Reputation: 946
I am running python3 (version 3.6.9) with Twisted (version 18.4.0) on an Ubuntu 18.04 server. This server is used for webhooks for Twilio. The webhooks work fine over http. I installed a LetsEncrypt cert, and the LetsEncrypt ssl cert works fine for serving https to a Firefox browser.
However, when I point twilio to the https version of the webhook, I get the following error in the twilio debugger console:
Error - 11237
Certificate Invalid - Could not find path to certificate
Twilio tried to validate your SSL certificate but was unable to find it in our certificate store.
Possible Causes
You are using a self signed certificate.
The certificate authority you are using is not on our list of approved certificate authorities.
Your certificate chain is incomplete and requires an additional download.
Possible Solutions
Do not use a self signed certificate.
Concatenate your certificate chain so that no additional download is required.
Twilio uses CAs that are approved by Mozilla, you can find the full list here.
For testing purposes you can disable SSL Certificate Validation in Console.
If I disable SSL Certificate Validation in Console as suggested by Twilio, the webhooks work. I do not want to disable SSL Certificate Validation.
Here is a self-contained sample of the code I am running on the server:
import sys
from klein import Klein
from twisted.web.server import Site
from twisted.internet import reactor
from twisted.internet.endpoints import serverFromString
from twisted.python.log import startLogging
from [redacted] import get_data_folder_location
startLogging(sys.stdout)
klein_app = Klein()
path_to_letsencrypt_keys = get_data_folder_location()
# letsencrypt keys have been copied locally from /etc/letsencrypt/live/domain and chowned from root to local group:user
# Twisted "ssl:" endpoint string: privateKey is the leaf key, certKey points at fullchain.pem (leaf + intermediates)
endpoint_description = "ssl:443:privateKey={0}/privkey.pem:certKey={0}/fullchain.pem".format(path_to_letsencrypt_keys)
klein_resource = klein_app.resource()
serverFromString(reactor, endpoint_description).listen(Site(klein_resource))
reactor.run()
Here is the log output from the self-contained sample. Note: the 404 on the last line of the log is me hitting the site over ssl with Firefox, which demonstrates that Firefox (and therefore Mozilla) is OK with the letsencrypt ssl cert:
2021-04-26 17:54:58+0000 [-] Log opened.
2021-04-26 17:54:58+0000 [-] Site (TLS) starting on 443
2021-04-26 17:54:58+0000 [-] Starting factory <twisted.web.server.Site object at 0x7fe3c57aa048>
2021-04-26 17:55:18+0000 [-] "redacted" - - [26/Apr/2021:17:55:18 +0000] "GET / HTTP/1.1" 404 233 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0"
And finally, here are 2 screenshots of the Qualys SSL Report
My question: How can I get Twilio to accept my LetsEncrypt cert?
Upvotes: 0
Views: 907
Reputation: 4837
It looks like Twisted has problems loading the fullchain.pem.
You'll need to manually load the chain as described here.
import re
from OpenSSL import crypto
from twisted.internet import reactor, ssl
from twisted.web.server import Site

# path_to_letsencrypt_keys and klein_app come from the question's code
def read_pem(name):
    with open('{0}/{1}'.format(path_to_letsencrypt_keys, name), 'rt') as f:
        return f.read()

privkeypyssl = crypto.load_privatekey(crypto.FILETYPE_PEM, read_pem('privkey.pem'))
certifpyssl = crypto.load_certificate(crypto.FILETYPE_PEM, read_pem('cert.pem'))
# load_certificate() parses only the first PEM block, so split chain.pem so that every intermediate is sent
chainpyssl = [crypto.load_certificate(crypto.FILETYPE_PEM, block) for block in
              re.findall(r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', read_pem('chain.pem'), re.DOTALL)]
contextFactory = ssl.CertificateOptions(privateKey=privkeypyssl, certificate=certifpyssl, extraCertChain=chainpyssl)
# hand the context factory to the reactor directly instead of using the "ssl:" endpoint string from the question
reactor.listenSSL(443, Site(klein_app.resource()), contextFactory)
reactor.run()
Upvotes: 1
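An added example, not part of the answer or the question: it splits chain.pem into every PEM block (pyOpenSSL's load_certificate() reads only the first one) and checks the served chain the way a strict client such as Twilio's validator does, with no AIA fetching and no cached intermediates, which is why a browser can accept a chain that Twilio rejects. The PEM bodies are constructed placeholders, and served_chain_is_complete() needs network access to the host you pass it.

```python
import re
import socket
import ssl
from typing import List

# Constructed sample: two placeholder PEM blocks standing in for the
# intermediate(s) in /etc/letsencrypt/live/<domain>/chain.pem (not real certs).
SAMPLE_CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_certificates(bundle: str) -> List[str]:
    """Return every certificate block in a PEM bundle, in file order.

    pyOpenSSL's load_certificate() parses only the first block, so a chain.pem
    holding more than one intermediate must be split before each piece is
    passed to CertificateOptions(extraCertChain=...).
    """
    return [match.group(0) + "\n" for match in _PEM_BLOCK.finditer(bundle)]


def load_extra_cert_chain(bundle: str):
    """Parse each block with pyOpenSSL into the list extraCertChain expects."""
    from OpenSSL import crypto  # deferred so the splitter runs without pyOpenSSL
    return [crypto.load_certificate(crypto.FILETYPE_PEM, block)
            for block in split_pem_certificates(bundle)]


def served_chain_is_complete(host: str, port: int = 443) -> bool:
    """Handshake like a strict client: OpenSSL does no AIA fetching and keeps no
    cache of intermediates, so a missing intermediate fails here even when a
    browser (which does both) shows a green padlock. True when the served chain
    verifies against the local trust store."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ssl.CertificateError):
        return False
```

Twisted's "ssl:" endpoint string also accepts an extraCertChain=/path/chain.pem parameter that performs this same PEM splitting for you.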