ssl with self signed certificate using python


I am trying to build a simple server in python using my self signed certificate. I created .cer, .pfx, .pvk files using makecert.

import ssl

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="ServerSSL.cer")

Traceback (most recent call last):
  File "ssl_server.py", line 4, in <module>
    context.load_cert_chain(certfile="ServerSSL.cer")
ssl.SSLError: [SSL] PEM lib (_ssl.c:2580)

What did I do wrong? I also tried to convert my .cer file to .pem by changing the suffix, and I got the same error.


Solution

  • When you take a look at the original source of _ssl.c:2580 you can see that SSL_CTX_use_certificate_chain_file failed. Since neither pw_info.error nor errno is set, it's not easy to find the cause. The problem might be caused by the crt file. Open it in a text editor and check if the file looks exactly as it should - also verify the newlines. If they don't match EXACTLY, the function call will fail.

    2567:    PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
    2568:    r = SSL_CTX_use_certificate_chain_file(self->ctx, certfile_bytes);
    2569:    PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
    2570:    if (r != 1) {
    2571:        if (pw_info.error) {
    2572:            ERR_clear_error();
    2573:            /* the password callback has already set the error information */
    2574:        }
    2575:        else if (errno != 0) {
    2576:            ERR_clear_error();
    2577:            PyErr_SetFromErrno(PyExc_IOError);
    2578:        }
    2579:        else {
    2580:            _setSSLError(NULL, 0, __FILE__, __LINE__);
    2581:        }
    2582:        goto error;
    

    The documentation also says:

    The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
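A small diagnostic script, added here as an example (it is not part of the question or the answer above, and not part of CPython), that applies the two points made in the answer: load_cert_chain() accepts only PEM, and the certificate must come first in the file. A .cer written by makecert is usually DER (raw ASN.1) and a .pfx is PKCS#12, so renaming the file to .pem changes nothing; and because a .cer carries no private key, load_cert_chain(certfile=...) also fails without a keyfile. The script classifies the file bytes, lists the PEM formatting problems OpenSSL's reader trips over, and converts a DER certificate to PEM with the stdlib ssl.DER_cert_to_PEM_cert(). The two SAMPLE_* byte strings are constructed stand-ins shaped like a certificate and a PFX, not real credentials, and the script name pemcheck.py is hypothetical.

```python
"""Diagnose why ssl.SSLContext.load_cert_chain() rejects a certificate file.

load_cert_chain() reads PEM only.  A makecert .cer is normally DER and a
.pfx is PKCS#12; renaming the file does not change its encoding.  The call
also needs the private key, which a .cer never contains.
"""
import base64
import binascii
import re
import ssl
import sys

# One PEM block: "-----BEGIN X-----", base64 lines, "-----END X-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    rb"(?P<body>[A-Za-z0-9+/=\r\n]*?)"
    rb"-----END (?P=label)-----"
)

# Constructed sample inputs (not real certificates): a minimal DER SEQUENCE
# shaped like an X.509 Certificate, and one shaped like a PKCS#12 PFX.
SAMPLE_DER_CERT = b"\x30\x06\x30\x04\x02\x02\x00\x01"
SAMPLE_PFX = b"\x30\x05\x02\x01\x03\x30\x00"


def _der_length(data, pos):
    """Decode the DER length at data[pos]; return (length, offset of the content)."""
    first = data[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    nbytes = first & 0x7F                 # long form: next nbytes hold the length
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def detect_format(data):
    """Classify file bytes as 'pem', 'der-certificate', 'pkcs12' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    if len(data) > 2 and data[0] == 0x30:  # outer ASN.1 SEQUENCE
        _, inner = _der_length(data, 1)
        if inner < len(data):
            # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
            # PFX         ::= SEQUENCE { version INTEGER, ... }
            if data[inner] == 0x30:
                return "der-certificate"
            if data[inner] == 0x02:
                return "pkcs12"
    return "unknown"


def check_pem(data, have_keyfile=False):
    """Return the reasons load_cert_chain() would reject this PEM data ([] = fine)."""
    problems = []
    if data[:3] == b"\xef\xbb\xbf" or data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        problems.append("file starts with a BOM or is UTF-16: first line is not '-----BEGIN ...'")
    blocks = list(PEM_BLOCK.finditer(data))
    if not blocks:
        problems.append("no complete -----BEGIN X-----/-----END X----- block (DER or damaged file?)")
        return problems
    if blocks[0]["label"] != b"CERTIFICATE":
        problems.append("first block is not CERTIFICATE: the server certificate must come first")
    for block in blocks:
        label = block["label"].decode("ascii")
        body = block["body"]
        if any(len(line) > 64 for line in body.splitlines()):
            problems.append(f"{label}: base64 line longer than 64 characters (RFC 7468 wraps at 64)")
        try:
            raw = base64.b64decode(body)   # newlines are ignored; bad padding raises
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64 (truncated or edited?)")
            continue
        if not raw or raw[0] != 0x30:
            problems.append(f"{label}: decoded body is not an ASN.1 SEQUENCE")
    if not have_keyfile and not any(b"PRIVATE KEY" in m["label"] for m in blocks):
        problems.append("no PRIVATE KEY block and no keyfile: load_cert_chain() needs the key too")
    return problems


def to_pem(data):
    """Return PEM bytes for PEM or DER input; PKCS#12 needs 'openssl pkcs12' instead."""
    kind = detect_format(data)
    if kind == "pem":
        return data
    if kind == "der-certificate":
        return ssl.DER_cert_to_PEM_cert(data).encode("ascii")
    raise ValueError(f"cannot convert {kind} to PEM here")


def pem_to_der(pem_bytes):
    """Inverse of to_pem() for a single certificate, via the stdlib helper."""
    return ssl.PEM_cert_to_DER_cert(pem_bytes.decode("ascii"))


def diagnose_file(path, have_keyfile=False):
    """Read a certificate file and return (format, problems) for a quick report."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = detect_format(data)
    problems = check_pem(data, have_keyfile) if kind == "pem" else [f"file is {kind}, not PEM"]
    return kind, problems


if __name__ == "__main__":
    kind, problems = diagnose_file(sys.argv[1], have_keyfile=len(sys.argv) > 2)
    print(f"{sys.argv[1]}: {kind}")
    for p in problems:
        print("  -", p)
```

Running `python pemcheck.py ServerSSL.cer` on the asker's file would report "der-certificate" rather than a PEM problem. For a makecert setup the simplest route to a file load_cert_chain() accepts is to export certificate and key as a .pfx and convert that with `openssl pkcs12 -in ServerSSL.pfx -out ServerSSL.pem -nodes` (the key ends up unencrypted in the .pem, so keep its permissions tight), then call `context.load_cert_chain(certfile="ServerSSL.pem")`; check_pem() on the result should return an empty list.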