Pyopenssl, twisted: server's certificate chain is incomplete


#1

My website is: mindolia.com

I want to use let’s encrypt on my twisted server (Ubuntu 14.04 on AWS EC2), but on the latest Chrome for Android, I receive:

the identity of this website has not been verified

Similar message on the latest Firefox for Ubuntu.

My SSL Report from ssllabs.com:

This server’s certificate chain is incomplete. Grade capped to B.

and notably:

2 Extra download Let’s Encrypt Authority X3

My relevant code:

from OpenSSL import crypto

from twisted.internet import ssl

privkey=open('/etc/letsencrypt/live/mindolia.com/privkey.pem', 'rt').read() certif=open('/etc/letsencrypt/live/mindolia.com/fullchain.pem', 'rt').read()

privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)

contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl)


#2

https://twistedmatrix.com/documents/14.0.0/api/twisted.internet.ssl.CertificateOptions.html :

extraCertChain List of certificates that complete your verification chain if the certificate authority that signed your certificate isn’t widely supported. Do not add certificate to it. (type: list of OpenSSL.crypto.X509)

Apparently, the certificate option can only load the end leaf certificate (cert.pem). You should add the chain (chain.pem) manually.

So this should work, I think:

from OpenSSL import crypto

from twisted.internet import ssl

privkey=open('/etc/letsencrypt/live/mindolia.com/privkey.pem', 'rt').read()
certif=open('/etc/letsencrypt/live/mindolia.com/cert.pem', 'rt').read()
chain=open('/etc/letsencrypt/live/mindolia.com/chain.pem', 'rt').read()

privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)
chainpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,chain)
contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl,extraCertChain=chainpyssl)

Good luck!


#3

It does not work:

TypeError: 'X509' object is not iterable

crypto.load_certificate returns a ‘X509’ object, but extraCertChain needs a LIST of OpenSSL.crypto.X509.

I need to unfold this chain.pem into a list of X509. But I do not know how yet.


#4

Does adding square brackets (the Python way of making lists I think) help?:

chainpyssl=[crypto.load_certificate(crypto.FILETYPE_PEM,chain)]

#5

It works, thanks a lot!!!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.