> On 2 Apr 2021, at 3:16 am, Kaushik Ramnath Ganesan <[email protected]> wrote:
>
> I have made the changes you have suggested above.
>
> 1. I created new certificates with the server name 127.0.0.1.nip.io. Also changed the server name in the Django API to 127.0.0.1.nip.io and the API works fine. But I still get this warning (AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name). Should I be worried about this warning?

It is hard to say as you don't show how you generated the certificate. It is unclear if you are still using a method which generates a client certificate as part of the requirement when you shouldn't. That gist you linked isn't how you should be generating it.

> 2. The Django API works fine without --ssl-ca-certificate-file opt/app-root/ssl_certs/ca.crt but when I include the client certificate it throws the post-handshake error. Do I have to buy an SSL certificate from valid providers like AWS or Let's encrypt to make this client certificate error go away?

You definitely don't usually want to be requiring a client certificate. The only issue with generating a certificate yourself is that it will be a self signed certificate, in which case people will have to indicate they trust your certificate, or you need to provide them with a certificate authority file for the browser to trust. So self signed certificates can work, but for public sites these days you are better off using Let's Encrypt to generate certificates.

> For your reference:
>
> Docker build and run commands:
> 1. Build command: docker build -t ssl-api .
> 2. Run command: docker run -it -p 443:443 ssl-api
>
> Dockerfile:
>
> FROM python:3
>
> RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen
> ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8
> COPY ./requirements.txt /requirements.txt
> RUN pip install --no-cache-dir -r /requirements.txt
> WORKDIR /opt/app-root
> COPY . /opt/app-root
>
> EXPOSE 443
>
> CMD ["mod_wsgi-express", "start-server","--threads","20","--processes","5","--user","www-data", "--group", "www-data","--log-to-terminal","/opt/app-root/mysite/wsgi.py","--startup-log", "--https-port" ,"443" , "--server-name" ,"127.0.0.1.nip.io", "--allow-localhost" ,"--ssl-certificate-file" ,"/opt/app-root/ssl-certs-1/server.crt", "--ssl-certificate-key-file", "/opt/app-root/ssl-certs-1/server.key"]
>
> LOGS:
> Server URL : http://127.0.0.1.nip.io:8000/
> Server URL (HTTPS) : https://127.0.0.1.nip.io/
> Server Root : /tmp/mod_wsgi-localhost:8000:0
> Server Conf : /tmp/mod_wsgi-localhost:8000:0/httpd.conf
> Error Log File : /dev/stderr (warn)
> Startup Log File : /dev/stderr
> Request Capacity : 100 (5 processes * 20 threads)
> Request Timeout : 60 (seconds)
> Startup Timeout : 15 (seconds)
> Queue Backlog : 100 (connections)
> Queue Timeout : 45 (seconds)
> Server Capacity : 170 (event/worker), 160 (prefork)
> Server Backlog : 500 (connections)
> Locale Setting : en_US.UTF-8
> [Thu Apr 01 16:08:00.161434 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
> [Thu Apr 01 16:08:00.165326 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
> [Thu Apr 01 16:08:00.165890 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
> [Thu Apr 01 16:08:00.167043 2021] [mpm_event:notice] [pid 1:tid 140009763792000] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 OpenSSL/1.1.1d configured -- resuming normal operations
> [Thu Apr 01 16:08:00.167074 2021] [core:notice] [pid 1:tid 140009763792000] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND'
>
> On Thursday, April 1, 2021 at 4:11:53 AM UTC+5:30 Graham Dumpleton wrote:
> For a start, the value given to --server-name should be a fully qualified host name matching what you used to create the certificate. What you are using is invalid and the source of the error:
>
> [Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
>
> Your locale setting is also wrong. You have:
>
> LC_ALL=en_US.UTF-
>
> and are missing the '8' at the end. This is the source of the error:
>
> /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-)
>
> The main problem though is that the specific recipe you are following is for when you want to require a client certificate be used with a site. It is not the correct way of doing things for a general public web site.
>
> That is for where you specifically want users accessing it to have to have the client certificate. Right now you aren't using the client side certificate and that is why you probably get the errors.
>
> Graham
>
>> On 1 Apr 2021, at 4:36 am, Kaushik Ramnath Ganesan <[email protected]> wrote:
>>
>> I have a problem using SSL certificate in a dockerized Django application. I used the commands given by Graham to create SSL certificates in https://gist.github.com/GrahamDumpleton/b79d336569054882679e. I copied these certificates and pasted those files in a folder called "ssl_certs". If I run the docker now using the below commands I get "Post-Handshake Authentication" error when I call https://localhost:8443/.
>>
>> 1. How to resolve this error?
>> 2. Is there any way to create an SSL certificate using Dockerfile commands in Dockerfile and make Django use these certificates after I build and run the docker container?
>>
>> Docker build and run commands:
>> 1. Build command: docker build -t ssl-api .
>> 2. Run command: docker run -it -p 8443:8443 ssl-api
>>
>> Dockerfile:
>> FROM python:3
>>
>> RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen
>> ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-
>> COPY ./requirements.txt /requirements.txt
>> RUN pip install --no-cache-dir -r /requirements.txt
>> WORKDIR /opt/app-root
>> COPY . /opt/app-root
>>
>> EXPOSE 8443
>>
>> CMD ["mod_wsgi-express", "start-server","--threads","20","--processes","5","--user","www-data", "--group", "www-data","--log-to-terminal","/opt/app-root/mysite/wsgi.py","--startup-log", "--https-port" ,"8443" ,"--https-only" ,"--server-name" ,"Kaushik", "--allow-localhost" ,"--ssl-certificate-file" ,"/opt/app-root/ssl_certs/server.crt", "--ssl-certificate-key-file", "/opt/app-root/ssl_certs/server.key" ,"--ssl-ca-certificate-file" ,"/opt/app-root/ssl_certs/ca.crt"]
>>
>> LOGS:
>> Server URL : http://Kaushik:8000/
>> Server URL (HTTPS) : https://Kaushik:8443/
>> Server Root : /tmp/mod_wsgi-localhost:8000:0
>> Server Conf : /tmp/mod_wsgi-localhost:8000:0/httpd.conf
>> Error Log File : /dev/stderr (warn)
>> Startup Log File : /dev/stderr
>> Request Capacity : 100 (5 processes * 20 threads)
>> Request Timeout : 60 (seconds)
>> Startup Timeout : 15 (seconds)
>> Queue Backlog : 100 (connections)
>> Queue Timeout : 45 (seconds)
>> Server Capacity : 170 (event/worker), 160 (prefork)
>> Server Backlog : 500 (connections)
>> Locale Setting : en_US.UTF-8
>> /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-)
>> [Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
>> [Wed Mar 31 17:32:28.663192 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
>> [Wed Mar 31 17:32:28.664060 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
>> [Wed Mar 31 17:32:28.665207 2021] [mpm_event:notice] [pid 1:tid 139700681196672] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 OpenSSL/1.1.1d configured -- resuming normal operations
>> [Wed Mar 31 17:32:28.665241 2021] [core:notice] [pid 1:tid 139700681196672] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_VERIFY_CLIENT -D MOD_WSGI_HTTPS_ONLY -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND'
>> [Wed Mar 31 17:32:33.221933 2021] [ssl:error] [pid 15:tid 139700669671168] [client 172.17.0.1:39750] AH10129: verify client post handshake
>> [Wed Mar 31 17:32:33.221977 2021] [ssl:error] [pid 15:tid 139700669671168] [client 172.17.0.1:39750] AH10158: cannot perform post-handshake authentication
>> [Wed Mar 31 17:32:33.222028 2021] [ssl:error] [pid 15:tid 139700669671168] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
>> [Wed Mar 31 17:32:33.383493 2021] [ssl:error] [pid 15:tid 139700669138688] [client 172.17.0.1:39762] AH10129: verify client post handshake, referer: https://localhost:8443/
>> [Wed Mar 31 17:32:33.383556 2021] [ssl:error] [pid 15:tid 139700669138688] [client 172.17.0.1:39762] AH10158: cannot perform post-handshake authentication, referer: https://localhost:8443/
>> [Wed Mar 31 17:32:33.383606 2021] [ssl:error] [pid 15:tid 139700669138688] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
>>
>> --
>> You received this message because you are subscribed to the Google Groups "modwsgi" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/5ad0acbf-a933-4aa5-b7d9-002a8858103bn%40googlegroups.com.
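The two points made in the thread (the --server-name value must be a name the certificate actually carries, and --ssl-ca-certificate-file switches on client certificate verification, visible in the logs as -D MOD_WSGI_VERIFY_CLIENT) as an added, runnable example. This is not code from the thread or from the linked gist: it issues a private CA and a server-only certificate for 127.0.0.1.nip.io with the openssl command-line tool, then checks the certificate's subjectAltName the way mod_ssl does before emitting AH01909, and checks that the result chains to the CA. It assumes openssl is installed; the CA name, the temporary directory and the mod_wsgi-express invocation it prints at the end are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the linked gist). Issues a private
# CA plus a server-only certificate whose SAN carries the fully qualified
# name that will be passed to --server-name, then checks it the way mod_ssl
# does when it decides whether to emit AH01909. Assumes the openssl CLI.
set -eu

# make_server_cert OUTDIR SERVER_NAME
# Writes ca.key, ca.crt, server.key, server.crt into OUTDIR.
make_server_cert() {
    outdir="$1"; name="$2"
    mkdir -p "$outdir"
    # 1. Self-signed private CA (constructed name). A browser that imports
    #    ca.crt trusts everything it signs, so ca.key must stay out of the image.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. The CN alone is not enough: mod_ssl's
    #    server-name check and modern clients look at subjectAltName.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
    # 3. Extensions for a TLS *server* certificate. extendedKeyUsage=serverAuth
    #    marks it as a server cert rather than a client cert.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$name" > "$outdir/server.ext"
    openssl x509 -req -days 365 -in "$outdir/server.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/server.ext" -out "$outdir/server.crt" 2>/dev/null
}

# cert_has_san CERT NAME: exit 0 iff NAME is a DNS entry in the SAN.
# "AH01909: server certificate does NOT include an ID which matches the
# server name" is this check failing for the --server-name value.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$2(,| |\$)"
}

# cert_is_server_cert CERT: exit 0 iff the cert carries EKU serverAuth.
cert_is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# cert_verifies OUTDIR: exit 0 iff server.crt chains to ca.crt, which is
# what a browser with ca.crt imported (or curl --cacert ca.crt) checks.
cert_verifies() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_server_cert "$dir" 127.0.0.1.nip.io
    # The three names used for --server-name across the thread.
    for name in 127.0.0.1.nip.io Kaushik localhost; do
        if cert_has_san "$dir/server.crt" "$name"; then
            echo "--server-name $name: matches the certificate"
        else
            echo "--server-name $name: would trigger AH01909"
        fi
    done
    cert_is_server_cert "$dir/server.crt" && echo "server.crt has EKU serverAuth"
    cert_verifies "$dir" && echo "server.crt chains to ca.crt"
    # Serve with only the server cert and key. Do not pass
    # --ssl-ca-certificate-file: in the thread's logs that option adds
    # -D MOD_WSGI_VERIFY_CLIENT, i.e. every client must present a
    # certificate, which is where the AH10158 post-handshake errors came from.
    echo "mod_wsgi-express start-server mysite/wsgi.py --https-port 443" \
         "--server-name 127.0.0.1.nip.io --allow-localhost" \
         "--ssl-certificate-file $dir/server.crt" \
         "--ssl-certificate-key-file $dir/server.key"
    rm -rf "$dir"
}

demo
```

The certificate this produces is still self signed at the root, so a browser will only accept it after ca.crt is imported as a trusted authority; for a public host name a Let's Encrypt certificate replaces the first step and the rest of the checks apply unchanged.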
