[ckan-dev] Possible to Run paster serve Under SSL?

Nathan Hook nhook at ucar.edu
Tue Oct 10 17:40:46 UTC 2017


Thank you for the reply Tyler.

Things are working now, but here are a couple of quick notes for others in
the future...

- pyOpenSSL must be installed:
https://pyopenssl.org/en/stable/install.html

- Trying ssl_pem=* did not work for us.  We received the following error
when starting paster serve:
OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ee key too small')]

My guess is that ssl_pem=* is creating a 256 or (more likely) a 512 length
key and I am also guessing that the openssl libraries no longer accept keys
that short.

So, we followed the instructions from the link you sent us, but with a
couple of small tweaks:

$ openssl genrsa 2048 > host.key
$ chmod 400 host.key
$ openssl req -new -x509 -nodes -sha256 -days 3650  \
              -key host.key > host.cert
$ cat host.cert host.key > host.pem
$ chmod 400 host.pem

Our tweaks included the following:
- Changing the key size from 1024 to 2048
- Changing the expiration date from 365 days to 3650 days (10 years)
- Changing the signing of the certificate from sha1 to sha256 (which I
think is considered sha2)

Here is the link to the documentation you sent us:
https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html

Once we set the ssl_pem=/usr/lib/ckan/host.pem everything worked great.


Thank you for your time and knowledge.  Both are very much appreciated.

Regards,

Nathan


On Tue, Oct 10, 2017 at 11:07 AM, Tyler Kennedy <tk at tkte.ch> wrote:
>
> My apologies Nathan, I had a typo in my original reply. It's ssl_pem not
> ssl_perm. It can either be a path to your PEM file or an asterisk, in which
> case a temporary certificate will be generated.
>
> You can find the documentation on available options here,
> https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
>
> On Tue, Oct 10, 2017 at 12:54 PM, Nathan Hook <nhook at ucar.edu> wrote:
>>
>> Good Day,
>>
>> We tried adding ssl_perm=* to our .ini file and we received the
>> following exception when running paster serve <.ini_file_location> start:
>>
>> Traceback (most recent call last):
>>   File "/usr/lib/ckan/default/bin/paster", line 11, in <module>
>>     sys.exit(run())
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 102, in run
>>     invoke(command, command_name, options, args[1:])
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 141, in invoke
>>     exit_code = runner.run(args)
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 236, in run
>>     result = self.command()
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py", line 319, in command
>>     serve()
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py", line 303, in serve
>>     server(app)
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 189, in server_wrapper
>>     **context.local_conf)
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py", line 58, in fix_call
>>     reraise(*exc_info)
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/compat.py", line 23, in reraise
>>     exec('raise t, e, tb', dict(t=t, e=e, tb=tb))
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
>>     val = callable(*args, **kw)
>>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/httpserver.py", line 1342, in server_runner
>>     serve(wsgi_app, **kwargs)
>> TypeError: serve() got an unexpected keyword argument 'ssl_perm'
>>
>>
>> Is there something that we are doing wrong?
>>
>> Full disclosure, we are currently running ckan 2.5.2.  Is the ssl_perm
>> property for newer versions of ckan only?
>>
>> Also, after performing a google search, I was unable to find any
>> information out about the ssl_perm property.  Is there any documentation
>> anywhere that describes how that property works?
>>
>> Thank you for your time,
>>
>> Nathan
>>
>> On Mon, Oct 9, 2017 at 10:42 AM, Tyler Kennedy <tk at tkte.ch> wrote:
>>>
>>> Hello Nathan,
>>>
>>> Yes it is. In your .ini file under [server:main] add ssl_perm=*.
>>>
>>> However, this should only be used for development. Paster is not an
>>> acceptable server to use for production, and the * will generate a
>>> temporary development certificate.
>>>
>>> Thank you,
>>> Tyler Kennedy
>>>
>>> On Mon, Oct 9, 2017 at 11:27 AM, Nathan Hook <nhook at ucar.edu> wrote:
>>>>
>>>> Good Day,
>>>>
>>>> Is it possible to run the paster serve command under SSL?
>>>>
>>>> Any friendly information or direction would be greatly appreciated.
>>>>
>>>> Thank you for your time,
>>>>
>>>> Nathan
>>>>
>>>>
>>>> _______________________________________________
>>>> ckan-dev mailing list
>>>> ckan-dev at lists.okfn.org
>>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>>>
>
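
Added example, not part of the original thread: a pre-flight check that a PEM bundle built with the commands in the message above meets the same choices (RSA key of at least 2048 bits, no SHA-1/MD5 signature, key matching the certificate, mode 400) before it is used as ssl_pem. The helper names make_pem and check_pem and the "/CN=localhost" subject are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of an ssl_pem bundle.
# make_pem and check_pem are hypothetical helper names; the 2048-bit floor and
# the digest check mirror the tweaks listed in the message above.
MIN_RSA_BITS=2048

# make_pem BITS OUT: build a cert+key bundle with the message's commands,
# non-interactively ("/CN=localhost" is a constructed subject).
make_pem() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/host.key" "$1" 2>/dev/null &&
    openssl req -new -x509 -nodes -sha256 -days 3650 -subj "/CN=localhost" \
        -key "$dir/host.key" -out "$dir/host.cert" 2>/dev/null &&
    cat "$dir/host.cert" "$dir/host.key" > "$2" && chmod 400 "$2"
    rc=$?; rm -rf "$dir"; return $rc
}

# check_pem FILE: return 0 only if the bundle passes every check; print reasons.
check_pem() {
    pem=$1; bad=0
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
        echo "no readable certificate in $pem"; return 1; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "key is ${bits:-unknown} bits, below $MIN_RSA_BITS"; bad=1
    fi
    case $sig in
        *md5*|*sha1*) echo "weak signature digest: $sig"; bad=1 ;;
    esac
    # The private key in the bundle must belong to the certificate.
    cm=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null)
    km=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null)
    if [ -z "$km" ] || [ "$cm" != "$km" ]; then
        echo "private key missing or does not match certificate"; bad=1
    fi
    # The message uses chmod 400: group and others must have no access.
    if [ "$(ls -ld "$pem" | cut -c5-10)" != "------" ]; then
        echo "$pem is accessible to group or others"; bad=1
    fi
    return $bad
}
```

Sourcing the file and running check_pem against the path given to ssl_pem reports every failed check and returns non-zero if any failed.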