Pyopenssl, twisted: server's certificate chain is incomplete

Osiris · August 4, 2016, 12:59pm

twisted.internet.ssl.CertificateOptions : API documentation :

extraCertChain List of certificates that complete your verification chain if the certificate authority that signed your certificate isn't widely supported. Do not add certificate to it. (type: list of OpenSSL.crypto.X509)

Apparently, the certificate option can only load the end leaf certificate (cert.pem). You should add the chain (chain.pem) manually.

So this should work, I think:

from OpenSSL import crypto

from twisted.internet import ssl

privkey=open('/etc/letsencrypt/live/mindolia.com/privkey.pem', 'rt').read()
certif=open('/etc/letsencrypt/live/mindolia.com/cert.pem', 'rt').read()
chain=open('/etc/letsencrypt/live/mindolia.com/chain.pem', 'rt').read()

privkeypyssl=crypto.load_privatekey(crypto.FILETYPE_PEM,privkey)
certifpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,certif)
chainpyssl=crypto.load_certificate(crypto.FILETYPE_PEM,chain)
contextFactory=ssl.CertificateOptions(privateKey=privkeypyssl,certificate=certifpyssl,extraCertChain=chainpyssl)

Good luck!

Topic		Replies	Views
SSL: CERTIFICATE_VERIFY_FAILED with Lets encrypt Server	5	11958	May 12, 2017
Https://helloworld.letsencrypt.org/ - Your connection is not private	7	3300	May 4, 2021
Will/does the letsencrypt client create a cert chain usable with OCSP stapling? Server	18	25578	January 14, 2016
I'm not able to start nginx without the let's encrypt certs, and I'm not able to get the let's encrypts certs, without starting nginx server Help	6	4114	June 21, 2021
Intermediate certificate for Let's Encrypt Help	12	6077	December 9, 2016

Pyopenssl, twisted: server's certificate chain is incomplete

Related topics