I'm pretty happy with the solution I found for my SSL problems against letsencrypt the other day, so I wrote a quick post about it: https://ttimo.typepad.com/blog/2025/01/certificate-verification-of-sites-backed-by-letsencrypt-certificates-in-python.html #python #letsencrypt
=> More information about this toot | More toots from TTimo@mastodon.social
@TTimo "but they are smart enough to download it on the fly to verify the chain." Yes, that can happen, if there is the AIA extension in the certificate (see http://pkiglobe.org/auth_info_access.html), but also, normally, most of the time they don't even need to, because the server is expected to send not only its certificate but also the chain needed to go from it to one of the trusted roots (with some uncertainties here between root CAs known by client=browser and those known by server=website).
=> More information about this toot | More toots from pmevzek@framapiaf.org
@TTimo BTW your certificate has the AIA extension.
=> More information about this toot | More toots from pmevzek@framapiaf.org
@pmevzek yeah that's how it works for browsers I suppose. Could google fix this if they wanted to?
The app engine interface only lets you upload one certificate, so you have to give it your site's. They'd have to walk the chain on the backend and have their server feed everything correctly.
(or python growing support for AIA - which it may already have I suppose if you pick the right SSL backend)
=> More information about this toot | More toots from TTimo@mastodon.social
@TTimo I guess you upload a PEM file, right? Did you try to concatenate the intermediate certificate and your certificate in the same file and upload that? This is totally legit and the usual way to do things. All servers send the chain normally; one not doing that is especially out of line.
=> More information about this toot | More toots from pmevzek@framapiaf.org
@pmevzek good idea!
I went back and checked, and the appengine interface has two boxes, in the first one you upload the full chain X.509, which does contain the R10, and in the other one it only accepts a single private key in RSA format.
So I'm already supplying the complete info, and there is no other way for me to package things up.
tl;dr looks like it's a problem that only google could fix.
=> More information about this toot | More toots from TTimo@mastodon.social
@TTimo I have no experience with Google AppEngine, so no idea why things are like that for now, and hence sorry not to be able to help you for real further, but I am both surprised and obviously sad if things do not work as they should out of the box on that platform, as servers sending the chain of certificates is neither rocket science nor anything new; everyone has done that since... forever. So it is very strange.
=> More information about this toot | More toots from pmevzek@framapiaf.org
@TTimo A command-line tool will have the exact same problem: curl -v https://core-drones.corecomplex.cc/testSSL shows "curl: (60) SSL certificate problem: unable to get local issuer certificate". All because your server returns only its own certificate (subject=CN=core-drones.corecomplex.cc) and not any part of the chain. If you reconfigure it to also send the chain (aka R10), then all (modern) clients will be fine, including Python. See https://letsencrypt.org/certificates/
=> More information about this toot | More toots from pmevzek@framapiaf.org
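The two points made in this thread, that a server should present leaf plus intermediate in one PEM file and that a client holding only the root then fails with "unable to get local issuer certificate" when the intermediate is missing, can be reproduced offline. The script below is an added example, not code from this thread, from the linked blog post, or from Google AppEngine. It assumes the `openssl` command-line tool (1.1.1 or newer) is on PATH and uses it only to mint a throwaway root -> intermediate -> leaf PKI in a temporary directory; the TLS handshake itself runs in memory with Python's `ssl.MemoryBIO`, so no network is involved. All names in it (`example.test`, "Test Root", "Test Intermediate") are constructed test data.

```python
"""Why a TLS server must send its intermediate certificate.

Added example; not code from the thread or the blog post it links.
Assumes the `openssl` CLI (>= 1.1.1) is on PATH; it only mints a
throwaway test PKI.  The handshake is done in-process with MemoryBIO.
"""
import os
import ssl
import subprocess
import tempfile


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _write_cnf(path, cn, is_ca):
    # Self-contained openssl config so the system openssl.cnf never interferes.
    ext = ("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
           if is_ca else f"basicConstraints=CA:FALSE\nsubjectAltName=DNS:{cn}\n")
    with open(path, "w") as f:
        f.write("[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n"
                f"[dn]\nCN={cn}\n[ext]\n{ext}")


def make_test_pki(d):
    """Create root.crt, inter.crt, leaf.crt, leaf.key and fullchain.pem in d (constructed test PKI)."""
    p = lambda name: os.path.join(d, name)
    # Self-signed root: the only certificate the client will trust.
    _write_cnf(p("root.cnf"), "Test Root", True)
    _openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-days", "30",
             "-config", p("root.cnf"), "-keyout", p("root.key"), "-out", p("root.crt"))
    # Intermediate signed by the root (plays the role of Let's Encrypt's R10).
    _write_cnf(p("inter.cnf"), "Test Intermediate", True)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", p("inter.cnf"),
             "-keyout", p("inter.key"), "-out", p("inter.csr"))
    _openssl("x509", "-req", "-days", "30", "-in", p("inter.csr"), "-CA", p("root.crt"),
             "-CAkey", p("root.key"), "-CAcreateserial", "-extfile", p("inter.cnf"),
             "-extensions", "ext", "-out", p("inter.crt"))
    # Leaf (server) certificate signed by the intermediate, not by the root.
    _write_cnf(p("leaf.cnf"), "example.test", False)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", p("leaf.cnf"),
             "-keyout", p("leaf.key"), "-out", p("leaf.csr"))
    _openssl("x509", "-req", "-days", "30", "-in", p("leaf.csr"), "-CA", p("inter.crt"),
             "-CAkey", p("inter.key"), "-CAcreateserial", "-extfile", p("leaf.cnf"),
             "-extensions", "ext", "-out", p("leaf.crt"))
    # What a correctly configured server is given: leaf first, then its chain.
    with open(p("fullchain.pem"), "w") as out:
        for name in ("leaf.crt", "inter.crt"):
            with open(p(name)) as f:
                out.write(f.read())


def handshake(cert_file, key_file, root_file):
    """TLS handshake between an in-memory server and client.

    cert_file is what the server presents (leaf alone, or leaf+intermediate);
    the client trusts only root_file.  Returns None on success, otherwise the
    client's certificate verification error message.
    """
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(cert_file, key_file)  # every cert in the file is sent
    cli_ctx = ssl.create_default_context(cafile=root_file)
    to_srv, to_cli = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Each side's outgoing BIO is the other side's incoming BIO, so no pumping is needed.
    server = srv_ctx.wrap_bio(to_srv, to_cli, server_side=True)
    client = cli_ctx.wrap_bio(to_cli, to_srv, server_hostname="example.test")
    done = [False, False]
    for _ in range(50):
        for i, side in enumerate((client, server)):
            if done[i]:
                continue
            try:
                side.do_handshake()
                done[i] = True
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass  # needs more bytes from the peer; let the other side run
            except ssl.SSLCertVerificationError as e:
                return e.verify_message  # chain building failed on the client
        if all(done):
            return None
    raise RuntimeError("handshake did not converge")


def compare():
    """Run both server configurations; returns (leaf_only_error, full_chain_error)."""
    with tempfile.TemporaryDirectory() as d:
        make_test_pki(d)
        p = lambda name: os.path.join(d, name)
        leaf_only = handshake(p("leaf.crt"), p("leaf.key"), p("root.crt"))
        with_chain = handshake(p("fullchain.pem"), p("leaf.key"), p("root.crt"))
    return leaf_only, with_chain


if __name__ == "__main__":
    leaf_only, with_chain = compare()
    print("server sends leaf only :", leaf_only)   # unable to get local issuer certificate
    print("server sends full chain:", with_chain)  # None
```

The first handshake fails inside the client with the same OpenSSL message curl prints above, because the client has the root but cannot find an issuer for the leaf; the second succeeds because `load_cert_chain` on the concatenated `fullchain.pem` makes the server send the intermediate along with the leaf, which is what the "upload leaf and intermediate in the same file" advice achieves on a web server.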