diafygi / acme-nosudo

Free HTTPS certificates without having to trust the letsencrypt cli with sudo/root
GNU Affero General Public License v3.0
1.19k stars, 128 forks

Steps produce two certificates? #83

Closed Manishearth closed 7 years ago

Manishearth commented 7 years ago

We're getting errors with https://joshmatthews.net/ (which was set up with this script) when trying to fetch it via python urllib2 or requests on a server. (The server is an up-to-date Ubuntu 14.04, so it probably lacks some certificates)

The same error happens with https://letsencrypt.daylightpirates.org/, the example site.

With urllib2, we get an HTTP 403 error. With requests, we get a clearer error message:

>>> requests.get("https://letsencrypt.daylightpirates.org/")
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:132: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecurePlatformWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: hostname 'letsencrypt.daylightpirates.org' doesn't match either of 'ballotapi.com', 'www.ballotapi.com'

Looking at https://www.ssllabs.com/ssltest/analyze.html?d=letsencrypt.daylightpirates.org (or https://www.ssllabs.com/ssltest/analyze.html?d=joshmatthews.net), it seems that there is a second certificate (see certificate #2), which is invalid. I'm not sure what's going on here; perhaps these steps don't wipe the older certificate? Something seems missing.

diafygi commented 7 years ago

This is likely because you're using python <2.7.9, which doesn't have native SNI support[1]: http://docs.python-requests.org/en/master/community/faq/#what-are-hostname-doesn-t-match-errors

Try installing these: http://stackoverflow.com/a/18579484

Manishearth commented 7 years ago

Yeah, I'd seen that error and was looking into upgrading python on our servers. I was surprised that the older certificate was still showing, though, and thought that it was a fault with this script -- turns out it's because there are multiple domains on the same IP, and that's normal.
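The diagnosis above (old Python sends no SNI, so the server answers with the default virtual host's certificate) can be checked directly. This is an added example, not code from acme-nosudo: it parses the `hostname ... doesn't match` message quoted in the issue, decides whether the local `ssl` module can send SNI at all, and offers a live probe that shows which names a server presents with and without SNI (Python 3; hostnames and the live probe's output are up to the caller).

```python
import re
import socket
import ssl

# Matches both forms requests emits: "...doesn't match 'a'" and
# "...doesn't match either of 'a', 'b'".
MISMATCH_RE = re.compile(r"hostname '([^']+)' doesn't match (?:either of )?(.+)$")

def parse_mismatch(message):
    """Return (requested_host, names_in_presented_cert) or None if not a mismatch error."""
    m = MISMATCH_RE.search(message)
    if not m:
        return None
    names = re.findall(r"'([^']+)'", m.group(2))
    return m.group(1), names

def diagnose(message, has_sni=None):
    """Explain a mismatch: without SNI the server can only send its default vhost cert."""
    if has_sni is None:
        has_sni = getattr(ssl, "HAS_SNI", False)   # absent/False on Python < 2.7.9
    parsed = parse_mismatch(message)
    if parsed is None:
        return "not a hostname-mismatch error"
    host, names = parsed
    if not has_sni:
        return ("client cannot send SNI, so the server returned its default "
                "certificate (%s) instead of one for %s; upgrade Python (>= 2.7.9) "
                "or install pyOpenSSL, ndg-httpsclient and pyasn1"
                % (", ".join(names), host))
    return ("SNI is available; the certificate served for %s really lacks that name "
            "(it covers: %s), so check the server's vhost/certificate configuration"
            % (host, ", ".join(names)))

def presented_names(host, port=443, use_sni=True, timeout=5):
    """Live probe (needs network): DNS names in the leaf cert the server presents.

    Call twice, with use_sni=True and False, to reproduce the issue: the second
    call shows the default certificate an SNI-less client would be given.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want to inspect the cert, not fail on it
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain is still verified; getpeercert() stays populated
    sock = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
        cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

If `presented_names(host, use_sni=False)` returns the other site's names while `presented_names(host)` returns the expected ones, the server is fine and the client is the problem, exactly as in this thread.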