1

I am trying to get my Flask Peewee app to work over SSL. I purchased an SSL cert and proved it was good by installing it under Apache.

I copied the code from the docs as follows:

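```python
from OpenSSL import SSL

context = SSL.Context(SSL.SSLv3_METHOD)
context.use_privatekey_file('/etc/ssl/ssl.key/private.key')
# Loads a single certificate file; no intermediate certificates are added here.
context.use_certificate_file('/etc/ssl/ssl.crt/secure_enclude_ie.crt')
# app is the Flask application object created elsewhere in the project.
app.run(host='0.0.0.0', port=5001, debug=True, ssl_context=context)
```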

When I run the app and check the response to a REST request, it looks fine in Firefox, but when I test it using the SSL tester at Digicert.com, it says the SSL cert is untrusted because it is not signed by a trusted authority.

Trying this in Salesforce (which is the point of the exercise) gives me a similar result. I am assuming that I need some way to tell Flask where the root certs are on my server. Any ideas?

Eamon
  • I suspect that you need to include (parts of) the certificate chain as a PEM file using `use_certificate_chain_file(file)`. I sadly don't have a chance to test, but concatenating all intermediate cert PEM files (should be available from where you bought the cert) and passing the file to that function should set things up. – Joachim Isaksson Aug 02 '13 at 12:46
  • The seller gave me two .crt files, for the intermediate and root certs. I combined these into a PEM file using: `cat AddTrustExternalCARoot.crt COMODOSSLCA.crt > enclude.pem` – Eamon Aug 02 '13 at 13:08
  • But I get an error: `OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]` Is there more to creating a PEM file? – Eamon Aug 02 '13 at 13:10
  • There _may_ be, take a look [here](http://stackoverflow.com/a/991772/477878). – Joachim Isaksson Aug 02 '13 at 13:12
  • That's what gave me the idea to use cat to produce the PEM file. I tried various combinations of the .crt files into .pem files, but I still get the same error. – Eamon Aug 02 '13 at 15:34
  • Sorry, without analyzing the cert, I can't really tell much more than that :) Maybe someone with more actual Flask experience has an idea, I've only used that library with brand certs that worked out of the box. – Joachim Isaksson Aug 02 '13 at 15:36
  • Got it - I needed to put the cert I purchased, the intermediate cert and the root cert into the PEM file, as described here: https://support.commfides.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=45 Thanks for the help – Eamon Aug 03 '13 at 14:34

2 Answers

0

Joachim's comment provided the clue, but I can't see how to mark his comment as the answer.

Eamon
0

I suspect that you need to include (parts of) the certificate chain as a PEM file using `use_certificate_chain_file(file)`.

Concatenating all intermediate cert PEM files (should be available from where you bought the cert) and passing the file to that function should set things up.

Joachim Isaksson
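Added example, not part of the original thread: a pre-flight check for the bundle handed to `use_certificate_chain_file`, confirming that the first certificate matches the private key (the condition behind the "key values mismatch" error in the comments) and that each certificate names the next one as its issuer. It assumes the `cryptography` package is installed; `check_bundle`, `demo` and the certificate names are made up here, and the sample chain is generated in memory so it runs offline.

```python
# Added example: check a PEM bundle before use_certificate_chain_file(). Needs 'cryptography'.
import datetime
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM, DER = serialization.Encoding.PEM, serialization.Encoding.DER

def _spki(public_key):  # DER SubjectPublicKeyInfo, comparable byte-for-byte
    return public_key.public_bytes(DER, serialization.PublicFormat.SubjectPublicKeyInfo)

def check_bundle(bundle_pem, key_pem):
    """Return a list of problems (empty = OK). Checks issuer names only, not signatures."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", bundle_pem, re.S)
    certs = [x509.load_pem_x509_certificate(b) for b in blocks]
    key = serialization.load_pem_private_key(key_pem, password=None)
    if not certs:
        return ["no certificates found in bundle"]
    problems = []
    if _spki(certs[0].public_key()) != _spki(key.public_key()):
        problems.append("first certificate does not match the private key")
    for i, (child, parent) in enumerate(zip(certs, certs[1:])):
        if child.issuer != parent.subject:
            problems.append("certificate %d is not issued by certificate %d" % (i, i + 1))
    return problems

def _cert(cn, key, issuer_cn, issuer_key):
    # Constructed test certificate; names and validity dates are made up.
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=30)))
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(PEM)

def demo():
    root_k, inter_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Example Root", root_k, "Example Root", root_k)
    inter = _cert("Example Intermediate", inter_k, "Example Root", root_k)
    leaf = _cert("app.example.test", leaf_k, "Example Intermediate", inter_k)
    key_pem = leaf_k.private_bytes(PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    return {"root+intermediate": check_bundle(root + inter, key_pem),  # bundle from the comments
            "leaf+intermediate+root": check_bundle(leaf + inter + root, key_pem)}

if __name__ == "__main__":
    for bundle, problems in demo().items():
        print(bundle, "->", problems or "OK")
```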