Hi all,
I searched a lot but did not figure out the reason. I had an https web server running on my local Mac mini with no noticeable issue months ago, using certbot. But now the same https site is blocked by Chrome (not secure) and Firefox warns about 'weak encryption'. (check demo: https://wklytics.com)
The web server is Python Twisted, with the hostname purchased from no-ip.com (who told me the issue is not on their side..). I checked and searched the Twisted Python script; it is using the default OpenSSL (not sure whether this is the issue or not). Hope some experts could help.
------- standard questions -------------------------
My domain is: https://wklytics.com
I ran this command:
certbot: started a year ago with no issue,
'certbot certonly --webroot -w xxpath -d wklytics.com'
'certbot renew': shows the current cert is still good
It produced this output:
It showed 'weak encryption connection is not secure' in Firefox and blocked in Chrome (i.e. https://wklytics.com). Strangely, this issue was not there when it was started.
My web server is (include version):
python 2.7.14, twisted 19:10.0
The operating system my web server runs on is (include version):
mac-mini: macOS 10.10.5
My hosting provider, if applicable, is:
Hosting on my local mac (I purchase domain name from no-ip.com)
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
bash (python script to run web server)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.26.1
Your certificate has only the non-www version, so your www version isn't secure and has the wrong certificate. Create one certificate with both domain names
your chain is incomplete - use fullchain.pem instead of cert.pem
your non-www uses Tls.1.0, that's your browser warning
Your certificate has only the non-www version, so your www version isn't secure and has the wrong certificate. Create one certificate with both domain names
How do I do this with certbot? I thought 'certbot certonly --webroot -w xxpath -d http:wklytics.com' would take care of *.wklytics.com as a wildcard? Also, if I want to keep 'http://www.wklytics.com' and only want to run https on 'https://wklytics.com', is this fine with the current setup? Or do I need to change?
your chain is incomplete - use fullchain.pem instead of cert.pem
Any reference on how to do this? I am ignorant on this.
your non-www uses Tls.1.0, that's your browser warning
RSAKeyExchange and SHA1 may be a result
Tls.1.2 is missing, that's bad
How should I change it? Is this related to having both 'http' and 'https' running? But they are using different ports...
If you are the only user and if you use the non-www, you can ignore that problem. If there are other users, you don't know if they use the www version. So you should fix that.
Other problems - check the documentation of your system how to change that.
Hi
[quote="danb35, post:4, topic:134472, full:true"]
Why would you expect certbot to add a hostname to your cert that you didn't tell it to add?
You are right. I misunderstood what I did before.
The protocol isn't part of the domain name, so it would be -d wklytics.com, not -d http:wklytics.com
Typo, my fault: this part has no issue, as I did as you did.
You can't get a wildcard cert with HTTP validation (which is the only kind available with the webroot method)
Surely this, as well as the rest of your questions, would be addressed in the documentation for the web server?
[/quote]
I am the only user for those two. The www came too early for other things. It will involve too much testing before changing to https. The idea is to migrate this later, after I have one https working.
JuergenAuer, besides the change of the Python web setup, how can the other issues be fixed?
How to use fullchain.pem?
How should I change TLS 1.0 to TLS 1.2? Is this because of my Twisted server or other issues?
Thanks
Twisted is a bit overwhelming for experienced developers and serves a niche segment of the Python community. I've been using it for many years, though not for web services in quite some time, but I think I can safely say you're not going to find the help you need here regarding configuring your application/twistd with the right certs. You should be able to find the help you need on Twisted's mailing list though. The problems you're having right now are most likely because recent browser updates are not okay with your SSL implementation in Twisted.
A potential alternative is to run a web server like Nginx in front of Twisted, and have that server configured with the SSL certificates and terminate SSL there. In that scenario, Twisted handles everything as HTTP traffic and you don't have to worry about the SSL configuration there. That option may not be compatible with your application design though. As someone who has written web services in Twisted, I think this is a much better option if it is available to you.
By the way, how do you get those status data about the website? Is that from some public site?
As for the check on my website, it is strange that it is related to Amazon. Might want to check it again.
Thanks,
Great tool for checking website.
For the fullchain pem, is this the major cause of the warning? Or is this an optional fix?
I will also try to play around with TLS 1.2 in Python + Twisted and see.
Thanks,
pyOpenSSL supports both a use_certificate_file and use_certificate_chain_file. I assume the latter is more applicable. I'm not sure what Twisted devs recommend; I wouldn't be surprised if they subclass and override.
In any event, here's a link to some nginx docs on the proxypass.
Thanks for suggestion. Just need to write a new class.
use fullchain
    from OpenSSL import SSL
    from twisted.internet import ssl

    class ChainedOpenSSLContextFactory(ssl.DefaultOpenSSLContextFactory):
        def __init__(self, privateKeyFileName, certificateChainFileName,
                     sslmethod=SSL.SSLv23_METHOD):
            """
            @param privateKeyFileName: Name of a file containing a private key
            @param certificateChainFileName: Name of a file containing a certificate chain (fullchain.pem)
            @param sslmethod: The SSL method to use (best flexibility is SSLv23_METHOD)
            """
            self.privateKeyFileName = privateKeyFileName
            self.certificateChainFileName = certificateChainFileName
            self.sslmethod = sslmethod
            self.cacheContext()

        def cacheContext(self):
            # Overridden: the parent class loads a single cert with use_certificate_file(),
            # so it would never send the intermediate. The chain file needs use_certificate_chain_file().
            if self._context is None:
                ctx = SSL.Context(self.sslmethod)
                ctx.set_options(SSL.OP_NO_SSLv2)
                ctx.use_certificate_chain_file(self.certificateChainFileName)
                ctx.use_privatekey_file(self.privateKeyFileName)
                self._context = ctx
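As an added example (not code from this thread, from Twisted or from certbot), the two problems JuergenAuer diagnosed above, an incomplete chain from serving cert.pem instead of fullchain.pem and a server that still negotiates TLS 1.0, can both be checked offline with the Python 3 standard library. The script below uses stdlib ssl rather than pyOpenSSL so it runs without Twisted installed; the PEM samples are constructed placeholders, not real certificates, and the function names are mine. The pyOpenSSL equivalent of the version floor, for the cacheContext() override above, is ctx.set_options(SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1).

```python
"""Added example: offline checks for an incomplete chain (cert.pem served
instead of fullchain.pem) and for a server context that still allows TLS 1.0.
Standard library only; Twisted/pyOpenSSL equivalents are noted in comments.
"""
import re
import ssl

# Matches every PEM CERTIFICATE block in a file's text.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample inputs (not real certificates): the bodies are
# placeholders, only the PEM markers matter for the chain check.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n")
SAMPLE_FULLCHAIN_PEM = SAMPLE_CERT_PEM + (
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER\n"
    "-----END CERTIFICATE-----\n")


def count_pem_certificates(pem_text):
    """Number of CERTIFICATE blocks in the PEM text."""
    return len(_PEM_CERT.findall(pem_text))


def chain_status(pem_text):
    """'leaf-only' is what cert.pem looks like: the browser must find the
    intermediate by itself, which is the incomplete-chain warning above.
    'chain' is what fullchain.pem looks like (leaf plus intermediate)."""
    n = count_pem_certificates(pem_text)
    if n == 0:
        return "empty"
    if n == 1:
        return "leaf-only"
    return "chain"


def make_server_context(certfile=None, keyfile=None):
    """Server-side context that refuses SSLv3, TLS 1.0 and TLS 1.1.
    Twisted/pyOpenSSL equivalent inside cacheContext():
    ctx.set_options(SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        # Load fullchain.pem here so clients receive the intermediate too.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def accepts_tls_version(ctx, version_name):
    """True if the context would negotiate the named version, e.g. 'TLSv1'
    or 'TLSv1_2'. The sentinel bounds are mapped to concrete versions."""
    version = ssl.TLSVersion[version_name]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo <= version <= hi


if __name__ == "__main__":
    for name, pem in (("cert.pem", SAMPLE_CERT_PEM),
                      ("fullchain.pem", SAMPLE_FULLCHAIN_PEM)):
        print(name, "->", chain_status(pem))
    ctx = make_server_context()
    for v in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        print(v, "accepted:", accepts_tls_version(ctx, v))
```

Run chain_status() on the text of the file your server actually loads: a result of 'leaf-only' means the intermediate is missing and fullchain.pem should be used instead. The context check is the stdlib view of the same setting the Twisted factory needs; with the version floor at TLS 1.2 the 'weak encryption' warning from the browsers goes away, assuming the rest of the cipher configuration is left at OpenSSL's defaults.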