[ckan-dev] Possible to Run paster serve Under SSL?
Tyler Kennedy
tk at tkte.ch
Tue Oct 10 17:54:44 UTC 2017
Hello Cam,
I do not believe so; running it this way is *strongly* discouraged. There
are already several organizations I have found that are running paster as
their production server; we do not want to encourage it.
All options under [server:main] are also universal Pylons options untouched
by CKAN and can be found in the Pylons documentation.
Thank you,
--
Tyler Kennedy
On October 10, 2017 at 1:52:11 PM, Cam Findlay (cam at camfindlay.com) wrote:
Perhaps worth adding to the CKAN docs?
On Wed, 11 Oct 2017 at 6:40 AM, Nathan Hook <nhook at ucar.edu> wrote:
> Thank you for the reply Tyler.
>
> Things are working now, but here are a couple of quick notes for others in
> the future...
>
> - pyOpenSSL must be installed:
> https://pyopenssl.org/en/stable/install.html
>
> - Trying ssl_pem=* did not work for us. We received the following error
> when starting paster serve:
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ee key too small')]
>
> My guess is that ssl_pem=* is creating a 256 or (more likely) a 512 length
> key and I am also guessing that the openssl libraries no longer accept keys
> that short.
>
> So, we followed the instructions from the link you sent us, but with a
> couple of small tweaks:
>
> $ openssl genrsa 2048 > host.key
> $ chmod 400 host.key
> $ openssl req -new -x509 -nodes -sha256 -days 3650 \
> -key host.key > host.cert
> $ cat host.cert host.key > host.pem
> $ chmod 400 host.pem
>
> Our tweaks included the following:
> - Changing the key size from 1024 to 2048
> - Changing the expiration date from 365 days to 3650 days (10 years)
> - Changing the signing of the certificate from sha1 to sha256 (which I
> think is considered sha2)
>
> Here is the link to the documentation you sent us:
>
> https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
>
> Once we set the ssl_pem=/usr/lib/ckan/host.pem everything worked great.
>
>
> Thank you for your time and knowledge. Both are very much appreciated.
>
> Regards,
>
> Nathan
>
>
>
> On Tue, Oct 10, 2017 at 11:07 AM, Tyler Kennedy <tk at tkte.ch> wrote:
> >
> > My apologies Nathan, I had a typo in my original reply. It's ssl_pem not
> > ssl_perm. It can either be a path to your PEM file or an asterisk, in which
> > case a temporary certificate will be generated.
> >
> > You can find the documentation on available options here,
> > https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
> >
> > On Tue, Oct 10, 2017 at 12:54 PM, Nathan Hook <nhook at ucar.edu> wrote:
> >>
> >> Good Day,
> >>
> >> We tried adding ssl_perm=* to our .ini file and we received the
> >> following exception when running paster serve <.ini_file_location> start:
> >>
> >> Traceback (most recent call last):
> >>   File "/usr/lib/ckan/default/bin/paster", line 11, in <module>
> >>     sys.exit(run())
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 102, in run
> >>     invoke(command, command_name, options, args[1:])
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 141, in invoke
> >>     exit_code = runner.run(args)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 236, in run
> >>     result = self.command()
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py", line 319, in command
> >>     serve()
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py", line 303, in serve
> >>     server(app)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 189, in server_wrapper
> >>     **context.local_conf)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py", line 58, in fix_call
> >>     reraise(*exc_info)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/compat.py", line 23, in reraise
> >>     exec('raise t, e, tb', dict(t=t, e=e, tb=tb))
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py", line 55, in fix_call
> >>     val = callable(*args, **kw)
> >>   File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/httpserver.py", line 1342, in server_runner
> >>     serve(wsgi_app, **kwargs)
> >> TypeError: serve() got an unexpected keyword argument 'ssl_perm'
> >>
> >>
> >> Is there something that we are doing wrong?
> >>
> >> Full disclosure, we are currently running CKAN 2.5.2. Is the ssl_perm
> >> property for newer versions of CKAN only?
> >>
> >> Also, after performing a Google search, I was unable to find any
> >> information out about the ssl_perm property. Is there any documentation
> >> anywhere that describes how that property works?
> >>
> >> Thank you for your time,
> >>
> >> Nathan
> >>
> >> On Mon, Oct 9, 2017 at 10:42 AM, Tyler Kennedy <tk at tkte.ch> wrote:
> >>>
> >>> Hello Nathan,
> >>>
> >>> Yes it is. In your .ini file under [server:main] add ssl_perm=*.
> >>>
> >>> However, this should only be used for development. Paster is not an
> >>> acceptable server to use for production, and the * will generate a
> >>> temporary development certificate.
> >>>
> >>> Thank you,
> >>> Tyler Kennedy
> >>>
> >>> On Mon, Oct 9, 2017 at 11:27 AM, Nathan Hook <nhook at ucar.edu> wrote:
> >>>>
> >>>> Good Day,
> >>>>
> >>>> Is it possible to run the paster serve command under SSL?
> >>>>
> >>>> Any friendly information or direction would be greatly appreciated.
> >>>>
> >>>> Thank you for your time,
> >>>>
> >>>> Nathan
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> ckan-dev mailing list
> >>>> ckan-dev at lists.okfn.org
> >>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
> >>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
> >>>>
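Added example, not part of the original thread: a pre-flight check for an RSA PEM bundle before pointing ssl_pem at it, covering the key size behind the 'ee key too small' error, the signature digest, the key/certificate match and the file permissions. The names check_pem, make_bundle and MIN_BITS and the sample CN are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. check_pem, make_bundle, MIN_BITS and the
# CN below are hypothetical names chosen for this sketch.
MIN_BITS=2048

check_pem() {   # usage: check_pem BUNDLE.pem
    pem=$1
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) ||
        { echo "no readable certificate"; return 1; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    # "ee key too small" means the end-entity certificate's key is below the
    # size the OpenSSL build accepts, so check it before the server does.
    [ "${bits:-0}" -ge "$MIN_BITS" ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    case $sig in
        md5*|sha1*) echo "weak signature: $sig"; return 1 ;;
    esac
    # The private key in the bundle must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key/cert mismatch"; return 1; }
    # The bundle contains the private key: no group or other permission bits.
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] ||
        { echo "permissions too open"; return 1; }
    echo "ok: $bits bits, $sig"
}

# Constructed sample: a bundle with the post's key size and digest, built
# non-interactively under umask 077 so the key is never world-readable.
make_bundle() {   # usage: make_bundle DIR BITS
    (
        umask 077
        openssl genrsa -out "$1/host.key" "$2" 2>/dev/null &&
        openssl req -new -x509 -sha256 -days 30 -subj "/CN=ckan.example.test" \
            -key "$1/host.key" -out "$1/host.cert" 2>/dev/null &&
        cat "$1/host.cert" "$1/host.key" > "$1/host.pem" &&
        chmod 400 "$1/host.key" "$1/host.pem"
    )
}

demo() {
    dir=$(mktemp -d) || return 1
    make_bundle "$dir" 2048 && check_pem "$dir/host.pem"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
demo
```

Raising MIN_BITS tightens the floor for hosts with a stricter OpenSSL policy; the check only handles RSA bundles laid out as certificate followed by key.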