1

I've seemingly done everything according to docs but SSL just does not work.
Here's my CherryPy settings.conf:

```ini
[global]
request.show_tracebacks = False
server.socket_port = 443
server.thread_pool = 10
log.screen = True
log.error_file = '/root/website/Web.log'
log.access_file = '/root/website/Access.log'
cherrypy.server.ssl_module = 'pyopenssl'
cherrypy.server.ssl_certificate = "/etc/ssl/website/AddTrustExternalCARoot.crt"
cherrypy.server.ssl_private_key = "/etc/ssl/website/btcontract_com.key"
cherrypy.server.ssl_certificate_chain = "/etc/ssl/website/chain.crt"
```

If I try to load site.com:443 in browser it works without using a certificate.
If I try https://site.com the browser says there's an SSL connect error.

CherryPy error and connection logs contain nothing at all, as if it is not even getting these HTTPS requests. I'm not sure if my Python has built-in SSL support, so I installed pyOpenSSL. What's going on and how can I fix this?

src091
  • 1
    `btcontract.com:443` is undoubtedly doing a plain http request, since you're not telling the browser to use https. Without forcing the protocol by using the `https://...` protocol prefix on the url, the browser will use plain http - just because you're hitting 443 won't magically convert that plain request to https. so.. ssl isn't working on your server. – Marc B Nov 19 '14 at 14:09
  • @MarcB OK, thanks. Sadly this does not solve my problem. – src091 Nov 19 '14 at 14:25
  • I have nginx in front of cherrypy which handles the https redirect. check this answer out... http://stackoverflow.com/questions/7237830/https-to-http-using-cherrypy – Andrew Kloos Nov 19 '14 at 14:49
  • @AndrewKloos why use nginx if CherryPy supposedly can handle HTTPS by itself? – src091 Nov 19 '14 at 15:03
  • nginx does some request throttling, handles ssl and serves static content. My biggest reason is that nginx handles DOS attacks well without disrupting non-offending clients. – Andrew Kloos Nov 19 '14 at 15:31
  • @AndrewKloos another good reason to use a front-end is to be able to use a privileged port (such as 443) without running as root (although you could do this with the DropPrivileges plugin). – Bruno Nov 19 '14 at 17:17

2 Answers

2

There was a change in version 3.2.5 that broke SSL support. This hasn't been fixed yet (as of version 3.6.0), but there is a patch suggested in issue 1298 if you need to use one of these versions.

Bruno
0

Problem solved by installing a lower version of CherryPy (namely 3.2.3). Apparently something is wrong with SSL in 3.6.0.

src091
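The symptom in this thread (port 443 answers plain HTTP while `https://` fails) can be confirmed without a browser. The following is an added example, not code from the thread or from CherryPy: it first attempts a TLS handshake on the port and, if that fails, sends a plain HTTP request to the same port. The function name `probe_listener` and its return labels are chosen here for illustration.

```python
import socket
import ssl
import sys


def probe_listener(host, port, timeout=3.0):
    """Classify the listener: 'tls', 'plain-http', 'unknown' or 'unreachable'."""
    # Step 1: attempt a TLS handshake. Verification is switched off because the
    # only question is "does this port speak TLS at all?", not "is the
    # certificate valid?". Never reuse this context for real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:
        # ssl.SSLError, timeouts, resets and refusals are all OSError subclasses.
        pass

    # Step 2: open a fresh connection and speak plain HTTP on the same port.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            request = "HEAD / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host)
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(16)
        except OSError:
            return "unknown"
    # A status line here means the SSL settings never took effect.
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, probe_listener(target, target_port))
```

A result of `plain-http` on port 443 means the server started without its SSL settings applied, which matches what the asker saw.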