For a start, the value given to --server-name should be a fully qualified host name matching what you used to create the certificate. What you are using is invalid and the source of the error:

    [Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name

Your locale setting is also wrong. You have:

    LC_ALL=en_US.UTF-

and are missing the '8' at the end. This is the source of the error:

    /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-)

The main problem though is that the specific recipe you are following is for when you want to require a client certificate be used with a site. It is not the correct way of doing things for a general public web site. It is for where you specifically want users accessing it to have to have the client certificate. Right now you aren't using the client side certificate, which is why you probably get the errors.

Graham

> On 1 Apr 2021, at 4:36 am, Kaushik Ramnath Ganesan <[email protected]> wrote:
>
> I have a problem using SSL certificate in a dockerized Django application. I used the commands given by Graham to create SSL certificates in https://gist.github.com/GrahamDumpleton/b79d336569054882679e. I copied these certificates and pasted those files in a folder called "ssl_certs". If I run the docker now using the below commands I get "Post-Handshake Authentication" error when I call https://localhost:8443/.
>
> 1. How to resolve this error?
> 2. Is there any way to create an SSL certificate using Dockerfile commands in Dockerfile and make Django use these certificates after I build and run the docker container?
>
> Docker build and run commands:
> 1. Build command: docker build -t ssl-api .
> 2. Run command: docker run -it -p 8443:8443 ssl-api
>
> Dockerfile:
> FROM python:3
>
> RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen
> ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-
> COPY ./requirements.txt /requirements.txt
> RUN pip install --no-cache-dir -r /requirements.txt
> WORKDIR /opt/app-root
> COPY . /opt/app-root
>
> EXPOSE 8443
>
> CMD ["mod_wsgi-express", "start-server", "--threads", "20", "--processes", "5", "--user", "www-data", "--group", "www-data", "--log-to-terminal", "/opt/app-root/mysite/wsgi.py", "--startup-log", "--https-port", "8443", "--https-only", "--server-name", "Kaushik", "--allow-localhost", "--ssl-certificate-file", "/opt/app-root/ssl_certs/server.crt", "--ssl-certificate-key-file", "/opt/app-root/ssl_certs/server.key", "--ssl-ca-certificate-file", "/opt/app-root/ssl_certs/ca.crt"]
>
> LOGS:
> Server URL         : http://Kaushik:8000/
> Server URL (HTTPS) : https://Kaushik:8443/
> Server Root        : /tmp/mod_wsgi-localhost:8000:0
> Server Conf        : /tmp/mod_wsgi-localhost:8000:0/httpd.conf
> Error Log File     : /dev/stderr (warn)
> Startup Log File   : /dev/stderr
> Request Capacity   : 100 (5 processes * 20 threads)
> Request Timeout    : 60 (seconds)
> Startup Timeout    : 15 (seconds)
> Queue Backlog      : 100 (connections)
> Queue Timeout      : 45 (seconds)
> Server Capacity    : 170 (event/worker), 160 (prefork)
> Server Backlog     : 500 (connections)
> Locale Setting     : en_US.UTF-8
> /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-)
> [Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
> [Wed Mar 31 17:32:28.663192 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
> [Wed Mar 31 17:32:28.664060 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
> [Wed Mar 31 17:32:28.665207 2021] [mpm_event:notice] [pid 1:tid 139700681196672] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 OpenSSL/1.1.1d configured -- resuming normal operations
> [Wed Mar 31 17:32:28.665241 2021] [core:notice] [pid 1:tid 139700681196672] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_VERIFY_CLIENT -D MOD_WSGI_HTTPS_ONLY -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND'
> [Wed Mar 31 17:32:33.221933 2021] [ssl:error] [pid 15:tid 139700669671168] [client 172.17.0.1:39750] AH10129: verify client post handshake
> [Wed Mar 31 17:32:33.221977 2021] [ssl:error] [pid 15:tid 139700669671168] [client 172.17.0.1:39750] AH10158: cannot perform post-handshake authentication
> [Wed Mar 31 17:32:33.222028 2021] [ssl:error] [pid 15:tid 139700669671168] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
> [Wed Mar 31 17:32:33.383493 2021] [ssl:error] [pid 15:tid 139700669138688] [client 172.17.0.1:39762] AH10129: verify client post handshake, referer: https://localhost:8443/
> [Wed Mar 31 17:32:33.383556 2021] [ssl:error] [pid 15:tid 139700669138688] [client 172.17.0.1:39762] AH10158: cannot perform post-handshake authentication, referer: https://localhost:8443/
> [Wed Mar 31 17:32:33.383606 2021] [ssl:error] [pid 15:tid 139700669138688] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
>
> --
> You received this message because you are subscribed to the Google Groups "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/5ad0acbf-a933-4aa5-b7d9-002a8858103bn%40googlegroups.com <https://groups.google.com/d/msgid/modwsgi/5ad0acbf-a933-4aa5-b7d9-002a8858103bn%40googlegroups.com?utm_medium=email&utm_source=footer>.
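
Added example (not from either message above and not code from the mod_wsgi project): generating a self-signed certificate for the name passed to --server-name, checking the match that AH01909 reports, and starting mod_wsgi-express without --ssl-ca-certificate-file, the option that accompanies -D MOD_WSGI_VERIFY_CLIENT in the startup log above. The function names, the host name app.example.test, the directory layout, key size and 30-day lifetime are assumptions; a self-signed certificate is for local testing only.

```shell
#!/bin/sh
# Added example. Function names, paths and certificate parameters are
# assumptions, not taken from the thread.

# Create a self-signed server certificate whose CN and subjectAltName
# are the host name that will later be given to --server-name.
make_cert() {  # usage: make_cert HOST DIR
    host=$1; dir=$2
    mkdir -p "$dir" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null &&
    chmod 600 "$dir/server.key"   # private key readable by owner only
}

# Succeed only if the certificate carries an ID matching HOST. This is
# the condition the AH01909 warning reports as not met.
cert_matches() {  # usage: cert_matches HOST CERT
    openssl x509 -in "$2" -noout -checkhost "$1" | grep -q 'does match'
}

# Start mod_wsgi-express for server-side HTTPS only. No
# --ssl-ca-certificate-file is passed, so browsers are not asked for a
# client certificate. Refuses to start when name and certificate differ.
start_server() {  # usage: start_server HOST DIR WSGI_SCRIPT
    cert_matches "$1" "$2/server.crt" || {
        echo "certificate in $2 does not match server name $1" >&2
        return 1
    }
    exec mod_wsgi-express start-server "$3" --log-to-terminal \
        --https-port 8443 --https-only --server-name "$1" \
        --ssl-certificate-file "$2/server.crt" \
        --ssl-certificate-key-file "$2/server.key"
}

# Typical use (constructed values):
#   make_cert app.example.test /opt/app-root/ssl_certs
#   start_server app.example.test /opt/app-root/ssl_certs \
#       /opt/app-root/mysite/wsgi.py
```

Running make_cert in a Dockerfile RUN step stores the private key in an image layer, so anyone who can pull the image can read it; generating the key at container start or mounting it at run time avoids that.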
