Deluge Web TLS not working with certificate chains

Posted: Wed Jun 14, 2017 9:29 pm
by Jay-C
Hi!

I'm going to try to keep this short. I'm trying to add a certificate chain to the deluge web UI, the subject certificate concatenated with an intermediate certificate, as is standard. I've successfully verified the separate files using the "openssl verify" utility.

$ openssl verify -verbose -CAfile root.cert.pem -untrusted intermediate.cert.pem deluge.cert.pem
deluge.cert.pem: OK

However, Firefox gives me an SEC_ERROR_UNKNOWN_ISSUER error. To look at what the server sends me I use:

openssl s_client -CAfile root.cert.pem -connect localhost:8112 -showcerts

Indeed, the output shows the server does not send the intermediate certificate. It seems the deluge web server only sends the first certificate, and skips the rest of the chain. As this has worked correctly in the past, I looked at the git history and the culprit seems to be commit c1902e43, which replaces the code for loading the certificate, specifically

certificate = Certificate.loadPEM(cert.read()).original

instead of

ctx.use_certificate_chain_file(configmanager.get_config_dir(delugeweb.cert))

As far as I can tell this is an incorrect way to read chain files. Look at the example at https://pem.readthedocs.io/en/stable/twisted.html for guidance.

I would fix this myself but I'm sure you who have greater experience with the code can do it much more quickly and efficiently.
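To illustrate the difference the post describes, here is an added example (not Deluge's code and not from the post): it splits a PEM bundle into its CERTIFICATE blocks, models why a single-certificate loader leaves the client with only the leaf, and installs the remaining blocks as extra chain certificates the way use_certificate_chain_file() does. The sample bundle, the RecordingContext stand-in and the load_cert callable are constructed for offline use; with pyOpenSSL you would pass an OpenSSL.SSL.Context and crypto.load_certificate instead.

```python
import re

# Constructed sample: PEM-shaped placeholders standing in for a real
# leaf + intermediate bundle (the body lines are not real certificates).
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFLEAFLEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_chain(pem_text):
    """Return every CERTIFICATE block in file order: leaf first, then issuers."""
    return _PEM_CERT.findall(pem_text)


def certs_sent_to_client(pem_text, first_block_only):
    """Model the two loaders: a single-certificate loader keeps only block 0,
    so the intermediate(s) never reach the client; a chain loader keeps all."""
    blocks = split_pem_chain(pem_text)
    return blocks[:1] if first_block_only else blocks


def install_chain(ctx, pem_text, load_cert):
    """Install a bundle like use_certificate_chain_file(): block 0 is the
    server certificate, later blocks are extra chain certificates.  ctx must
    expose use_certificate() and add_extra_chain_cert() (pyOpenSSL Context
    does); load_cert turns one PEM block into a certificate object, e.g.
    lambda b: crypto.load_certificate(crypto.FILETYPE_PEM, b.encode()).
    Returns the number of certificates installed."""
    blocks = split_pem_chain(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found in PEM input")
    leaf, *intermediates = blocks
    ctx.use_certificate(load_cert(leaf))
    for block in intermediates:
        ctx.add_extra_chain_cert(load_cert(block))
    return len(blocks)


class RecordingContext:
    """Offline stand-in for OpenSSL.SSL.Context: records what was installed."""
    def __init__(self):
        self.leaf, self.extra = None, []
    def use_certificate(self, cert): self.leaf = cert
    def add_extra_chain_cert(self, cert): self.extra.append(cert)


if __name__ == "__main__":
    ctx = RecordingContext()
    n = install_chain(ctx, SAMPLE_CHAIN, load_cert=lambda b: b)
    print("first-block loader sends", len(certs_sent_to_client(SAMPLE_CHAIN, True)), "cert(s)")
    print("chain loader installs", n, "cert(s);", len(ctx.extra), "extra chain cert(s)")
```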

Re: Deluge Web TLS not working with certificate chains

Posted: Thu Jun 15, 2017 9:55 am
by Cas