Certificate not trusted on mobile device even using fullchain [web.py]


#1

Hi,

I’m trying to setup a ssl cert on a server runned by web.py
Everything works fine except on Safari in iOS9, in which the cert is not trusted.

I’m using that config as suggested here

CherryPyWSGIServer.ssl_certificate = "/etc/letsencrypt/live/my_domain/cert.pem"
CherryPyWSGIServer.ssl_private_key = "/etc/letsencrypt/live/my_domain/privkey.pem"
CherryPyWSGIServer.ssl_certificate_chain = "/etc/letsencrypt/live/my_domain/fullchain.pem"

I tried multiple combination, like replacing ssl_certificate with chain/fullchain.pem …etc

In every case, browsing the website from my mac results in a fully trusted certificate, but Safari throws an error.

SSLShopper tells me that

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain 
certificate to link it to a trusted root certificate. Learn more about this error. 
The fastest way to fix this problem is to contact your SSL provider."

Using the fullchain, I should be using intermediate cert, right ?

Any suggestion please ?


#2

Strictly speaking you should use ór cert.pem+chain.pem ór fullchain.pem.

You can test your server with SSLLabs, it should notify you of chain issues.


#3

Thanks for your answer.

I got a message telling This server's certificate chain is incomplete. Grade capped to B.

I tried to change my configuration as you suggested, using only fullchain, with same result:

CherryPyWSGIServer.ssl_certificate = "/etc/letsencrypt/live/my_domain/fullchain.pem"
CherryPyWSGIServer.ssl_private_key = "/etc/letsencrypt/live/my_domain/privkey.pem"

Alternatively, I tried

CherryPyWSGIServer.ssl_certificate = "/etc/letsencrypt/live/my_domain/cert.pem"
CherryPyWSGIServer.ssl_private_key = "/etc/letsencrypt/live/my_domain/privkey.pem"
CherryPyWSGIServer.ssl_certificate_chain = "/etc/letsencrypt/live/my_domain/chain.pem"

And it doesn’t work neither… Any idea ?


#4

If you want to give me the server’s address, I will try to see what’s going on…


#5

Thanks, I MP’d you the hostname


#6

OK, I identified the final cause of the problem. Pull Request https://github.com/webpy/webpy/pull/319 is NOT yet added to the master branch, so when you download the code you download it without the appropriate patch, which allows SSL Cert chains. So, you may possibly download the code, apply the patch manually and then, compile and deploy to the web server.


#7

Thanks again @Jason for helping me finding the issue.

For anyone having the same problem, apply the patch manually or use that fork:

git clone https://github.com/Tibabal/webpy.git
ln -s pwd/webpy/web .