I'm using an intermediate certificate to sign the client certificates, and I'm trying to enable client certificate validation on the server side using Python 3.10 with the following code:

```python
import ssl

# settings: the application's settings module holding the certificate paths
ssl_context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain(certfile=settings.CERTS_TLS_SERVER_CERT,
                            keyfile=settings.CERTS_TLS_SERVER_KEY,
                            password=settings.CERTS_TLS_SERVER_CERT_PASSWORD)
ssl_context.load_verify_locations(cafile=settings.CERTS_CA_CERT)
ssl_context.verify_mode = ssl.CERT_REQUIRED
```
but this throws the following error when the client connects:

Error:

```
transport: <asyncio.sslproto._SSLProtocolTransport object at 0x7f657f115fc0>
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/asyncio/selector_events.py", line 213, in _accept_connection2
    await waiter
  File "/usr/local/lib/python3.10/asyncio/sslproto.py", line 534, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/local/lib/python3.10/asyncio/sslproto.py", line 188, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1007)
```
The client context:

```python
import ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile='certs/generated/ca.crt')
context.load_cert_chain(certfile="certs/generated/client.crt",
                        keyfile="certs/generated/client.key")
```
I verified:

- CA cert availability in the server SSL context; the CA cert file contains both the Root CA and the Intermediate CA
- Setting `ssl_context.verify_flags = ssl.VERIFY_X509_PARTIAL_CHAIN`

No luck.

Any idea why this error is happening?
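As an added example (not code from the question), the script below rebuilds the server's verification decision with openssl(1): it generates a throwaway Root -> Intermediate -> client chain and checks the chain the client would present against different trust-store contents, including the root+intermediate bundle and the `VERIFY_X509_PARTIAL_CHAIN` case mentioned above. It assumes `openssl` is on PATH; every file name and subject is constructed for the demo.

```shell
# Build a root CA, an intermediate CA and a client certificate under "$1".
make_chain() {
  d=$1; mkdir -p "$d"
  # Explicit req config so the root gets CA:TRUE regardless of the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Demo Root\n' > "$d/req.cnf"
  printf '[v3ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$d/req.cnf"
  # Same CA extensions as a plain extfile, used when signing the intermediate
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 -config "$d/req.cnf" -extensions v3ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.crt" -days 1 2>/dev/null
  openssl req -new -config "$d/req.cnf" -subj "/CN=Demo Intermediate" -newkey rsa:2048 \
    -nodes -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/int.crt" -days 1 2>/dev/null
  openssl req -new -config "$d/req.cnf" -subj "/CN=demo-client" -newkey rsa:2048 \
    -nodes -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/client.crt" -days 1 2>/dev/null
  # What the client presents when client.crt holds leaf + intermediate + root
  cat "$d/client.crt" "$d/int.crt" "$d/root.crt" > "$d/presented.pem"
  # Trust store shaped like the question's CA file: root + intermediate
  cat "$d/root.crt" "$d/int.crt" > "$d/ca-bundle.crt"
}

# Validate the presented chain against a trust store the way the server does.
# $1 = chain dir, $2 = CA file, $3 = "partial" emulates ssl.VERIFY_X509_PARTIAL_CHAIN
server_verify() {
  flag=; if [ "${3:-}" = partial ]; then flag=-partial_chain; fi
  openssl verify $flag -CAfile "$2" -untrusted "$1/presented.pem" "$1/client.crt"
}

# Demo run: the second case is the one expected to fail, so it is kept visible with "|| true"
demo() {
  D=$(mktemp -d); make_chain "$D"
  echo "store = root + intermediate:"; server_verify "$D" "$D/ca-bundle.crt"
  echo "store = intermediate only, no partial chain:"; server_verify "$D" "$D/int.crt" || true
  echo "store = intermediate only, partial chain:"; server_verify "$D" "$D/int.crt" partial
  rm -rf "$D"
}
demo
```

The middle case reproduces the "self-signed certificate in certificate chain" outcome: the chain builds up to a root the verifier does not hold, so the handshake is rejected even though every signature is valid.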