I have made the changes you have suggested above. 1. I created new certificates with the server name 127.0.0.1.nip.io. Also changed the server name in the Django API to 127.0.0.1.nip.io and the API works fine. But I still get this warning ( AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name). Should I be worried about this warning? 2. The Django API work fine without --ssl-ca-certificate-file opt/app-root/ssl_certs/ca.crt but when I include the client certificate it throws the post-handshake error. Do I have to buy an SSL certificate from valid providers like AWS or Let's encrypt to make this client certificate error go away?
For your reference: *Docker build and run commands: 1. Build command*: docker build -t ssl-api . * 2. Run command*: docker run -it -p 443:443 ssl-api *Dockerfile:* FROM python:3 RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 COPY ./requirements.txt /requirements.txt RUN pip install --no-cache-dir -r /requirements.txt WORKDIR /opt/app-root COPY . /opt/app-root EXPOSE 443 CMD ["mod_wsgi-express", "start-server","--threads","20","--processes","5","--user","www-data", "--group", "www-data","--log-to-terminal","/opt/app-root/mysite/wsgi.py","--startup-log" , "--https-port" ,"443" , "--server-name" ,"127.0.0.1.nip.io", "--allow-localhost" ,"--ssl-certificate-file" ,"/opt/app-root/ssl-certs-1/server.crt", "--ssl-certificate-key-file", "/opt/app-root/ssl-certs-1/server.key"] *LOGS:* Server URL : http://127.0.0.1.nip.io:8000/ Server URL (HTTPS) : https://127.0.0.1.nip.io/ Server Root : /tmp/mod_wsgi-localhost:8000:0 Server Conf : /tmp/mod_wsgi-localhost:8000:0/httpd.conf Error Log File : /dev/stderr (warn) Startup Log File : /dev/stderr Request Capacity : 100 (5 processes * 20 threads) Request Timeout : 60 (seconds) Startup Timeout : 15 (seconds) Queue Backlog : 100 (connections) Queue Timeout : 45 (seconds) Server Capacity : 170 (event/worker), 160 (prefork) Server Backlog : 500 (connections) Locale Setting : en_US.UTF-8 [Thu Apr 01 16:08:00.161434 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name [Thu Apr 01 16:08:00.165326 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Thu Apr 01 16:08:00.165890 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name [Thu Apr 01 16:08:00.167043 2021] [mpm_event:notice] [pid 1:tid 140009763792000] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 OpenSSL/1.1.1d configured -- resuming normal operations [Thu Apr 01 16:08:00.167074 2021] [core:notice] [pid 1:tid 140009763792000] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND' On Thursday, April 1, 2021 at 4:11:53 AM UTC+5:30 Graham Dumpleton wrote: > For a start, the value given to --server-name should be a fully qualified > host name matching what you used to create the certificate. What you are > using is invalid and the source of the error: > > [Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] > AH01909: localhost:8443:0 server certificate does NOT include an ID which > matches the server name > > Your locale setting is also wrong. You have: > > LC_ALL=en_US.UTF- > > and are missing the '8' at the end. This is the source of the error: > > /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-) > > The main problem though is that the specific recipe you are following is > for when you want to require a client certificate be used with a site. It > is not correct way of doing things for a general public web site. > > Were you specifically want users access it to have to have the client > certificate. Right now you aren't using the client side certificate and why > you probably get the errors. > > Graham > > On 1 Apr 2021, at 4:36 am, Kaushik Ramnath Ganesan <[email protected]> > wrote: > > I have a problem using SSL certificate in a dockerized Django application. > I used the commands given by Graham to create SSL certificates in > https://gist.github.com/GrahamDumpleton/b79d336569054882679e. I copied > these certificates and pasted those files in a folder called "ssl_certs". > If I run the docker now using the below commands I get " Post-Handshake > Authentication" error when I call https://localhost:8443/. > > 1. How to resolve this error? > 2. Is there any way to create an SSL certificate using Dockerfile commands > in Dockerfile and make Django use these certificates after I build and run > the docker container? > > > *Docker build and run commands: 1. Build command*: docker build -t > ssl-api . > * 2. Run command*: docker run -it -p 8443:8443 ssl-api > > *Dockerfile:* > FROM python:3 > > RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen > ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF- > COPY ./requirements.txt /requirements.txt > RUN pip install --no-cache-dir -r /requirements.txt > WORKDIR /opt/app-root > COPY . /opt/app-root > > EXPOSE 8443 > > CMD ["mod_wsgi-express", > "start-server","--threads","20","--processes","5","--user","www-data", > "--group", > "www-data","--log-to-terminal","/opt/app-root/mysite/wsgi.py","--startup-log" > , "--https-port" ,"8443" ,"--https-only" ,"--server-name" ,"Kaushik", > "--allow-localhost" ,"--ssl-certificate-file" > ,"/opt/app-root/ssl_certs/server.crt", "--ssl-certificate-key-file", > "/opt/app-root/ssl_certs/server.key" ,"--ssl-ca-certificate-file" > ,"/opt/app-root/ssl_certs/ca.crt"] > > *LOGS:* > Server URL : http://Kaushik:8000/ <http://kaushik:8000/> > Server URL (HTTPS) : https://Kaushik:8443/ <https://kaushik:8443/> > Server Root : /tmp/mod_wsgi-localhost:8000:0 > Server Conf : /tmp/mod_wsgi-localhost:8000:0/httpd.conf > Error Log File : /dev/stderr (warn) > Startup Log File : /dev/stderr > Request Capacity : 100 (5 processes * 20 threads) > Request Timeout : 60 (seconds) > Startup Timeout : 15 (seconds) > Queue Backlog : 100 (connections) > Queue Timeout : 45 (seconds) > Server Capacity : 170 (event/worker), 160 (prefork) > Server Backlog : 500 (connections) > Locale Setting : en_US.UTF-8 > /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-) > [Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] > AH01909: localhost:8443:0 server certificate does NOT include an ID which > matches the server name > [Wed Mar 31 17:32:28.663192 2021] [ssl:warn] [pid 1:tid 139700681196672] > AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] > [Wed Mar 31 17:32:28.664060 2021] [ssl:warn] [pid 1:tid 139700681196672] > AH01909: localhost:8443:0 server certificate does NOT include an ID which > matches the server name > [Wed Mar 31 17:32:28.665207 2021] [mpm_event:notice] [pid 1:tid > 139700681196672] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 > OpenSSL/1.1.1d configured -- resuming normal ope > rations > [Wed Mar 31 17:32:28.665241 2021] [core:notice] [pid 1:tid > 139700681196672] AH00094: Command line: 'apache2 (mod_wsgi-express) -f > /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr > -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_VERIFY_CLIENT > -D MOD_WSGI_HTTPS_ONLY -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS > -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE - > D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D > MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND' > [Wed Mar 31 17:32:33.221933 2021] [ssl:error] [pid 15:tid 139700669671168] > [client 172.17.0.1:39750] AH10129: verify client post handshake > [Wed Mar 31 17:32:33.221977 2021] [ssl:error] [pid 15:tid 139700669671168] > [client 172.17.0.1:39750] AH10158: cannot perform post-handshake > authentication > [Wed Mar 31 17:32:33.222028 2021] [ssl:error] [pid 15:tid 139700669671168] > SSL Library Error: error:14268117:SSL > routines:SSL_verify_client_post_handshake:extension not received > [Wed Mar 31 17:32:33.383493 2021] [ssl:error] [pid 15:tid 139700669138688] > [client 172.17.0.1:39762] AH10129: verify client post handshake, referer: > https://localhost:8443/ > [Wed Mar 31 17:32:33.383556 2021] [ssl:error] [pid 15:tid 139700669138688] > [client 172.17.0.1:39762] AH10158: cannot perform post-handshake > authentication, referer: https://localhost:8443 > / > [Wed Mar 31 17:32:33.383606 2021] [ssl:error] [pid 15:tid 139700669138688] > SSL Library Error: error:14268117:SSL > routines:SSL_verify_client_post_handshake:extension not received > > -- > You received this message because you are subscribed to the Google Groups > "modwsgi" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/modwsgi/5ad0acbf-a933-4aa5-b7d9-002a8858103bn%40googlegroups.com > > <https://groups.google.com/d/msgid/modwsgi/5ad0acbf-a933-4aa5-b7d9-002a8858103bn%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > > -- You received this message because you are subscribed to the Google Groups "modwsgi" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/0167bd40-5bc0-45d2-ae52-fbb32d97ef94n%40googlegroups.com.
