[ckan-dev] Possible to Run paster serve Under SSL?

Cam Findlay cam at camfindlay.com
Tue Oct 10 17:51:52 UTC 2017


Perhaps worth adding to the CKAN docs?

On Wed, 11 Oct 2017 at 6:40 AM, Nathan Hook <nhook at ucar.edu> wrote:

> Thank you for the reply Tyler.
>
> Things are working now, but here are a couple of quick notes for others in
> the future...
>
> - pyOpenSSL must be installed:
> https://pyopenssl.org/en/stable/install.html
>
> - Trying ssl_pem=* did not work for us.  We received the following error
> when starting paster serve:
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ee key too small')]
>
> My guess is that ssl_pem=* is creating a 256 or (more likely) a 512 length
> key and I am also guessing that the openssl libraries no longer accept keys
> that short.
>
> So, we followed the instructions from the link you sent us, but with a
> couple of small tweaks:
>
> $ openssl genrsa 2048 > host.key
> $ chmod 400 host.key
> $ openssl req -new -x509 -nodes -sha256 -days 3650  \
>               -key host.key > host.cert
> $ cat host.cert host.key > host.pem
> $ chmod 400 host.pem
>
> Our tweaks included the following:
> - Changing the key size from 1024 to 2048
> - Changing the expiration date from 365 days to 3650 days (10 years)
> - Changing the signing of the certificate from sha1 to sha256 (which I
> think is considered sha2)
>
> Here is the link to the documentation you sent us:
>
> https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
>
> Once we set the ssl_pem=/usr/lib/ckan/host.pem everything worked great.
>
>
> Thank you for your time and knowledge.  Both are very much appreciated.
>
> Regards,
>
> Nathan
>
>
>
> On Tue, Oct 10, 2017 at 11:07 AM, Tyler Kennedy <tk at tkte.ch> wrote:
> >
> > My apologies Nathan, I had a typo in my original reply. It's ssl_pem not
> > ssl_perm. It can either be a path to your PEM file or an asterisk, in which
> > case a temporary certificate will be generated.
> >
> > You can find the documentation on available options here,
> > https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
> >
> > On Tue, Oct 10, 2017 at 12:54 PM, Nathan Hook <nhook at ucar.edu> wrote:
> >>
> >> Good Day,
> >>
> >> We tried adding ssl_perm=* to our .ini file and we received the
> >> following exception when running paster serve <.ini_file_location> start:
> >>
> >> Traceback (most recent call last):
> >>   File "/usr/lib/ckan/default/bin/paster", line 11, in <module>
> >>     sys.exit(run())
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 102, in run
> >>     invoke(command, command_name, options, args[1:])
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 141, in invoke
> >>     exit_code = runner.run(args)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 236, in run
> >>     result = self.command()
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py", line 319, in command
> >>     serve()
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py", line 303, in serve
> >>     server(app)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 189, in server_wrapper
> >>     **context.local_conf)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py", line 58, in fix_call
> >>     reraise(*exc_info)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/compat.py", line 23, in reraise
> >>     exec('raise t, e, tb', dict(t=t, e=e, tb=tb))
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
> >>     val = callable(*args, **kw)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/httpserver.py", line 1342, in server_runner
> >>     serve(wsgi_app, **kwargs)
> >> TypeError: serve() got an unexpected keyword argument 'ssl_perm'
> >>
> >>
> >> Is there something that we are doing wrong?
> >>
> >> Full disclosure, we are currently running ckan 2.5.2.  Is the ssl_perm
> >> property for newer versions of ckan only?
> >>
> >> Also, after performing a google search, I was unable to find any
> >> information out about the ssl_perm property.  Is there any documentation
> >> anywhere that describes how that property works?
> >>
> >> Thank you for your time,
> >>
> >> Nathan
> >>
> >> On Mon, Oct 9, 2017 at 10:42 AM, Tyler Kennedy <tk at tkte.ch> wrote:
> >>>
> >>> Hello Nathan,
> >>>
> >>> Yes it is. In your .ini file under [server:main] add ssl_perm=*.
> >>>
> >>> However, this should only be used for development. Paster is not an
> >>> acceptable server to use for production, and the * will generate a
> >>> temporary development certificate.
> >>>
> >>> Thank you,
> >>> Tyler Kennedy
> >>>
> >>> On Mon, Oct 9, 2017 at 11:27 AM, Nathan Hook <nhook at ucar.edu> wrote:
> >>>>
> >>>> Good Day,
> >>>>
> >>>> Is it possible to run the paster serve command under SSL?
> >>>>
> >>>> Any friendly information or direction would be greatly appreciated.
> >>>>
> >>>> Thank you for your time,
> >>>>
> >>>> Nathan
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> ckan-dev mailing list
> >>>> ckan-dev at lists.okfn.org
> >>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
> >>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> >>>>
>
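
A pre-flight check for the host.pem bundle built in the thread above, added here as an example (it is not part of the original messages, nor code from Paste or CKAN). It confirms the certificate's key size and signature digest, that the bundled private key belongs to the certificate, and that the file is not group- or world-readable. The function name check_pem and the MIN_BITS default of 2048 are assumptions of this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: validate a cert+key PEM bundle before pointing ssl_pem= at it.
# MIN_BITS and check_pem are names chosen for this example (assumptions).
MIN_BITS="${MIN_BITS:-2048}"

# Returns 0 if the bundle passes, 1 if a check fails, 2 if it cannot be parsed.
check_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
        echo "$pem: no certificate found" >&2; return 2; }

    # "Public-Key: (2048 bit)" -> 2048
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    rc=0
    if [ -z "$bits" ] || [ "$bits" -lt "$MIN_BITS" ]; then
        echo "$pem: key is ${bits:-unknown} bits, want >= $MIN_BITS" >&2
        rc=1
    fi
    case "$sig" in
        md5*|sha1*) echo "$pem: weak signature digest ($sig)" >&2; rc=1 ;;
    esac

    # The private key in the bundle must match the certificate's public key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$pem: private key missing or not matching the certificate" >&2
        rc=1
    fi

    # Group/other permission bits (columns 5-10 of ls -l) must all be clear.
    mode=$(ls -ld "$pem" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$pem: readable beyond owner, run chmod 400" >&2
        rc=1
    fi
    return "$rc"
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_pem "$1"; fi
```

Run it as `sh check_pem.sh /usr/lib/ckan/host.pem` (the script file name is an assumption) before starting paster serve.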