gallery.vote/443

I found these Twisted docs:
https://twistedmatrix.com/documents/21.2.0/api/twisted.internet.ssl.CertificateOptions.html

Their docs in general are not very helpful but you might try using the chain.pem file from Certbot as your extraCertChain value when setting up the server ssl options.

If that does not work getting help directly from Twisted or its community is best.

3 Likes
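The two answers above describe the fix in words (hand Twisted the intermediates as extraCertChain rather than only the leaf). As an added example that is not from this thread or from the Twisted project, here is a stdlib helper that splits Certbot's fullchain.pem into leaf and intermediates, a check that flags a leaf-only file (the misconfiguration that produces "unable to get local issuer certificate"), and a function that builds the CertificateOptions from it; the file paths, the sample PEM bodies and the function names are assumptions.

```python
"""Split Certbot's fullchain.pem into leaf + intermediates, the shape
Twisted's CertificateOptions(extraCertChain=...) expects."""
import re

# Certbot writes fullchain.pem as the leaf first, then the intermediate(s).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(fullchain_pem):
    """Return (leaf_pem, [intermediate_pem, ...]) in file order."""
    certs = PEM_CERT_RE.findall(fullchain_pem)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs[0], certs[1:]


def chain_is_complete(fullchain_pem):
    """True when at least one intermediate follows the leaf. A single block
    means cert.pem was passed instead of fullchain.pem, so clients that do
    not fetch intermediates themselves (python requests, openssl) fail."""
    _, intermediates = split_pem_chain(fullchain_pem)
    return len(intermediates) > 0


def twisted_context_factory(privkey_path, fullchain_path):
    """Build a Twisted CertificateOptions that serves the whole chain.
    Imports are local so the helpers above stay stdlib-only."""
    from OpenSSL import crypto
    from twisted.internet import ssl
    with open(fullchain_path) as f:
        leaf, intermediates = split_pem_chain(f.read())
    if not intermediates:
        raise ValueError("no intermediate in %s; pass fullchain.pem" % fullchain_path)
    with open(privkey_path, "rb") as f:
        key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, leaf.encode())
    chain = [crypto.load_certificate(crypto.FILETYPE_PEM, c.encode())
             for c in intermediates]
    return ssl.CertificateOptions(privateKey=key, certificate=cert,
                                  extraCertChain=chain)


# Constructed sample, not a real bundle: two PEM blocks laid out the way
# Certbot writes fullchain.pem (bodies are placeholders, not certificates).
SAMPLE_FULLCHAIN = """\
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""
```

Run chain_is_complete() on the file you pass to twistd before starting it; a False result explains the openssl output in the first post without touching the server.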

You're right. It works on nginx, but not twistd. I'm passing the fullchain.pem to the server in the command, but it's not sending the whole thing... seems like a bug on their end and the docs aren't very helpful, as you say. Perhaps I'll try a different python server. What a mess.

1 Like

Or maybe I should just put NGINX in front of it as a reverse proxy and put the cert there...

1 Like

Boom reverse proxy worked, thanks team.

2 Likes
