Oxynum Oxynum - 3 months ago 8
Python Question

OpenSSL error - RestClient Gem - Python WSGI

Issue :



I'm struggling on a SSL issue. I'm trying to connect to a Web server for a Python application but each time I execute a request, I have this error :

RestClient::SSLCertificateNotVerified: SSL_connect returned=1 errno=0 state=error: certificate verify failed:


Details :




  • I use the RestClient gem (v1.8.0) and am trying a simple GET request

  • The python code to launch the server is as so :

    http_server = WSGIServer(('', int(port)), app, log=nylas_logger,
    handler_class=NylasWSGIHandler,

    keyfile='/vagrant/server.key', certfile='/vagrant/server.crt')

  • I use the same certificates (wildcard certificate COMODO) on another subdomain on another server (Nginx Passenger) and I can successfully launch my requests



What I tried :




  • I tried reinstalling Openssl using Brew

  • I successfully launched my request passing the verify_ssl: false flag to the restclient gem (but I want to find a solution that does not use this workaround)

  • I tried reinstalling Ruby (I'm using RVM) with the --disable-bynary flag

  • I launched
    rvm osx-ssl-certs update all



The most surprising is that I actually can perform requests on another type of server using the same certificates so it seems the issue may be with the Python web server.

Answer

It turns out the gevent.pywsgi server did not handle the SSL certificate correctly. I installed Nginx and did a reverse proxy on the localhost Python gevent.pywsgi server and did the SSL handling on the Nginx part and it worked instantly.

For information, my nginx conf :

server{
        listen 80;
        return 301 https://$host$request_uri;
}

server{
        listen 443;
        server_name subdomain.domain.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/cert.key;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proro $scheme;

            proxy_pass http://localhost:5555;
            proxy_read_timeout 90;
            proxy_pass_request_headers on;

            proxy_redirect http://localhost:5555 https://subdomain.domain.com;
        }
}

And I restricted the python server to listen only to localhost requests.

Comments