Pyopenssl, twisted: server's certificate chain is incomplete

mostafachatillon · August 4, 2016, 12:18pm

I want to use let’s encrypt on my twisted server (Ubuntu 14.04 on AWS EC2), but on the latest Chrome for Android, I receive:

the identity of this website has not been verified

Similar message on the latest Firefox for Ubuntu.

My SSL Report from ssllabs.com:

This server’s certificate chain is incomplete. Grade capped to B.

and notably:

2 Extra download Let’s Encrypt Authority X3

My relevant code:

from OpenSSL import crypto

from twisted.internet import ssl

privkey=open('/etc/letsencrypt/live/mindolia.com/privkey.pem', 'rt').read() certif=open('/etc/letsencrypt/live/mindolia.com/fullchain.pem', 'rt').read()

privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)

contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl)

Osiris · August 4, 2016, 12:59pm

twisted.internet.ssl.CertificateOptions : API documentation :

extraCertChain List of certificates that complete your verification chain if the certificate authority that signed your certificate isn't widely supported. Do not add certificate to it. (type: list of OpenSSL.crypto.X509)

Apparently, the certificate option can only load the end leaf certificate (cert.pem). You should add the chain (chain.pem) manually.

So this should work, I think:

from OpenSSL import crypto

from twisted.internet import ssl

privkey=open('/etc/letsencrypt/live/mindolia.com/privkey.pem', 'rt').read()
certif=open('/etc/letsencrypt/live/mindolia.com/cert.pem', 'rt').read()
chain=open('/etc/letsencrypt/live/mindolia.com/chain.pem', 'rt').read()

privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)
chainpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,chain)
contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl,extraCertChain=chainpyssl)

Good luck!

mostafachatillon · August 4, 2016, 1:19pm

It does not work:

TypeError: 'X509' object is not iterable

crypto.load_certificate returns a ‘X509’ object, but extraCertChain needs a LIST of OpenSSL.crypto.X509.

I need to unfold this chain.pem into a list of X509. But I do not know how yet.

Osiris · August 4, 2016, 1:38pm

Does adding square brackets (the Python way of making lists I think) help?:

chainpyssl=[crypto.load_certificate(crypto.FILETYPE_PEM,chain)]

mostafachatillon · August 4, 2016, 1:46pm

It works, thanks a lot!!!

system · September 3, 2016, 1:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL: CERTIFICATE_VERIFY_FAILED with Lets encrypt Server	5	11941	May 12, 2017
Https://helloworld.letsencrypt.org/ - Your connection is not private	7	3299	May 4, 2021
Will/does the letsencrypt client create a cert chain usable with OCSP stapling? Server	18	25572	January 14, 2016
I'm not able to start nginx without the let's encrypt certs, and I'm not able to get the let's encrypts certs, without starting nginx server Help	6	4101	June 21, 2021
Intermediate certificate for Let's Encrypt Help	12	6055	December 9, 2016

Pyopenssl, twisted: server's certificate chain is incomplete

Related topics