
Looking for a quick way to serve an API over HTTPS for testing purposes. The API app is created using Flask and is being served on port 443 using gunicorn.

gunicorn --certfile=server.crt --keyfile=server.key --bind 0.0.0.0:443 wsgi:app

When my React app (served over HTTPS) sends a POST request to one of the routes via HTTPS, the browser console is showing

POST https://1.2.3.4/foo net::ERR_CERT_AUTHORITY_INVALID

My key and certs are created using

openssl genrsa -aes128 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -days 365 -key server.key -out server.csr
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Is there a solution to solve ERR_CERT_AUTHORITY_INVALID raised by the browser, without using a reverse proxy like nginx/caddy? And without each user having to manually trust the self-signed cert?

2 Answers


  1. Your browser/computer/device needs to trust the certificate presented by gunicorn…
    You should add the hostname of your PC in the certificate (Common Name or Subject Alternative Name) and add the certificate to your trusted list of certificates.

  2. I ran into a similar problem recently on Firefox creating the cert using OpenSSL.
    I opted for an alternative solution using mkcert:

    sudo apt install libnss3-tools
    sudo apt install mkcert
    wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
    sudo cp mkcert-v1.4.4-linux-amd64 /usr/local/bin/mkcert
    sudo chmod +x /usr/local/bin/mkcert
    mkcert -install
    mkcert test.example.com '*.test.example.com' localhost 127.0.0.1 ::1
    

    You’ll want to modify /etc/hosts to include test.example.com:

    127.0.0.1       localhost test.example.com
    

    Don’t forget to log out and log back in to pick up the changes in hosts.

    If Firefox still complains, go to Settings -> Privacy/Security and open View Certificates.
    Under the Servers tab, add an exception for https://test.example.com:(port #) and select Get Certificate,
    then Confirm Security Exception.

    Now fire up gunicorn using the PEM format files generated by mkcert.
    In my case it was something like…

    gunicorn --certfile test.example.com+4.pem --keyfile test.example.com+4-key.pem
    

    Your cert should be accepted now.

    Each member of our team has to set this up locally. (Specifically, we use an installer script to build the dev project, but the dev is responsible for installing the cert in the browser of their choosing.)
    For us it was a small inconvenience for the payoff.

    If this doesn’t suit your needs then unfortunately yes, you might have to opt for an alternative such as Caddy or nginx to reverse-proxy your requests. But you’d still have to supply a certificate using some version of the example above or via tools like certbot etc.

    I’d recommend a pre-configured Docker container, or a custom installer script if you’re working on a team-based project.

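Both answers come down to the same thing: a server certificate that names the host in its Subject Alternative Names and is issued by a CA the browser already trusts. The script below is an added example (not posted by either answerer, and not mkcert's own code) that builds exactly that with plain openssl, so you can see what mkcert does under the hood and why the question's single self-signed cert (CN only, no SAN, no trusted issuer) is rejected. The host name, the CA label and the output directory are constructed for the example.

```shell
#!/bin/sh
# Added example: a throwaway local CA plus a SAN-bearing server certificate
# for gunicorn. ca.crt is the one file to import into the browser/OS trust
# store; server.crt/server.key go to --certfile/--keyfile. Names are made up.
set -e

make_local_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # 1. Local CA: the single certificate a developer trusts once
  #    (this is the step `mkcert -install` automates).
  openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Local Dev CA (example)" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR for gunicorn.
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. Sign it with the CA, adding the SANs browsers actually match against
  #    (Chrome ignores the Common Name entirely).
  printf 'subjectAltName = DNS:%s, DNS:localhost, IP:127.0.0.1\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when the leaf chains to ca.crt and names $host in its SANs, which
# is the same decision a browser that trusts ca.crt will make.
check_local_pki() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
}

# Stand-alone usage: sh make_dev_pki.sh ./devcerts test.example.com
if [ $# -eq 2 ]; then
  make_local_pki "$1" "$2" && check_local_pki "$1" "$2" &&
    echo "gunicorn --certfile $1/server.crt --keyfile $1/server.key --bind 0.0.0.0:443 wsgi:app"
fi
```

Each developer still imports ca.crt once, as in answer 2; what changes is that the leaf can be regenerated or extended with new names at any time without touching the trust store again.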