0

I have a simple example of a Python (3.6) Tornado (4.5.2) server and I am attempting to add ssl certs for testing. I have determined it is finding the key and csr files. Here is what my code looks like with a stack trace following detailing the error. Has anyone run into this or solved it?

```python
import tornado.httpserver
import tornado.ioloop
import tornado.web


class indexHandler(tornado.web.RequestHandler):

    def get(self):
        self.write("hello")


application = tornado.web.Application([
    (r'/', indexHandler),
])

if __name__ == '__main__':
    http_server = tornado.httpserver.HTTPServer(application, ssl_options={
        "certfile": "cert/ig.csr",
        "keyfile": "cert/ig.key",
    })
    http_server.listen(443)
    tornado.ioloop.IOLoop.instance().start()
```

Running on Python 3.6.4 and the server runs but when the page is accessed as https://localhost, it throws the following exception. What am I missing?

```
ERROR:asyncio:Exception in callback BaseAsyncIOLoop._handle_events(5, 1)
handle: <Handle BaseAsyncIOLoop._handle_events(5, 1)>

Traceback (most recent call last):
  File "/<python path>/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/<python path>/site-packages/tornado/platform/asyncio.py", line 102, in _handle_events
    handler_func(fileobj, events)
  File "/<python path>/site-packages/tornado/stack_context.py", line 276, in null_wrapper
    return fn(*args, **kwargs)
  File "/<python path>/site-packages/tornado/netutil.py", line 252, in accept_handler
    callback(connection, address)
  File "/<python path>/site-packages/tornado/tcpserver.py", line 264, in _handle_connection
    do_handshake_on_connect=False)
  File "/<python path>/site-packages/tornado/netutil.py", line 551, in ssl_wrap_socket
    context = ssl_options_to_context(ssl_options)
  File "/<python path>/site-packages/tornado/netutil.py", line 526, in ssl_options_to_context
    context.load_cert_chain(ssl_options['certfile'], ssl_options.get('keyfile', None))
ssl.SSLError: [SSL] PEM lib (_ssl.c:3337)
```

In the above error message, `/<python path>/` is equal to:

"/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/"
xyres
RandallShanePhD
  • Is the keyfile in PEM format? It's not particularly related to Tornado as the error is raised by `ssl` library, possibly because the key is not matching the certificate or it's in a different format. Here's a very [similar question](https://stackoverflow.com/questions/30109449/what-does-sslerror-ssl-pem-lib-ssl-c2532-mean-using-the-python-ssl-libr). – xyres Apr 09 '18 at 17:53
  • Hello xyres - the keyfile is not in PEM format (I think that is AWS). thx – RandallShanePhD Apr 09 '18 at 23:05

2 Answers

1

It's because the signature of your certificate and the key don't match.

Root
0

OK - I found it!! There are several online resources for determining if your certificate file and key match. I used THIS and they did not match. A quick call to Comodo (cert was thru Namecheap and then thru them) and they fixed it.

Lesson: Validate the key and certificate first!

RandallShanePhD
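An added example (not from the question or either answer) of the pre-flight check the lesson above calls for: it reads the PEM block labels of both files, then passes them to `ssl.SSLContext.load_cert_chain`, the call that raises in the traceback. The function names and the sample files written by `demo()` are constructed for illustration.

```python
import os
import re
import ssl
import sys
import tempfile

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_labels(path):
    """Return the PEM block labels in a file, e.g. ['CERTIFICATE'] ([] for DER)."""
    with open(path, "rb") as fh:
        return [m.decode("ascii") for m in PEM_LABEL.findall(fh.read())]


def check_pair(certfile, keyfile):
    """Return a list of problems; an empty list means ssl accepted the pair."""
    cert_labels, key_labels = pem_labels(certfile), pem_labels(keyfile)
    problems = []
    if not any(label.endswith("CERTIFICATE") for label in cert_labels):
        found = ", ".join(cert_labels) or "no PEM block"
        problems.append(f"{certfile}: expected a CERTIFICATE block, found {found}")
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        found = ", ".join(key_labels) or "no PEM block"
        problems.append(f"{keyfile}: expected a PRIVATE KEY block, found {found}")
    if problems:
        return problems
    # Same call Tornado makes (see traceback); fails on bad PEM or a mismatched key.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        context.load_cert_chain(certfile, keyfile)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"load_cert_chain rejected the pair: {exc}")
    return problems


def demo():
    """Run check_pair on constructed files: a CSR block where a cert is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = os.path.join(tmp, "sample.csr"), os.path.join(tmp, "sample.key")
        for path, label in ((cert, "CERTIFICATE REQUEST"), (key, "PRIVATE KEY")):
            with open(path, "w") as fh:  # constructed placeholder body, not real keys
                fh.write(f"-----BEGIN {label}-----\nQUJD\n-----END {label}-----\n")
        return check_pair(cert, key)


if __name__ == "__main__":
    issues = check_pair(*sys.argv[1:3]) if len(sys.argv) >= 3 else demo()
    print("\n".join(issues) if issues else "certificate and key load as a pair")
    sys.exit(1 if issues else 0)
```

Run it with the certificate and key paths as arguments before starting the server; an exit status of 0 means `ssl` loaded the two files as a matching pair.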