Python chat server client error: "unable to get local issuer certificate" / "unable to verify the first certificate" (even with the intermediate certificate)

2024-03-29 14:36:50 发布


Edit: Solved by the good people on the LetsEncrypt forum. There was an extra space between one of the certificates in my certificate chain, which managed to break everything. Leaving this here for others, and future me, who may run into this.

I have written the server and client of a CLI chat program in Python and deployed it with Ansible, Terraform and Docker. To secure it I generated a certificate from LetsEncrypt, but when verification is enabled the client keeps failing with "unable to get local issuer certificate". Apparently this is usually caused by not including the full certificate chain, but as you can see in this openssl s_client output, all certificates are present:

openssl s_client -connect $hostname:12345
CONNECTED(00000003)
depth=0 CN = $hostname
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = $hostname
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = $hostname
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = $hostname

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3260 bytes and written 387 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DD92F8B78D366FDDAD916309267D6FD0CBB8E67D9E5F1CCA9169C8C66055696C
    Session-ID-ctx: 
    Resumption PSK: DD250254F9F199AD9117C4FE70AE9C246020D05896F12BE962912B46BD6C689A5A1F4F6943ADCBF270A8E46BA459D333
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 2f 8d 11 a1 12 75 78 db-cb a8 6b 0d 7e 8e 28 f1   /....ux...k.~.(.
    0010 - 8a 07 40 7d 1d 33 81 8f-b4 f9 c7 6c f3 33 96 85   ..@}.3.....l.3..
    0020 - 7c 65 ce 2c 36 f6 5c 0e-63 e0 56 45 3a f6 90 97   |e.,6.\.c.VE:...
    0030 - b4 44 9c 65 cf 2c 21 19-1c b9 71 3b b7 4f 7c de   .D.e.,!...q;.O|.
    0040 - e5 63 fa ad 6b f7 e3 be-5d cc 19 4e 99 ae aa 5d   .c..k...]..N...]
    0050 - d8 8d 6b 3c d5 39 6e 10-8b d0 15 d3 42 05 6e 4a   ..k<.9n.....B.nJ
    0060 - d4 10 81 37 42 bc c6 85-81 a1 56 59 dd 48 cf 77   ...7B.....VY.H.w
    0070 - 98 0c 33 4c be 48 f2 a2-25 c9 e6 82 c9 83 93 2f   ..3L.H..%....../
    0080 - 09 8f 0c 81 82 70 ef e5-92 2f 8f 17 aa 25 f2 65   .....p.../...%.e
    0090 - 0c 24 59 95 b0 d5 c4 e8-50 eb bb 86 e9 dd 6a 2d   .$Y.....P.....j-
    00a0 - 46 80 2a 75 7d 33 ec 8c-eb f5 4d 23 c1 bb bc 39   F.*u}3....M#...9
    00b0 - 2f f4 9c af fd 93 bb f3-4f 03 c6 4e 49 b6 8b b6   /.......O..NI...
    00c0 - 43 d9 af 0c 2e 4a ce ce-7d 61 f9 a3 6c 98 0a 42   C....J..}a..l..B

    Start Time: 1621755879
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8A4D19F77A1D7FBF838C7F8293A66E81BC053C7BF09AB240686BBD6C05EEC46F
    Session-ID-ctx: 
    Resumption PSK: 102D108EBC577EA1B9FBF72E71FA908767BCC7F755AA766384C772F6FE4016A079CEDF3169329B4557DA2678F2855577
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 2f 8d 11 a1 12 75 78 db-cb a8 6b 0d 7e 8e 28 f1   /....ux...k.~.(.
    0010 - 17 c7 bc b0 7c af c7 69-da 04 8d 39 33 12 b6 83   ....|..i...93...
    0020 - 50 89 60 90 93 73 37 7e-30 84 5b 84 ba 60 83 51   P.`..s7~0.[..`.Q
    0030 - 92 a9 63 6b 6b a5 a7 a5-cc bd 09 7f 1f 43 3e ed   ..ckk........C>.
    0040 - dd 4e f1 5b 1e 77 75 59-dd 61 d2 77 9b b9 c0 c2   .N.[.wuY.a.w....
    0050 - b1 9b a4 c6 2b f9 95 96-0b 15 17 5f 5e 11 50 90   ....+......_^.P.
    0060 - 54 84 fc a3 39 d2 3c 43-5d c8 dd 52 b8 f3 11 a9   T...9.<C]..R....
    0070 - ae fd 0b 91 d2 9f e5 28-6a d5 66 7f b0 7c 06 98   .......(j.f..|..
    0080 - 40 06 3a 2f 28 e2 58 fc-a0 58 a1 af 62 6f df 12   @.:/(.X..X..bo..
    0090 - 56 69 16 db c1 24 4b dd-6b 87 3a 63 91 1d e6 1d   Vi...$K.k.:c....
    00a0 - 8f 61 9c 18 b6 db 1c 15-5c 3d a8 a4 fd 4e 44 3b   .a......\=...ND;
    00b0 - aa 03 6f 69 f6 55 5a b9-5c d3 73 ae bd 32 a5 03   ..oi.UZ.\.s..2..
    00c0 - 49 5c 9b 06 68 be 99 fb-9a 39 a1 a5 80 e8 04 eb   I\..h....9......

    Start Time: 1621755879
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---

This is the context that loads the certificate on the server:

import ssl

self.context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # Context wrapper to apply TLS over sockets
self.context.load_cert_chain(certfile='acme_chain.pem', keyfile='acme_key.pem')  # leaf certificate first, then its issuers

I'll add as an edit that the chain the Terraform ACME module I'm using gives me is 3 certificates long, providing me with the site certificate, Let's Encrypt's certificate and the ISRG Root X1 certificate, plus a key pem file. Is the DST Root CA the missing certificate? If so I'll have to file a bug report and find another ACME client.

It can't be that. Conveniently, they have exactly the same chain, only 3 certificates.
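The edit at the top says the chain was broken by a stray space between two certificates in the PEM file, and the s_client output above is consistent with that: only two certificates were sent, the leaf and the ISRG Root X1 cross-sign, with the R3 intermediate missing. The following is an added example, not code from the original post or from the LetsEncrypt forum answer: a stdlib-only lint that checks a PEM chain for exactly that class of damage (whitespace around the BEGIN/END delimiter lines, spaces inside base64 lines, text outside blocks, bodies that do not decode to a DER SEQUENCE) and a normaliser that rewrites the file cleanly. The certificate bodies it is run on are constructed stand-ins (a DER SEQUENCE containing one INTEGER), not real X.509 certificates; the file name on the command line is assumed, and the check that delimiters are matched at column 0 is an assumption about how strict PEM readers locate block boundaries.

```python
import base64
import re
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# one well-formed base64 body line: alphabet only, optional padding, no spaces
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def lint_pem_chain(text):
    """Structurally check a PEM chain file.

    Returns (findings, cert_count): findings is a list of (line_no, message)
    for each defect, cert_count the number of blocks whose body decodes to a
    DER SEQUENCE. Delimiter lines are compared at column 0 (assumption: that
    is how a strict PEM reader locates block boundaries), so a stray space
    there is reported because it can hide a block and silently shorten the chain.
    """
    findings = []
    cert_count = 0
    in_block = False
    body = []
    start = 0
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        stripped = line.strip()
        if not in_block:
            if stripped == PEM_BEGIN:
                if line != PEM_BEGIN:
                    findings.append((no, "whitespace around BEGIN line"))
                in_block, body, start = True, [], no
            elif stripped:
                findings.append((no, "text outside a PEM block: %r" % stripped[:40]))
            continue
        if stripped == PEM_END:
            if line != PEM_END:
                findings.append((no, "whitespace around END line"))
            in_block = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                findings.append((start, "body is not valid base64"))
                continue
            if not der.startswith(b"\x30"):
                findings.append((start, "decoded body is not a DER SEQUENCE"))
                continue
            cert_count += 1
            continue
        if not stripped:
            findings.append((no, "blank line inside a PEM block"))
            continue
        if not _B64_LINE.match(line):
            findings.append((no, "bad base64 line (stray whitespace or character)"))
        body.append(stripped)
    if in_block:
        findings.append((start, "BEGIN without matching END"))
    return findings, cert_count


def normalize_pem_chain(text):
    """Rewrite the chain with whitespace removed: delimiter lines at column 0,
    base64 lines with no embedded spaces, blank lines dropped."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped in (PEM_BEGIN, PEM_END):
            out.append(stripped)
        else:
            out.append("".join(stripped.split()))
    return "\n".join(out) + "\n"


def _fake_der(n):
    # Constructed stand-in for a certificate: DER SEQUENCE { INTEGER n }.
    # Not a real X.509 certificate; enough for the structural checks above.
    return bytes([0x30, 0x03, 0x02, 0x01, n])


def _to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END])


_BLOCKS = [_to_pem(_fake_der(n)) for n in (1, 2, 3)]
# constructed: a clean three-certificate chain, leaf first
GOOD_CHAIN = "\n".join(_BLOCKS) + "\n"
# constructed damage: a space before the second BEGIN line (line 4) and a
# space inside the base64 line of the third block (line 8)
_damaged = _BLOCKS[2].splitlines()
_damaged[1] = _damaged[1][:2] + " " + _damaged[1][2:]
BAD_CHAIN = "\n".join([_BLOCKS[0], " " + _BLOCKS[1], "\n".join(_damaged)]) + "\n"

if __name__ == "__main__":
    # usage: python pem_lint.py acme_chain.pem  (file name assumed; defaults to the constructed bad chain)
    chain = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CHAIN
    problems, count = lint_pem_chain(chain)
    print("well-formed certificate blocks:", count)
    for line_no, message in problems:
        print("line %d: %s" % (line_no, message))
```

Run it against the chain file that load_cert_chain is given; a chain that lints clean but still fails verification points to ordering or a missing intermediate rather than to file damage, which is the distinction the question was trying to make.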

