
I'm trying to get CherryPy to use SSL.

The first issue I encountered was that it was not supported in the current version available on Ubuntu, so I upgraded to the latest version and got it working with self-signed certificates.

I then got certificates that are chained, from GoDaddy. I provided them with the output of this command:

openssl req -new -newkey rsa:2048 -nodes -out  [private info]

They then returned two files, a .crt and a gd_bundle.crt. The first contains one certificate (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----).

The second contains three, like the above.

Does CherryPy work with chained certificates? I've seen this link, which states that it needs patching, and tried as suggested, but the patch failed and the method did not work.

Can someone please explain what I'm missing or how to resolve this?

SvaLopLop

1 Answer

CherryPy has supported intermediary certificates at least since 2011 (not sure about the version). It is also documented; if you read the Deploy SSL support documentation section carefully, you would have noticed the following.

If you have a certificate chain at hand, you can also specify it: cherrypy.server.ssl_certificate_chain = "certchain.perm"

As you may know, the latest release, CherryPy 3.6, has an SSL socket problem, but it was fixed in the development branch and you can install it from the repo, like:

pip install hg+https://bitbucket.org/cherrypy/cherrypy

A test may look like this.

#!/usr/bin/env python
# -*- coding: utf-8 -*-


import cherrypy


config = {
  'global' : {
    'server.socket_host' : '127.0.0.1',
    'server.socket_port' : 8080,
    'server.thread_pool' : 8,

    # 'pyopenssl' or 'builtin' (the stdlib ssl module); both read PEM files
    'server.ssl_module'            : 'pyopenssl',
    # the server (leaf) certificate issued for the domain
    'server.ssl_certificate'       : '/path/to/certs/domain.com.crt',
    # the CA bundle holding the intermediate certificate(s), e.g. gd_bundle.crt
    'server.ssl_certificate_chain' : '/path/to/certs/ssl123_ca_bundle.pem',
    # the private key generated alongside the CSR (openssl req -newkey ...)
    'server.ssl_private_key'       : '/path/to/certs/domain.com.key',
  }
}


class App:

  @cherrypy.expose
  def index(self):
    return '<em>Is this secure?</em>'


if __name__ == '__main__':
  cherrypy.quickstart(App(), '/', config)

Related security warning

Make sure you read this question. I strongly recommend that you use Python 2.7.9+ or Python 3.4+ for security reasons, or pyOpenSSL with the latest OpenSSL available to you. Also, don't forget to test your deployment with a comprehensive SSL tester, Qualys's for instance.

saaj
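Before pointing server.ssl_certificate and server.ssl_certificate_chain at the .crt and gd_bundle.crt, it is worth checking that the two files actually link up, since a bundle in the wrong order or from the wrong CA fails only at handshake time. The following is an added example, not code from the answer or from CherryPy: it splits the PEM files with the standard library only and checks that each certificate's issuer Name equals the next certificate's subject Name (raw DER comparison, no signature verification). The fake_cert_pem helper builds constructed, unsigned X.509 skeletons as test data; they are not real certificates.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """Split PEM text into the DER bytes of each certificate, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def read_tlv(data, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def elements(data, start, end):
    out, pos = [], start  # raw TLV bytes of every element inside a constructed value
    while pos < end:
        _, _, vend = read_tlv(data, pos)
        out.append(data[pos:vend])
        pos = vend
    return out

def issuer_and_subject(der):
    """(issuer, subject) as raw DER Name encodings of one X.509 certificate."""
    _, tbs_pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, start, end = read_tlv(der, tbs_pos)  # TBSCertificate ::= SEQUENCE { ... }
    fields = elements(der, start, end)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[2], fields[4]             # serialNumber, signature, issuer, validity, subject

def chain_problems(server_pem, bundle_pem):
    """[] when every certificate is issued by the next one in server+bundle order, else the gaps."""
    certs = pem_to_ders(server_pem) + pem_to_ders(bundle_pem)
    if len(certs) < 2:
        return ["need the server certificate plus at least one intermediate"]
    return ["cert %d is not issued by cert %d" % (i, i + 1) for i in range(len(certs) - 1)
            if issuer_and_subject(certs[i])[0] != issuer_and_subject(certs[i + 1])[1]]

def tlv(tag, value):
    """DER-encode one tag/length/value, with short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_cert_pem(subject, issuer):
    """Constructed test data: unsigned X.509 skeleton whose Names hold only a CN (not a real cert)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs += name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b"")  # validity and SPKI left empty
    pem_body = base64.encodebytes(tlv(0x30, tlv(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % pem_body
```

Run it as chain_problems(open("domain.com.crt").read(), open("gd_bundle.crt").read()) on the real files; an empty list means the bundle is in the order the chain needs.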