Using certificates with CherryPy 3.2?


#1

Hello,

I’ve created a certificate and managed to serve HTTPS from nginx using it, but when I try to use the certificate with CherryPy 3.2.2-4ubuntu5 (Ubuntu 14.04 dpkg), I get:

[02/Jan/2016:00:15:48] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 1837, in start
    self.tick()
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 1902, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/ssl_builtin.py", line 52, in wrap
    keyfile=self.private_key, ssl_version=ssl.PROTOCOL_SSLv23)
  File "/usr/lib/python2.7/ssl.py", line 487, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 241, in __init__
    ciphers)
SSLError: [Errno 336265225] _ssl.c:355: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

The configuration is done with:
cherrypy.server.ssl_module = 'builtin'
cherrypy.server.ssl_certificate = '/etc/letsencrypt/live/www.example.com/cert.pem'
cherrypy.server.ssl_certificate_key = '/etc/letsencrypt/live/www.example.com/privkey.pem'
cherrypy.server.ssl_certificate_chain = '/etc/letsencrypt/live/www.example.com/chain.pem'

(www.example.com of course is a placeholder for my real server name).

Before that I tried to use fullcert.pem without the separate chain.pem, but got the same error.

Reference:
CherryPy SSL: http://docs.cherrypy.org/en/latest/deploy.html#ssl

What am I doing wrong?


#2

I don’t use CherryPy, but looking at the documentation it says to use:

cherrypy.server.ssl_certificate = "cert.pem"
cherrypy.server.ssl_private_key = "privkey.pem"
cherrypy.server.ssl_certificate_chain = "certchain.pem"

In your example above you are using:

cherrypy.server.ssl_certificate = '/etc/letsencrypt/live/www.example.com/cert.pem'
cherrypy.server.ssl_certificate_key = '/etc/letsencrypt/live/www.example.com/privkey.pem'
cherrypy.server.ssl_certificate_chain = '/etc/letsencrypt/live/www.example.com/chain.pem'

Note the difference between "ssl_private_key" and "ssl_certificate_key".
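The attribute name also accounts for the first traceback in the thread, and for why CherryPy did not complain about it: cherrypy.server.ssl_certificate_key is not an attribute the server reads, so ssl_private_key kept its default of None, and Python's ssl.wrap_socket (the keyfile=self.private_key frame in the traceback) then documents that with keyfile=None the private key is taken from certfile, which holds only the certificate; OpenSSL reports that as SSL_CTX_use_PrivateKey_file:PEM lib. The pre-flight check below is an added example and is neither CherryPy's code nor anyone's in this thread. It validates a CherryPy-style SSL configuration before the server is started, using the same stdlib ssl module the 'builtin' adapter wraps sockets with, so a wrong attribute name, a missing file or an unparsable PEM is reported up front instead of at the first connection. The names check_ssl_config, KNOWN_KEYS, REQUIRED_KEYS and demo are this example's own; the PEM files demo writes are constructed placeholders, not real certificates; and loading ssl_certificate_chain with load_verify_locations is only used here to confirm the file parses as a PEM bundle, not to mirror what CherryPy 3.2 does with that attribute.

```python
"""Pre-flight check for a CherryPy 'builtin' SSL configuration.

Added example, not CherryPy's code. Setting names are the ones the
CherryPy deploy guide documents for cherrypy.server; the helper names
are this example's own, and the PEM content in demo() is constructed.
"""
import os
import ssl
import tempfile

# cherrypy.server attributes the deploy guide documents for SSL.
KNOWN_KEYS = {"ssl_module", "ssl_certificate", "ssl_private_key",
              "ssl_certificate_chain"}
# Without both of these, wrap_socket looks for the key inside certfile.
REQUIRED_KEYS = {"ssl_certificate", "ssl_private_key"}
FILE_KEYS = ("ssl_certificate", "ssl_private_key", "ssl_certificate_chain")


def check_ssl_config(cfg):
    """Return a list of human-readable problems; an empty list means OK.

    cfg maps setting names (without the 'cherrypy.server.' prefix) to values.
    """
    problems = []
    for key in cfg:
        if key not in KNOWN_KEYS:
            # An unknown attribute is silently ignored by CherryPy, which is
            # exactly how ssl_certificate_key slipped through in the post.
            hint = " (did you mean ssl_private_key?)" if "key" in key else ""
            problems.append("unknown setting %r%s" % (key, hint))
    for key in sorted(REQUIRED_KEYS):
        if key not in cfg:
            problems.append("missing required setting %r" % key)
    for key in FILE_KEYS:
        path = cfg.get(key)
        if path is not None and not os.path.isfile(path):
            problems.append("%s: file not found: %s" % (key, path))
    if problems:
        return problems

    # Load the pair the way the server will, so a bad, truncated or mismatched
    # PEM fails here rather than inside HTTPServer.tick on the first client.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cfg["ssl_certificate"],
                            keyfile=cfg["ssl_private_key"])
        chain = cfg.get("ssl_certificate_chain")
        if chain:
            # Only a parse check: confirms chain.pem is a readable PEM bundle.
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=chain)
    except ssl.SSLError as exc:
        problems.append("OpenSSL rejected the certificate/key: %s" % exc)
    return problems


def demo():
    """Run the check on the post's misconfiguration and on the corrected names.

    The files written here are constructed placeholders, not certificates, so
    the corrected configuration exercises OpenSSL's PEM parsing failure path.
    """
    workdir = tempfile.mkdtemp()
    cert = os.path.join(workdir, "cert.pem")
    key = os.path.join(workdir, "privkey.pem")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nnot a real certificate\n"
                 "-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nnot a real key\n"
                 "-----END PRIVATE KEY-----\n")
    # Post #1's shape: the key path is under an attribute CherryPy never reads.
    typo_cfg = {"ssl_module": "builtin", "ssl_certificate": cert,
                "ssl_certificate_key": key}
    # Same files under the documented attribute names.
    fixed_cfg = {"ssl_module": "builtin", "ssl_certificate": cert,
                 "ssl_private_key": key}
    return {"typo": check_ssl_config(typo_cfg),
            "fixed": check_ssl_config(fixed_cfg)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, "->", found or "OK")
```

Run it against the real paths before starting the server (as the user the server runs as, so permission problems on /etc/letsencrypt/live/... show up too); the typo case reports both the unknown attribute and the missing ssl_private_key, while the placeholder files under the correct names are rejected by OpenSSL with a PEM error of the same family as the one in the post.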


#3

Thanks. That’s a good catch of my PEBCAK.
I get an error after fixing it, but I think it’s more of a CherryPy/Python thing rather than specific to the Let’s Encrypt certificate:
[02/Jan/2016:10:44:06] ENGINE Serving on 0.0.0.0:443
[02/Jan/2016:10:44:06] ENGINE Bus STARTED
[02/Jan/2016:10:44:06] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 1837, in start
    self.tick()
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/wsgiserver2.py", line 1902, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/ssl_builtin.py", line 52, in wrap
    keyfile=self.private_key, ssl_version=ssl.PROTOCOL_SSLv23)
  File "/usr/lib/python2.7/ssl.py", line 487, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 243, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 2] _ssl.c:510: The operation did not complete (read)

So I’ll take this question somewhere else.

One thing which can be concluded, though, is that CherryPy’s builtin OpenSSL support doesn’t like the combined fullcert.pem file and has to be configured with the separate chain.pem.


#4

Update: following the tutorial at https://goo.gl/5doxOj, I installed CherryPy 4.0.0 in a virtualenv and now it works smoothly.