How do I map the pem files to python's SSLSocket parameters


#1

I'm trying to use Let’s Encrypt certs with internal test code written in Python. I’ve got the certs (using the standard script on my web server); now I need to set up my Python code. I’ve been using self-signed certs, which work OK but are not trusted by the browser, of course. I’m not sure how the four pem files map to the various named args of the ssl.wrap_socket() function or SSLSocket constructor. Here’s my old code:

server = BaseHTTPServer.HTTPServer(('127.0.0.1', 9999), Handler)
server.socket = ssl.wrap_socket(server.socket, certfile='./server.pem', server_side=True)
server.serve_forever()

The ssl.wrap_socket() has these named args:

certfile
keyfile
ca_certs

Which of these files map to the above arguments?

cert.pem
chain.pem
fullchain.pem
privkey.pem

The python library docs were not much help.

Thanks
-Mike


#2

From my reading of those Python docs:

certfile = fullchain.pem
keyfile = privkey.pem

But don’t mind me, I’m just a Perl programmer. :smile:


#3

As kjb wrote,

Just in case it helps to expand a little more, I will now ramble. Firstly, the four files certbot / letsencrypt makes are

  1. privkey.pem is your private key. This must be kept entirely private. Unlike secrets, private keys aren’t something one other person knows; nobody except you should know them. The certbot software creates one for you and doesn’t tell Let’s Encrypt what was picked.
  2. cert.pem is just your certificate, signed by Let’s Encrypt, saying they checked and you really control the name on the certificate and you have a private key (which they don’t know) that corresponds to a public key (which everybody now knows) in the certificate. Certificates are public documents. In fact Let’s Encrypt automatically publishes every certificate it issues to a system called Certificate Transparency.
  3. chain.pem is one or more Intermediate certificates which follow a “chain” back, with B signing A, then C signing B and so on until it reaches a Trusted Certificate Authority.
  4. fullchain.pem is a combination of cert.pem with chain.pem to produce a list of all certificates needed by a third party.

The Python code allows a chain of certificates in a single file, so cert.pem and chain.pem aren’t important: you can just put fullchain.pem and it’ll figure it out. And although it allows you to bundle the private key together with the certificate in a single file, Let’s Encrypt doesn’t do that, because end users get confused and think they’ve just got a “certificate” and don’t realise the vital private key is in the same file. If they send this private key to someone without realising its importance, the security of their system is compromised badly.


#4

I’ve recently set up a Python HTTPS webserver. I used

httpd.socket = ssl.wrap_socket(httpd.socket, certfile='path/to/fullchain.pem', keyfile='path/to/privkey.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1_2)

You don’t need to set the SSL version, but I did because if I didn’t the socket would potentially use SSL3, which is bad.
I only knew to use the different ssl version after testing my server here.
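The file mapping from posts #3 and #4, written as an added example (not code from any poster) using the ssl.SSLContext API that replaced ssl.wrap_socket() in Python 3: fullchain.pem goes to certfile, privkey.pem to keyfile, and the minimum TLS version is pinned instead of passing ssl_version. The PEM blocks below are constructed placeholders, not real certificates.

```python
import re
import ssl
from http.server import HTTPServer, SimpleHTTPRequestHandler

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
MIN_TLS = ssl.TLSVersion.TLSv1_2

def split_pem_bundle(text):
    """Return the individual CERTIFICATE blocks of a PEM bundle, in file order."""
    return PEM_CERT.findall(text)

def is_fullchain(cert_pem, chain_pem, fullchain_pem):
    """True if fullchain.pem is exactly cert.pem followed by the blocks of chain.pem."""
    return (split_pem_bundle(fullchain_pem)
            == split_pem_bundle(cert_pem) + split_pem_bundle(chain_pem))

def base_server_context():
    """Server-side context that refuses SSLv3 / TLS 1.0 / TLS 1.1 (the concern in post #4)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    return ctx

def make_server_context(fullchain_path, privkey_path):
    """Map certbot's files: fullchain.pem -> certfile, privkey.pem -> keyfile.
    chain.pem is already inside fullchain.pem; serving cert.pem alone leaves clients
    without the intermediate, so their chain validation fails. ca_certs (now
    load_verify_locations) is only needed if this server must verify *client* certs."""
    ctx = base_server_context()
    ctx.load_cert_chain(certfile=fullchain_path, keyfile=privkey_path)
    return ctx

def serve_https(fullchain_path, privkey_path, host="127.0.0.1", port=9999):
    """Python 3 equivalent of the wrap_socket() snippet in the question."""
    httpd = HTTPServer((host, port), SimpleHTTPRequestHandler)
    ctx = make_server_context(fullchain_path, privkey_path)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()

# Constructed placeholder PEM blocks (not real certificates) showing how the files relate.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM

if __name__ == "__main__":
    print(len(split_pem_bundle(FULLCHAIN_PEM)), is_fullchain(CERT_PEM, CHAIN_PEM, FULLCHAIN_PEM))
```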
