[ckan-dev] Possible to Run paster serve Under SSL?

Cam Findlay cam at camfindlay.com
Tue Oct 10 19:07:03 UTC 2017


Cheers Tyler

In that case, is there something to be done to better promote good practice
not to use paster in production?

C.




On Wed, 11 Oct 2017 at 6:54 AM, Tyler Kennedy <tk at tkte.ch> wrote:

> Hello Cam,
>
> I do not believe so, running it this way is *strongly* discouraged. There
> are already several organizations I have found that are running paster as
> their production server, we do not want to encourage it.
>
> All options under [server:main] are also universal Pylons options
> untouched by CKAN and can be found in the pylons documentation.
>
> Thank you,
>
> --
> Tyler Kennedy
>
> On October 10, 2017 at 1:52:11 PM, Cam Findlay (cam at camfindlay.com) wrote:
>
> Perhaps worth adding to the CKAN docs?
>
> On Wed, 11 Oct 2017 at 6:40 AM, Nathan Hook <nhook at ucar.edu> wrote:
>
>> Thank you for the reply Tyler.
>>
>> Things are working now, but here are a couple of quick notes for others
>> in the future...
>>
>> - pyOpenSSL must be installed:
>> https://pyopenssl.org/en/stable/install.html
>>
>> - Trying ssl_pem=* did not work for us.  We received the following error
>> when starting paster serve:
>> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ee key
>> too small')]
>>
>> My guess is that ssl_pem=* is creating a 256 or (more likely) a 512
>> length key and I am also guessing that the openssl libraries no longer
>> accept keys that short.
>>
>> So, we followed the instructions from the link you sent us, but with a
>> couple of small tweaks:
>>
>> $ openssl genrsa 2048 > host.key
>> $ chmod 400 host.key
>> $ openssl req -new -x509 -nodes -sha256 -days 3650  \
>>               -key host.key > host.cert
>> $ cat host.cert host.key > host.pem
>> $ chmod 400 host.pem
>>
>> Our tweaks included the following:
>> - Changing the key size from 1024 to 2048
>> - Changing the expiration date from 365 days to 3650 days (10 years)
>> - Changing the signing of the certificate from sha1 to sha256 (which I
>> think is considered sha2)
>>
>> Here is the link to the documentation you sent us:
>>
>> https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
>>
>> Once we set the ssl_pem=/usr/lib/ckan/host.pem everything worked great.
>>
>>
>> Thank you for your time and knowledge.  Both are very much appreciated.
>>
>> Regards,
>>
>> Nathan
>>
>>
>>
>> On Tue, Oct 10, 2017 at 11:07 AM, Tyler Kennedy <tk at tkte.ch> wrote:
>> >
>> > My apologies Nathan, I had a typo in my original reply. It's ssl_pem
>> not ssl_perm. It can either be a path to your PEM file or an asterisk, in
>> which case a temporary certificate will be generated.
>> >
>> > You can find the documentation on available options here,
>> https://web.archive.org/web/20161010013127/http://pythonpaste.org:80/modules/httpserver.html
>> >
>> > On Tue, Oct 10, 2017 at 12:54 PM, Nathan Hook <nhook at ucar.edu> wrote:
>> >>
>> >> Good Day,
>> >>
>> >> We tried adding ssl_perm=* to our .ini file and we received the
>> following exception when running paster serve <.ini_file_location> start:
>> >>
>> >> Traceback (most recent call last):
>> >>   File "/usr/lib/ckan/default/bin/paster", line 11, in <module>
>> >>     sys.exit(run())
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py",
>> line 102, in run
>> >>     invoke(command, command_name, options, args[1:])
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py",
>> line 141, in invoke
>> >>     exit_code = runner.run(args)
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py",
>> line 236, in run
>> >>     result = self.command()
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py",
>> line 319, in command
>> >>     serve()
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/serve.py",
>> line 303, in serve
>> >>     server(app)
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/loadwsgi.py",
>> line 189, in server_wrapper
>> >>     **context.local_conf)
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py",
>> line 58, in fix_call
>> >>     reraise(*exc_info)
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/compat.py",
>> line 23, in reraise
>> >>     exec('raise t, e, tb', dict(t=t, e=e, tb=tb))
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/deploy/util.py",
>> line 55, in fix_call
>> >>     val = callable(*args, **kw)
>> >>   File
>> "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/httpserver.py",
>> line 1342, in server_runner
>> >>     serve(wsgi_app, **kwargs)
>> >> TypeError: serve() got an unexpected keyword argument 'ssl_perm'
>> >>
>> >>
>> >> Is there something that we are doing wrong?
>> >>
>> >> Full disclosure, we are currently running ckan 2.5.2.  Is the ssl_perm
>> property for newer versions of ckan only?
>> >>
>> >> Also, after performing a google search, I was unable to find any
>> information out about the ssl_perm property.  Is there any documentation
>> anywhere that describes how that property works?
>> >>
>> >> Thank you for your time,
>> >>
>> >> Nathan
>> >>
>> >> On Mon, Oct 9, 2017 at 10:42 AM, Tyler Kennedy <tk at tkte.ch> wrote:
>> >>>
>> >>> Hello Nathan,
>> >>>
>> >>> Yes it is. In your .ini file under [server:main] add ssl_perm=*.
>> >>>
>> >>> However, this should only be used for development. Paster is not an
>> acceptable server to use for production, and the * will generate a
>> temporary development certificate.
>> >>>
>> >>> Thank you,
>> >>> Tyler Kennedy
>> >>>
>> >>> On Mon, Oct 9, 2017 at 11:27 AM, Nathan Hook <nhook at ucar.edu> wrote:
>> >>>>
>> >>>> Good Day,
>> >>>>
>> >>>> Is it possible to run the paster serve command under SSL?
>> >>>>
>> >>>> Any friendly information or direction would be greatly appreciated.
>> >>>>
>> >>>> Thank you for your time,
>> >>>>
>> >>>> Nathan
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> ckan-dev mailing list
>> >>>> ckan-dev at lists.okfn.org
>> >>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> >>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>> >>>>
>
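The certificate steps Nathan posted, scripted and checked, as an added example that is not from the thread, CKAN or Paste. `make_pem` runs the same `openssl genrsa`, `openssl req` and `cat`/`chmod 400` sequence (2048-bit RSA, sha256 self-signature, 3650 days) and `check_pem` verifies the bundle before `ssl_pem` is pointed at it: key size of at least 2048 bits (a shorter end-entity key is what OpenSSL refuses with `ee key too small`), sha256 signature, remaining validity, both certificate and key present in the one file, and owner-only permissions, since that file now holds the private key. Assumptions made here: the `/CN=localhost` subject so `openssl req` does not prompt, the optional BITS parameter added to reproduce the too-small case, and the nine-year validity threshold.

```shell
#!/bin/sh
# Added example, not code from the thread: script the key/cert steps Nathan
# posted and verify the resulting PEM before pointing paster's ssl_pem at it.
set -eu

# make_pem DIR [BITS]: write host.key, host.cert and the combined host.pem
# into DIR. Defaults follow the thread: 2048-bit RSA, sha256 self-signature,
# 3650 days, owner-read-only files. BITS is a parameter added here so the
# too-small key case can be reproduced.
make_pem() {
    dir="$1"
    bits="${2:-2048}"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/host.key" "$bits" 2>/dev/null
    chmod 400 "$dir/host.key"
    # -subj is an assumption so the script runs without prompting
    openssl req -new -x509 -nodes -sha256 -days 3650 -subj "/CN=localhost" \
        -key "$dir/host.key" -out "$dir/host.cert" 2>/dev/null
    cat "$dir/host.cert" "$dir/host.key" > "$dir/host.pem"
    chmod 400 "$dir/host.pem"
}

# check_pem FILE: print "ok" if FILE is a cert+key bundle that satisfies the
# thread's requirements, otherwise print the first failing check and return 1.
check_pem() {
    pem="$1"
    text=$(openssl x509 -in "$pem" -noout -text)
    # 1. RSA modulus size: a short end-entity key is what OpenSSL rejects
    #    with "ee key too small"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "key too small: ${bits:-unknown} bits (need at least 2048)"
        return 1
    fi
    # 2. signature digest must be sha256, not sha1
    if ! printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'; then
        echo "certificate is not signed with sha256"
        return 1
    fi
    # 3. validity: -checkend succeeds only if the cert is still valid after
    #    the given number of seconds (nine years here, an assumed threshold)
    if ! openssl x509 -in "$pem" -noout -checkend 283824000 >/dev/null; then
        echo "certificate expires in less than 9 years"
        return 1
    fi
    # 4. paster's ssl_pem expects the certificate and the key in one file
    if ! grep -q 'BEGIN CERTIFICATE' "$pem" || ! grep -q 'PRIVATE KEY' "$pem"; then
        echo "pem must contain both the certificate and the private key"
        return 1
    fi
    # 5. the file holds a private key, so only its owner may read it
    #    (stat -c is GNU, stat -f the BSD/macOS fallback)
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    if [ "$mode" != "400" ]; then
        echo "pem permissions are $mode, expected 400"
        return 1
    fi
    echo ok
}

# Stand-alone usage: build the bundle in a temporary directory, check it and
# print the line to put under [server:main].
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_pem "$work"
    check_pem "$work/host.pem"
    echo "ssl_pem=$work/host.pem"
fi
```

Run it as `sh make_pem.sh --demo`; the printed `ssl_pem=` line is the value for `[server:main]` in the .ini. Re-running `check_pem` on a bundle built with a 1024-bit key reproduces the too-small condition as a readable message instead of the `SSL_CTX_use_certificate` exception at startup, and the permission check fails as soon as the bundle is made world-readable. As the thread says, this is a development setup only.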