Discussion:
[Twisted-Python] twistedmatrix.com TLS certificate
Tristan Seligmann
2017-03-06 07:22:04 UTC
twistedmatrix.com's current certificate is issued by StartCom Certification
Authority; for certificates issued by this CA prior to 2016-09-21, the
domain must be on a Chrome whitelist for it to be accepted. As of Chrome
58.0.3026.3 (canary/dev channel only, currently, but eventually this will
presumably be in a release version) twistedmatrix.com is no longer[1] on
the whitelist, which means that twistedmatrix.com will issue a certificate
error. Can we switch to another CA? (Let's Encrypt, for example; I hear
somebody wrote a Twisted library for using that)

I'm sending this to the general list in case anyone else has been
scratching their head about why they're getting cert warnings.

[1] https://chromium.googlesource.com/chromium/src/+/6fc397860ccafa55086456a4d1e6d713c418b41f%5E%21/
Cory Benfield
2017-03-06 08:16:35 UTC
> twistedmatrix.com's current certificate is issued by StartCom Certification Authority; for certificates issued by this CA prior to 2016-09-21, the domain must be on a Chrome whitelist for it to be accepted. As of Chrome 58.0.3026.3 (canary/dev channel only, currently, but eventually this will presumably be in a release version) twistedmatrix.com is no longer[1] on the whitelist, which means that twistedmatrix.com will issue a certificate error. Can we switch to another CA? (Let's Encrypt, for example; I hear somebody wrote a Twisted library for using that)
> I'm sending this to the general list in case anyone else has been scratching their head about why they're getting cert warnings.
This is an extremely good idea.

Cory
Glyph Lefkowitz
2017-03-07 03:19:22 UTC
Post by Cory Benfield
>> twistedmatrix.com's current certificate is issued by StartCom Certification Authority; for certificates issued by this CA prior to 2016-09-21, the domain must be on a Chrome whitelist for it to be accepted. As of Chrome 58.0.3026.3 (canary/dev channel only, currently, but eventually this will presumably be in a release version) twistedmatrix.com is no longer[1] on the whitelist, which means that twistedmatrix.com will issue a certificate error. Can we switch to another CA? (Let's Encrypt, for example; I hear somebody wrote a Twisted library for using that)
>> I'm sending this to the general list in case anyone else has been scratching their head about why they're getting cert warnings.
> This is an extremely good idea.
Yes please.

This is the rare ops task that will actually be quite easy for someone to add in to Braid as a PR: https://github.com/twisted-infra/braid

If you have a look at https://github.com/twisted-infra/braid/blob/master/services/t-web/twisted-web/ports you might be able to guess how such a thing would go...

-glyph
James Broadhead
2017-03-12 15:13:01 UTC
Just ran into this. For interested parties, Chrome 58 is due to go stable
on Apr 25th [1]



[1] https://www.chromium.org/developers/calendar
Post by Tristan Seligmann
>>> twistedmatrix.com's current certificate is issued by StartCom
>>> Certification Authority; for certificates issued by this CA prior to
>>> 2016-09-21, the domain must be on a Chrome whitelist for it to be accepted.
>>> As of Chrome 58.0.3026.3 (canary/dev channel only, currently, but
>>> eventually this will presumably be in a release version) twistedmatrix.com
>>> is no longer[1] on the whitelist, which means that twistedmatrix.com will
>>> issue a certificate error. Can we switch to another CA? (Let's Encrypt, for
>>> example; I hear somebody wrote a Twisted library for using that)
>>> I'm sending this to the general list in case anyone else has been
>>> scratching their head about why they're getting cert warnings.
>> This is an extremely good idea.
> Yes please.
> This is the rare ops task that will actually be quite easy for someone to
> add in to Braid as a PR: https://github.com/twisted-infra/braid
> If you have a look at
> https://github.com/twisted-infra/braid/blob/master/services/t-web/twisted-web/ports
> you might be able to guess how such a thing would go...
> -glyph
_______________________________________________
Twisted-Python mailing list
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python