
I want to run a Python webserver on Linux (RedHat or CentOS) using https. I got an (internal) certificate, and obtained the requisite intermediate and root certificates. I cat'd them all into a single file, server.pem.

Here’s my code:

    import ssl
    import BaseHTTPServer
    import SimpleHTTPServer

    # Plain HTTP server first; its listening socket is then wrapped with TLS.
    httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
    cf = '/home/degenaro/workspace/certs/server.pem'  # server cert, chain and key concatenated
    httpd.socket = ssl.wrap_socket(httpd.socket, certfile=cf, server_side=True)
    httpd.serve_forever()

Here’s the result:

    Traceback (most recent call last):
      File "/home/degenaro/workspace/web.py", line 66, in <module>
        main()
      File "/home/degenaro/workspace/web.py", line 56, in main
        httpd.socket = ssl.wrap_socket (httpd.socket, certfile=cf, server_side=True)
      File "/usr/lib64/python2.7/ssl.py", line 934, in wrap_socket
        ciphers=ciphers)
      File "/usr/lib64/python2.7/ssl.py", line 547, in __init__
        self._context.load_cert_chain(certfile, keyfile)
    ssl.SSLError: [PEM] ASN1 lib (_ssl.c:2574)

What did I do wrong?


Answers


  1. This error is saying that SSL_CTX_check_private_key failed; thus, the private key is not correct.

    Make sure that:

    • your keys are correct;
    • the permissions on the private key are 600;
    • your port is open and the cert server is available.
  2. First of all, it would help if you could provide the release versions of the Python you are using as well as the OpenSSL library it uses.

    It seems that the error is in the format of the .pem file. Does it have the following structure? (as described here)

    -----BEGIN CERTIFICATE-----
    ... (certificate for your server)...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... (the certificate for the CA)...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... (the root certificate for the CA's issuer)...
    -----END CERTIFICATE-----
    

    Also, from the comments I gather that the server certificate is invalid, perhaps due to wrong encoding. Please try:

    openssl x509 -inform DER -in [current_server_cert.pem] -out [new_server_cert.pem]

    (as shown here)

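Two things worth checking before guessing at the bundle. In OpenSSL, the reason code shown here, "ASN1 lib" under the PEM library (PEM_R_ASN1_LIB), is raised by PEM_ASN1_read_bio when a block's base64 body decoded fine but the DER inside did not parse as the structure its BEGIN label names, so the problem is the content of some block rather than the file being plain DER throughout. And the layout in the answer above contains only certificates: `ssl.wrap_socket(certfile=cf)` with no `keyfile=` calls `load_cert_chain(certfile, None)`, which expects the server's private key in the same file, with the server's own certificate as the first CERTIFICATE block and the chain after it. The script below is an added example, not code from the original post or from either answer. It is written for Python 3 with only the standard library, splits a bundle into PEM blocks, checks each block's base64 and ASN.1 SEQUENCE tag, flags a missing PRIVATE KEY block or a DER file, and then asks OpenSSL itself via `SSLContext.load_cert_chain()`. The sample bundles (`CERTS_ONLY`, `KEY_AND_CERT`, `BAD_BASE64`) are constructed from a five-byte fake ASN.1 SEQUENCE, not real keys or certificates, so OpenSSL is expected to reject even the one whose shape is right.

```python
"""Check a concatenated PEM bundle before handing it to the ssl module.

Added example (not from the original post). Assumes Python 3; the OpenSSL call
that failed in the question, load_cert_chain(), is the same one used here.
"""
import base64
import binascii
import os
import re
import ssl
import tempfile

# One PEM block: matching BEGIN/END labels around a base64 body (CRLF tolerated).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def inspect_bundle(data):
    """Return a list of problems found in the bundle bytes (empty list = shape looks right)."""
    problems = []
    if not data.lstrip().startswith(b"-----BEGIN "):
        if data[:1] == b"\x30":
            # 0x30 is the ASN.1 SEQUENCE tag: the file is DER, not PEM.
            problems.append(
                "file is DER, not PEM: convert with "
                "'openssl x509 -inform DER -in server.der -out server.pem'"
            )
        else:
            problems.append("no '-----BEGIN' header at the start of the file")
        return problems

    blocks = list(PEM_BLOCK.finditer(data))
    begins = data.count(b"-----BEGIN ")
    if begins != len(blocks):
        problems.append(
            "%d BEGIN lines but %d well-formed blocks: a BEGIN/END label pair "
            "does not match or an END line is missing" % (begins, len(blocks))
        )

    labels = []
    for n, m in enumerate(blocks, 1):
        label = m.group(1).decode()
        labels.append(label)
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except binascii.Error:
            problems.append("block %d (%s): body is not valid base64" % (n, label))
            continue
        if der[:1] != b"\x30":
            # Every X.509 certificate and private-key structure is an ASN.1 SEQUENCE.
            problems.append("block %d (%s): decoded bytes are not an ASN.1 SEQUENCE" % (n, label))

    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append(
            "no PRIVATE KEY block: load_cert_chain(certfile) with no keyfile "
            "expects the server's private key in the same file"
        )
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    return problems


def load_chain(path):
    """Ask OpenSSL: return its error text, or None if the chain and key loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)  # server cert first, then chain, key anywhere in the file
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        return str(e)
    return None


def check_bundle(data):
    """Run both checks on in-memory bundle bytes; OpenSSL needs a file, so a temp one is used."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return inspect_bundle(data), load_chain(path)
    finally:
        os.unlink(path)


def check_file(path):
    """The diagnostic to run on a real server.pem."""
    with open(path, "rb") as f:
        return check_bundle(f.read())


# Constructed sample inputs (not real keys or certificates): a minimal ASN.1
# SEQUENCE stands in for DER so the base64/tag checks have something to decode.
FAKE_DER = b"\x30\x03\x02\x01\x05"
FAKE_B64 = base64.encodebytes(FAKE_DER)


def pem(label, body=FAKE_B64):
    return b"-----BEGIN " + label + b"-----\n" + body + b"-----END " + label + b"-----\n"


CERTS_ONLY = pem(b"CERTIFICATE") + pem(b"CERTIFICATE")
KEY_AND_CERT = pem(b"CERTIFICATE") + pem(b"CERTIFICATE") + pem(b"PRIVATE KEY")
BAD_BASE64 = pem(b"CERTIFICATE", b"not*base64!\n") + pem(b"PRIVATE KEY")

if __name__ == "__main__":
    for name, data in [("certs only", CERTS_ONLY), ("DER file", FAKE_DER), ("bad base64", BAD_BASE64)]:
        shape, err = check_bundle(data)
        print("%-10s shape problems: %s" % (name, shape or "none"))
        print("%-10s OpenSSL says:   %s" % ("", err or "loaded OK"))
```

Point it at the real file with `check_file('/home/degenaro/workspace/certs/server.pem')`: an empty shape list plus an OpenSSL error narrows the fault to the content of a block (for example a key or certificate that was base64-wrapped from something other than its own DER), while a non-empty list names the block. The `SSLContext` built in `load_chain` is also the idiomatic way to wire the server on current Python, `ctx.wrap_socket(httpd.socket, server_side=True)` after `load_cert_chain`, since the module-level `ssl.wrap_socket` used in the question was removed in Python 3.12.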