id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc
3064,Deluge Web TLS not working with certificate chains,Jay-C,,"Hi!

I'm going to try to keep this short. I'm trying to add a certificate chain to the Deluge web UI, the subject certificate concatenated with an intermediate certificate, as is standard. I've successfully verified the separate files using the ""openssl verify"" utility.

{{{
$ openssl verify -verbose -CAfile root.cert.pem -untrusted intermediate.cert.pem deluge.cert.pem
deluge.cert.pem: OK
}}}

However, Firefox gives me an SEC_ERROR_UNKNOWN_ISSUER error. To look at what the server sends me, I use:

{{{
openssl s_client -CAfile root.cert.pem -connect localhost:8112 -showcerts
}}}

Indeed, the output shows the server does not send the intermediate certificate. It seems the Deluge web server only sends the first certificate, and skips the rest of the chain.

As this has worked correctly in the past, I looked at the git history and the culprit seems to be commit c1902e43, which replaces the code for loading the certificate, specifically

{{{
certificate = Certificate.loadPEM(cert.read()).original
}}}

instead of

{{{
ctx.use_certificate_chain_file(configmanager.get_config_dir(delugeweb.cert))
}}}

As far as I can tell this is an incorrect way to read chain files. Look at the example at https://pem.readthedocs.io/en/stable/twisted.html for guidance.

I would fix this myself, but I'm sure you, who have greater experience with the code, can do it much more quickly and efficiently.",bug,closed,major,Future,Web UI,1.3.15,Fixed,,