10
"""Python HTTPS server"""

from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# https://stackoverflow.com/a/40822838/2715716
HTTPD = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)

# Ubuntu on Windows:
# - Generate key:
# `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365`
# - Strip passphrase:
# `openssl rsa -in key.pem -out key-no-pass.pem`
HTTPD.socket = ssl.wrap_socket(HTTPD.socket,
                              keyfile='key-no-pass.pem', certfile='cert.pem', server_side=True)

HTTPD.serve_forever()

The above gives me ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:2846). Is there a way to know the mismatched values?

I tried using openssl verify -verbose -CAfile cert.pem in hopes it would tell me which values mismatch, but I don't know to use it and the command I wrote just opens some interactive prompt of sorts.

I don't know anything about certificates or Python, I only ever do python -m SimpleHTTPServer. This is me trying to get a self-signed certificate so Chrome would get off my back about having to use HTTPS for some WebRTC stuff to work on localhost.

jww
  • 97,681
  • 90
  • 411
  • 885
Tomáš Hübelbauer
  • 9,179
  • 14
  • 63
  • 125

1 Answers1

26

You get this error if the private key you've specified does not match the public key in the certificate you are trying to use. Please check that the private key you use matches the public key in the certificate. This can be done be comparing the output of the following commands which should be the same:

$ openssl x509 -noout -modulus -in cert.pem
$ openssl rsa -noout -modulus -in key-no-pass.pem
Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • This is interesting. Both of the values are the same, programatically verified. – Tomáš Hübelbauer Jan 15 '17 at 09:19
  • @TomášHübelbauer: using exactly your code with the key and cert generated exactly like written in the comments in the code I don't get this error and the server works fine. Are you really sure that you access the same key and cert from the program as you've checked the modulus on? – Steffen Ullrich Jan 15 '17 at 09:26
  • I will quadruple check and come back, it must be that I'm reading a different cert somehow. -.- – Tomáš Hübelbauer Jan 16 '17 at 08:54
  • Yeah, it works now. Don't know why it didn't before. It's painfully slow to start up, but it works. Chrome doesn't trust this certificate, but it is enough to make it shut up about needing to be on secure origin to use some JS features. – Tomáš Hübelbauer Jan 16 '17 at 09:48
  • Comparing using diff: `diff <(openssl x509 -noout -modulus -in cert.pem) <(openssl rsa -noout -modulus -in key-no-pass.pem)` – Pascal Polleunus Aug 26 '20 at 17:34