Twilio rejecting LetsEncrypt Cert with "Certificate Invalid" error 11237 using Twisted Web Server

I am running python3 (version 3.6.9) and Twisted (version 18.4.0) on an Ubuntu 18.04 server. This server is used for Twilio webhooks. The webhooks work fine over http. I installed a LetsEncrypt certificate, and the LetsEncrypt ssl certificate serves https fine to the FireFox browser.

However, when I point twilio at the https version of the webhook, I get the following error in the twilio debugger console:

Error - 11237
Certificate Invalid - Could not find path to certificate

Twilio tried to validate your SSL certificate but was unable to find it in our certificate store.

Possible Causes

    You are using a self signed certificate.
    The certificate authority you are using is not on our list of approved certificate authorities.
    Your certificate chain is incomplete and requires an additional download.

Possible Solutions

    Do not use a self signed certificate.
    Concatenate your certificate chain so that no additional download is required.
    Twilio uses CAs that are approved by Mozilla, you can find the full list here.
    For testing purposes you can disable SSL Certificate Validation in Console.

If I disable SSL certificate validation in the console as Twilio suggests, the webhooks work. I do not want to disable SSL certificate validation.

Here is the stand-alone code sample I run on the server:

import sys
from klein import Klein
from twisted.web.server import Site
from twisted.internet import reactor
from twisted.internet.endpoints import serverFromString
from twisted.python.log import startLogging
from [redacted] import get_data_folder_location

startLogging(sys.stdout)

klein_app = Klein()

path_to_letsencrypt_keys = get_data_folder_location()
# letsencrypt keys have been copied locally from /etc/letsencrypt/live/domain and chowned from root to local group:user
endpoint_description = "ssl:443:privateKey={0}/privkey.pem:certKey={0}/fullchain.pem".format(path_to_letsencrypt_keys)

klein_resource = klein_app.resource()
serverFromString(reactor, endpoint_description).listen(Site(klein_resource))
reactor.run()

Here is the log output from the stand-alone example. Note: the 404 on the last line of the log is me accessing the site over ssl with FireFox, which shows that FireFox (and therefore Mozilla) can use the letsencrypt ssl cert.

2021-04-26 17:54:58+0000 [-] Log opened.
2021-04-26 17:54:58+0000 [-] Site (TLS) starting on 443
2021-04-26 17:54:58+0000 [-] Starting factory <twisted.web.server.Site object at 0x7fe3c57aa048>
2021-04-26 17:55:18+0000 [-] "redacted" - - [26/Apr/2021:17:55:18 +0000] "GET / HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0"

Finally, here are 2 screenshots of the Qualys SSL report

My question: how do I get Twilio to accept my LetsEncrypt certificate?

Twisted seems to have a problem loading fullchain.pem.

You need to load the chain manually as described here.

from OpenSSL import crypto
from twisted.internet import ssl

# path_to_letsencrypt_keys, klein_resource, Site and reactor are the ones from the question's script
with open('{0}/privkey.pem'.format(path_to_letsencrypt_keys), 'rt') as f:
    privkey = f.read()
with open('{0}/cert.pem'.format(path_to_letsencrypt_keys), 'rt') as f:
    certif = f.read()
with open('{0}/chain.pem'.format(path_to_letsencrypt_keys), 'rt') as f:
    chain = f.read()

privkeypyssl = crypto.load_privatekey(crypto.FILETYPE_PEM, privkey)
certifpyssl = crypto.load_certificate(crypto.FILETYPE_PEM, certif)
chainpyssl = [crypto.load_certificate(crypto.FILETYPE_PEM, chain)]  # the intermediate that Twilio must be sent
contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl, extraCertChain=chainpyssl)

# listen with this context factory instead of the ssl: endpoint string
reactor.listenSSL(443, Site(klein_resource), contextFactory)
reactor.run()
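As an added example, not part of the answer above or of Twisted/pyOpenSSL themselves: the same manual loading generalised to a fullchain.pem with any number of intermediates, since crypto.load_certificate() parses only the first PEM block in a file, plus an issuer/subject ordering check before the chain is handed to Twisted. The names split_fullchain, make_context_factory and SAMPLE_FULLCHAIN are mine, and the sample bundle is constructed with placeholder bodies.

```python
import re

# Every CERTIFICATE block in a PEM bundle, in file order (DOTALL: bodies span lines).
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def split_fullchain(pem_text):
    """Split certbot's fullchain.pem into (leaf_pem, [intermediate_pem, ...]).

    OpenSSL's load_certificate() parses only the first block, which is why
    pointing certKey= at fullchain.pem silently drops the intermediates.
    """
    blocks = PEM_CERT_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in PEM data")
    return blocks[0], blocks[1:]


def make_context_factory(privkey_pem, fullchain_pem):
    """Build a Twisted CertificateOptions that presents the whole chain.

    Twisted and pyOpenSSL are imported here so split_fullchain() stays
    usable without them installed.
    """
    from OpenSSL import crypto
    from twisted.internet import ssl

    leaf_pem, inter_pems = split_fullchain(fullchain_pem)
    key = crypto.load_privatekey(crypto.FILETYPE_PEM, privkey_pem)
    leaf = crypto.load_certificate(crypto.FILETYPE_PEM, leaf_pem)
    chain = [crypto.load_certificate(crypto.FILETYPE_PEM, p) for p in inter_pems]
    # Sanity check: each certificate must be issued by the next one in the list.
    ordered = [leaf] + chain
    for child, parent in zip(ordered, ordered[1:]):
        if child.get_issuer() != parent.get_subject():
            raise ValueError("chain out of order at %s" % child.get_subject().CN)
    return ssl.CertificateOptions(privateKey=key, certificate=leaf, extraCertChain=chain)


# Constructed sample bundle: the bodies are placeholders, not real DER, so it
# exercises only the splitting logic, never OpenSSL parsing.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-1\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-2\n-----END CERTIFICATE-----\n"
)
```

The endpoint-string equivalent is to point certKey= at cert.pem and add extraCertChain=chain.pem, which Twisted splits into every certificate in that file.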