IMO requests should trust Let's Encrypt issued certs: www.letsencrypt.org
Do you have evidence that we don't?
Requests does trust LE: LE uses a cross-signed root that we have chained up to for years.
Mmh, then why do I get an SSL error when I request https://auxdb.app.tu-dortmund.de? It is using a Let's Encrypt certificate and all browsers I tried trust this certificate.
requests.get('https://auxdb.app.tu-dortmund.de')
I added the 4 intermediate certificates of Let's Encrypt to my system's ca-certificates:
https://letsencrypt.org/certificates/
This works:
requests.get('https://auxdb.app.tu-dortmund.de', verify='/etc/ssl/certs/ca-certificates.crt')
What version of requests do you have installed, what packages on your system do you have installed, what OS are you on, and what OpenSSL version do you have?
Are you saying that you can request the given url without ssl error?
@MaxNoe The server does not serve the intermediate certificate(s) like it should (browsers cache them from other sites, so it may work).
Compare:
$ openssl s_client -connect auxdb.app.tu-dortmund.de:443 -CAfile /etc/ssl/certs/ca-certificates.crt
...
Certificate chain
0 s:/CN=git.e5.physik.tu-dortmund.de
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...
Verify return code: 21 (unable to verify the first certificate)
$ openssl s_client -connect t-8ch.de:443 -CAfile /etc/ssl/certs/ca-certificates.crt
...
Certificate chain
0 s:/CN=t-8ch.de
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
...
Verify return code: 0 (ok)
Certbot saves the chain to chain.pem and fullchain.pem (including the leaf cert).
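The chain comparison from the comment above, as an added example (not part of the original thread and not Requests code): it parses the `Certificate chain` section of `openssl s_client` output and lists issuers that the server did not send and that are not among the client's roots. The sample text is constructed from the two outputs quoted above; `TRUSTED_ROOTS`, `parse_chain` and `missing_issuers` are names assumed for this example.

```python
import re

# Constructed sample input: the two "Certificate chain" sections quoted in the thread.
INCOMPLETE = """\
Certificate chain
 0 s:/CN=git.e5.physik.tu-dortmund.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""
COMPLETE = """\
Certificate chain
 0 s:/CN=t-8ch.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
# Assumption: subject names of the roots in the local CA bundle
# (only the root that appears in the thread's output).
TRUSTED_ROOTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):\s*(.+?)\s*$", line)
        if not m:
            continue  # skips "...", headers and the a:/v: lines of newer OpenSSL
        kind, name = m.groups()
        if kind == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain


def missing_issuers(chain, trusted_roots):
    """Issuers a client holding only trusted_roots cannot find in what was sent.

    Matching is by name only; real verification also checks signatures.
    """
    sent = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in sent
            and issuer not in trusted_roots]


if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(label, missing_issuers(parse_chain(text), TRUSTED_ROOTS))
```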
Mhh, ok. So it's a problem on the other hand. Sorry to bother.
Ok, got it. I use a Python script to upload the certificates obtained by Let's Encrypt into the Rancher API. I got the keyword for the chain cert wrong. Everything works now.
Glad to hear that Requests is of a level of quality that it accidentally led you to fix your improperly configured server.
We should start selling a security audit edition license for corporations :)