I set up two web servers on my notebook at the same time, using two self-signed SSL certificates. When I use a mobile device (iPad) to first access the first web server, built with Tomcat, and then connect to the tornado web server on the same IP address, this error message is shown:
[W 170906 08:19:15 iostream:1327] SSL Error on 9 ('192.168.1.55', 62014): [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:661)
And it is an endless loop: the client side keeps retrying..., reaching about 8 requests per second.
The solution, of course, is simply to put the web servers on different machines...
I created my own certificates with the following commands:
Create the CA private key:
openssl genrsa -des3 -out servercakey.pem
Create the CA public certificate (When you create a certificate, there must be one unique name (a Distinguished Name (DN)), which is different for each certificate that you create):
openssl req -new -x509 -key servercakey.pem -out root.crt
Create the server’s private key file:
openssl genrsa -out server.key
Create the server certificate request:
openssl req -new -out reqout.txt -key server.key
Use the CA private key file to sign the server’s certificate:
openssl x509 -req -in reqout.txt -days 3650 -sha1 -CAcreateserial -CA root.crt -CAkey servercakey.pem -out server.crt
Create the client’s private key file:
openssl genrsa -out client.key
Create the client certificate request:
openssl req -new -out reqout.txt -key client.key
Use the CA private key file to sign the client’s certificate:
openssl x509 -req -in reqout.txt -days 3650 -sha1 -CAcreateserial -CA root.crt -CAkey servercakey.pem -out client.crt
Creating pem file for Server:
cat server.crt root.crt > server.pem
Many of the commands above are redundant, and the files they produce are never used; tornado only uses two of them:
import os
from tornado.httpserver import HTTPServer

# Only server.crt and server.key are needed; root.crt, server.pem and the client files are unused here.
server_https = HTTPServer(
    self.app,
    xheaders=True,
    ssl_options={
        "certfile": os.path.join(options.certificate_path, "server.crt"),
        "keyfile": os.path.join(options.certificate_path, "server.key"),
    },
)
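As an added example (not part of the original post), here is a non-interactive variant of the certificate steps above that produces only the two files tornado uses, plus a verification step. It differs from the post's commands in three ways: an explicit 2048-bit key size, SHA-256 instead of -sha1 for the signatures (iOS and current desktop browsers reject SHA-1 signed certificates), and a subjectAltName carrying the address clients connect to (browsers no longer match on the CN alone). The CA name, the 192.0.2.10 address and the output directory are constructed placeholders; the CA key is left unencrypted so the script runs unattended, where the post's -des3 step would prompt for a passphrase.

```shell
#!/bin/sh
# Added example, not the post's own procedure. Builds a lab CA and one server
# certificate with SHA-256 signatures and a SAN, then verifies the chain.
set -e

# Placeholder address of the box running both servers (constructed, TEST-NET-1).
SERVER_IP="192.0.2.10"

make_certs() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA private key. Unencrypted here so the script is non-interactive;
    #    for a CA you keep, add -aes256 and a passphrase as the post's -des3 step does.
    openssl genrsa -out "$dir/servercakey.pem" 2048 2>/dev/null

    # 2. Self-signed CA certificate. The DN is passed with -subj instead of the prompts.
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/servercakey.pem" \
        -subj "/CN=Lab Test CA (placeholder)" -out "$dir/root.crt" 2>/dev/null

    # 3. Server key and certificate request.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$SERVER_IP" \
        -out "$dir/reqout.txt" 2>/dev/null

    # 4. Extensions added at signing time: the SAN must carry the IP the
    #    iPad actually types in, and the cert is restricted to server use.
    cat > "$dir/server.ext" <<EOF
subjectAltName = IP:$SERVER_IP
extendedKeyUsage = serverAuth
EOF

    # 5. Sign the request with the CA key using SHA-256 (the post used -sha1).
    openssl x509 -req -in "$dir/reqout.txt" -days 3650 -sha256 -CAcreateserial \
        -CA "$dir/root.crt" -CAkey "$dir/servercakey.pem" \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # The only two files tornado's ssl_options reference are server.crt and server.key.
    rm -f "$dir/reqout.txt" "$dir/server.ext"
}

# Returns 0 when server.crt chains to root.crt. This is exactly the check the
# client failed when it sent the "unknown ca" alert: it did not have root.crt.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Prints the signature algorithm of the server certificate.
sig_alg() {
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# Prints the SAN line so you can confirm the address clients use is present.
san_line() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -m1 'IP Address' | sed 's/^ *//'
}
```

To make the iPad stop sending the unknown-CA alert, root.crt (not server.crt) is what has to be installed and trusted on the device; each server can then present its own certificate signed by that one CA, and the retry loop in the tornado log disappears because the handshake completes.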