tornado TLSV1_ALERT_UNKNOWN_CA

I set up two web servers at the same time on my own laptop, each using its own self-signed SSL certificate. When a mobile device (iPad) first accesses the first web server, which runs on Tomcat, and then connects to the Tornado web server on the same IP address, this error message appears:

[W 170906 08:19:15 iostream:1327] SSL Error on 9 ('192.168.1.55', 62014): [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:661)

And it loops endlessly: the client side keeps retrying, reaching about 8 requests per second.

The solution, of course, is simply to put the web servers on different machines…


I created my own SSL certificates using the following steps:

Create the CA private key:

openssl genrsa -des3 -out servercakey.pem 

Create the CA public certificate (When you create a certificate, there must be one unique name (a Distinguished Name (DN)), which is different for each certificate that you create):

openssl req -new -x509 -key servercakey.pem -out root.crt 

Create the server’s private key file:

openssl genrsa -out server.key 

Create the server certificate request:

openssl req -new -out reqout.txt -key server.key 

Use the CA private key file to sign the server’s certificate:

openssl x509 -req -in reqout.txt -days 3650 -sha1 -CAcreateserial -CA root.crt -CAkey servercakey.pem -out server.crt 

Create the client’s private key file:

openssl genrsa -out client.key 

Create the client certificate request:

openssl req -new -out reqout.txt -key client.key 

Use the CA private key file to sign the client’s certificate:

openssl x509 -req -in reqout.txt -days 3650 -sha1 -CAcreateserial -CA root.crt -CAkey servercakey.pem -out client.crt 

Creating pem file for Server:

cat server.crt root.crt > server.pem

Many of the commands above are redundant, and the generated files are never used; Tornado only needs two of them:

 import os
 from tornado.httpserver import HTTPServer
 from tornado.options import options  # options.certificate_path points at the certificate directory

 server_https = HTTPServer(self.app, xheaders=True, ssl_options={
     "certfile": os.path.join(options.certificate_path, "server.crt"),  # server certificate signed by root.crt
     "keyfile": os.path.join(options.certificate_path, "server.key"),   # matching private key
 })
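An added example, not the post's own commands: this shell script rebuilds the two-tier chain from the steps above (CA, then server certificate, without the unused client key and certificate), then runs the trust decision the iPad makes, once against root.crt and once against an unrelated CA, the latter being the case that ends with the unknown_ca alert in Tornado's log. It assumes the OpenSSL CLI is installed and uses 192.168.1.55 from the log line as a constructed server address.

```shell
#!/bin/sh
# Added example (not the post's own commands): build the same two-tier chain,
# private CA -> server certificate, then check it the way a client does.
# Assumptions: OpenSSL CLI is installed; 192.168.1.55 (the address in the log
# line) is the server's LAN address; keys are created without a passphrase so
# the script runs unattended.
set -e

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="192.168.1.55"

make_chain() {
  cd "$WORK"
  # 1. CA private key and self-signed CA certificate (root.crt in the post)
  openssl genrsa -out servercakey.pem 2048 2>/dev/null
  openssl req -new -x509 -key servercakey.pem -out root.crt -days 3650 \
    -subj "/CN=Example Private CA" 2>/dev/null
  # 2. server private key and certificate request
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -subj "/CN=$SERVER_IP" 2>/dev/null
  # 3. sign the request with the CA; add a subjectAltName, which current clients
  #    require, and use sha256 instead of the post's sha1
  printf 'subjectAltName=IP:%s\n' "$SERVER_IP" > san.cnf
  openssl x509 -req -in server.csr -CA root.crt -CAkey servercakey.pem \
    -CAcreateserial -days 3650 -sha256 -extfile san.cnf -out server.crt 2>/dev/null
  # 4. chain file for certfile: leaf certificate first, then its issuer
  cat server.crt root.crt > server.pem
}

# Exit 0 when server.crt chains to root.crt: the decision a client makes once
# root.crt is installed in its trust store.
check_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" 2>&1 | grep -q ': OK$'
}

# Exit 0 when a client trusting only an unrelated CA rejects server.crt. That
# rejection is what the client reports back to the server as the unknown_ca
# alert (TLSV1_ALERT_UNKNOWN_CA in Tornado's log).
check_wrong_ca_rejected() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -days 1 -subj "/CN=Other Private CA" 2>/dev/null
  ! openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" 2>&1 | grep -q ': OK$'
}

make_chain
check_chain && echo "server.crt is trusted via root.crt"
check_wrong_ca_rejected && echo "server.crt is rejected by a client that trusts another CA"
```

Installing root.crt on the iPad is what turns the second check into the first; the chain file server.pem only matters when an intermediate CA sits between root.crt and server.crt.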
