How to fix Twilio rejecting a LetsEncrypt certificate with a "Certificate Invalid" error (11237) when using the Twisted web server
I am running Python 3 (version 3.6.9) and Twisted (version 18.4.0) on an Ubuntu 18.04 server. This server is used for Twilio webhooks. The webhooks work fine over http. I installed a LetsEncrypt certificate, and the LetsEncrypt SSL certificate works for serving https to the Firefox browser.
However, when I point Twilio at the https version of the webhook, I get the following error in the Twilio debugger console:
Error - 11237
Certificate Invalid - Could not find path to certificate
Twilio tried to validate your SSL certificate but was unable to find it in our certificate store.
Possible Causes
You are using a self signed certificate.
The certificate authority you are using is not on our list of approved certificate authorities.
Your certificate chain is incomplete and requires an additional download.
Possible Solutions
Do not use a self signed certificate.
Concatenate your certificate chain so that no additional download is required.
Twilio uses CAs that are approved by Mozilla, you can find the full list here.
For testing purposes you can disable SSL Certificate Validation in Console.
If I disable SSL certificate validation in the console as Twilio suggests, the webhook works. I do not want to disable SSL certificate validation.
Here is a self-contained sample of the code I am running on the server:
import sys
from klein import Klein
from twisted.web.server import Site
from twisted.internet import reactor
from twisted.internet.endpoints import serverFromString
from twisted.python.log import startLogging
from [redacted] import get_data_folder_location
startLogging(sys.stdout)
klein_app = Klein()
path_to_letsencrypt_keys = get_data_folder_location()
# letsencrypt keys have been copied locally from /etc/letsencrypt/live/domain and chowned from root to local group:user
endpoint_description = "ssl:443:privateKey={0}/privkey.pem:certKey={0}/fullchain.pem".format(path_to_letsencrypt_keys)
klein_resource = klein_app.resource()
serverFromString(reactor, endpoint_description).listen(Site(klein_resource))
reactor.run()
Here is the log output from the self-contained sample. Note: the 404 on the last line of the log is me accessing the site over SSL with Firefox, which shows that Firefox (and therefore Mozilla) is fine with the LetsEncrypt SSL certificate.
2021-04-26 17:54:58+0000 [-] Log opened.
2021-04-26 17:54:58+0000 [-] Site (TLS) starting on 443
2021-04-26 17:54:58+0000 [-] Starting factory <twisted.web.server.Site object at 0x7fe3c57aa048>
2021-04-26 17:55:18+0000 [-] "redacted" - - [26/Apr/2021:17:55:18 +0000] "GET / HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0"
Finally, here are 2 screenshots of the Qualys SSL report.
My question: how do I get Twilio to accept my LetsEncrypt certificate?
Solution
It looks like Twisted has a problem loading fullchain.pem.
You need to load the chain manually, as described here.
import re
from OpenSSL import crypto
from twisted.internet import reactor, ssl
from twisted.web.server import Site
# path_to_letsencrypt_keys and klein_resource are as defined in the question's sample
privkey = open('{0}/privkey.pem'.format(path_to_letsencrypt_keys), 'rt').read()
certif = open('{0}/cert.pem'.format(path_to_letsencrypt_keys), 'rt').read()
chain = open('{0}/chain.pem'.format(path_to_letsencrypt_keys), 'rt').read()
privkeypyssl = crypto.load_privatekey(crypto.FILETYPE_PEM, privkey)
certifpyssl = crypto.load_certificate(crypto.FILETYPE_PEM, certif)
# chain.pem can hold more than one intermediate; load every PEM block, not only the first
chainpyssl = [crypto.load_certificate(crypto.FILETYPE_PEM, pem)
              for pem in re.findall(r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', chain, re.DOTALL)]
contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl, extraCertChain=chainpyssl)
# Listen with this context factory instead of the ssl: endpoint string
reactor.listenSSL(443, Site(klein_resource), contextFactory)
reactor.run()
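As an added example, not code from the question or the answer: a bundle splitter that makes the failure visible (fullchain.pem holds the leaf followed by the intermediates, and passing it as certKey uses only the first block), plus a helper that builds the CertificateOptions the answer describes and checks that each certificate really is issued by the next one before it is served. The sample bundle is constructed with placeholder bodies; build_context_factory assumes pyOpenSSL and Twisted are installed and is not run on the placeholder data.

```python
import re

# One PEM certificate block; DOTALL lets the body span lines
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.DOTALL)

def split_pem_bundle(bundle):
    """Return every certificate block in a PEM bundle, in file order."""
    return PEM_CERT_RE.findall(bundle)

def split_fullchain(bundle):
    """Split a fullchain.pem-style bundle into (leaf, [intermediates])."""
    certs = split_pem_bundle(bundle)
    if not certs:
        raise ValueError("no certificate blocks found in bundle")
    return certs[0], certs[1:]

def build_context_factory(privkey_pem, fullchain_pem):
    """CertificateOptions sending the leaf plus every intermediate.
    Imports are local so the parser above runs without pyOpenSSL/Twisted."""
    from OpenSSL import crypto
    from twisted.internet import ssl
    leaf_pem, inter_pems = split_fullchain(fullchain_pem)
    leaf = crypto.load_certificate(crypto.FILETYPE_PEM, leaf_pem)
    chain = [crypto.load_certificate(crypto.FILETYPE_PEM, p) for p in inter_pems]
    # Each certificate must be issued by the one after it, else chain.pem is the wrong file
    for cert, issuer in zip([leaf] + chain, chain):
        if cert.get_issuer() != issuer.get_subject():
            raise ValueError("chain break: %s is not issued by %s"
                             % (cert.get_subject().CN, issuer.get_subject().CN))
    return ssl.CertificateOptions(
        privateKey=crypto.load_privatekey(crypto.FILETYPE_PEM, privkey_pem),
        certificate=leaf, extraCertChain=chain)

# Constructed sample shaped like fullchain.pem: leaf first, then two intermediates
SAMPLE_FULLCHAIN = """-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE1PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE2PLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    leaf, intermediates = split_fullchain(SAMPLE_FULLCHAIN)
    print("leaf plus %d intermediate(s) would be sent" % len(intermediates))
```

After deploying, the Qualys report's chain section should list the intermediates with no "extra download" note; if it still does, the chain file itself is missing a certificate rather than Twisted dropping it.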