Ah, right. Seems Chrome changed its behavior .. at one point it wasn't able to load intermediate certs .. and hence I assumed from the dialog that Twisted cert has the intermediate cert contained. Wrong.

FWIW, you can manually concatenate certs .. this is what we do (also for StartSSL):

$ cat myserver_plain_cert.crt > myserver.crt
$ cat ../sub.class1.server.sha2.ca.pem >> myserver.crt
$ cat ../ca.pem >> myserver.crt

A concatenated cert like above works today without the new code that is upcoming in Twisted. Which is cool also.

However: this all does not explain (at least I don't understand) why the OP has that issue showing up .. Firefox is able to load intermediate CA certs from the net .. I have seen it .. also for StartSSL certs.

Something is breaking this. Maybe it's MITM TLS, maybe they blocked intermediate cert auto-loading, .. dunno.

/Tobias

> -----Original Message-----
> From: twisted-python-boun...@twistedmatrix.com [mailto:twisted-python-boun...@twistedmatrix.com] On Behalf Of Hynek Schlawack
> Sent: Thursday, 24 October 2013 09:16
> To: Twisted general discussion
> Subject: Re: [Twisted-Python] "mind" introduced strangely in pb howto
>
> On 24.10.2013 at 09:02, Tobias Oberstein <tobias.oberst...@tavendo.de> wrote:
>
> >> I just tried to register so I could do that. When I clicked on the
> >> register button after filling out the username/password fields my
> >> browser (firefox) brought up a notice that the security certificate
> >> is invalid because of unavailable issuance chain information. Knowing
> >> absolutely nothing about internet security issues I thought I should
> >> mention this and ask if this is expected behavior.
> >
> > I wouldn't call that expected behavior, since
> >
> > a) the certificate used on twistedmatrix.com contains (as it should)
> > intermediate CA certs also (see attachments)
>
> I'm not sure what you mean with "contains"? It certainly *relies* on one but
> unfortunately doesn't send it along (yet):
>
> $ openssl s_client -host www.twistedmatrix.com -port 443
> CONNECTED(00000003)
> depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmas...@twistedmatrix.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmas...@twistedmatrix.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmas...@twistedmatrix.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmas...@twistedmatrix.com
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
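Added example, not part of the original thread and not Twisted code: a small check that reads the "Certificate chain" block of `openssl s_client` output and names the issuer the server failed to send. The function names, the second sample and the trusted-root set are assumptions made for the illustration.

```python
import re

# Chain block from the s_client output quoted in the thread (mail line wraps rejoined).
PAGE_OUTPUT = """\
Certificate chain
 0 s:/description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmas...@twistedmatrix.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
"""

# Constructed sample: the same server once the intermediate is appended to its cert file.
FIXED_OUTPUT = PAGE_OUTPUT.replace("---\n", """\
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
""")

# Assumption: subject names already present in the client's root store (constructed).
TRUSTED_ROOTS = {
    "/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority",
}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    if "Certificate chain" not in text:
        return []
    block = text.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    names = re.findall(r"^[ \t]*(?:\d+[ \t]+)?([si]):(.*)$", block, re.MULTILINE)
    subjects = [value.strip() for kind, value in names if kind == "s"]
    issuers = [value.strip() for kind, value in names if kind == "i"]
    return list(zip(subjects, issuers))

def chain_gap(chain, trusted_roots):
    """Return the issuer name the client cannot resolve, or None if the chain links up."""
    for idx, (subject, issuer) in enumerate(chain):
        if issuer == subject or issuer in trusted_roots:
            return None      # reached a self-signed certificate or a trusted root
        if idx + 1 == len(chain) or chain[idx + 1][0] != issuer:
            return issuer    # the issuing certificate is missing or out of order
    return "no certificates sent"

if __name__ == "__main__":
    print("as served: ", chain_gap(parse_chain(PAGE_OUTPUT), TRUSTED_ROOTS))
    print("with chain:", chain_gap(parse_chain(FIXED_OUTPUT), TRUSTED_ROOTS))
```

The check compares subject and issuer names only and does not verify signatures, so it flags a missing or misordered intermediate but is no substitute for full chain validation.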