Reputation: 540
When I kick off my tornado https server, I am asked for a PEM password (which I did not set, so I just hit enter)
Enter PEM pass phrase:
2013-10-17 14:24:46,730 ioloop.py:660 Exception in I/O handler for fd 3
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tornado/ioloop.py", line 653, in start
    self._handlers[fd](fd, events)
  File "/usr/lib/python2.7/site-packages/tornado/stack_context.py", line 241, in wrapped
    callback(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/tornado/netutil.py", line 141, in accept_handler
    callback(connection, address)
  File "/usr/lib/python2.7/site-packages/tornado/tcpserver.py", line 212, in _handle_connection
    do_handshake_on_connect=False)
  File "/usr/lib/python2.7/site-packages/tornado/netutil.py", line 322, in ssl_wrap_socket
    return ssl.wrap_socket(socket, **dict(context, **kwargs))
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Enter PEM pass phrase:
I generated the keys with these instructions: http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/
Then I modified the tornado spin-up as follows:
import tornado.httpserver

# Certificate and private key handed to Tornado as ssl_options
SSL_OPTIONS = {
    "certfile": "path/to/crt",
    "keyfile": "path/to/private/key",
}
https_server = tornado.httpserver.HTTPServer(application, ssl_options=SSL_OPTIONS)
I can't find any solution to this problem. I am using the latest tornado version and python 2.7
Thanks!
Upvotes: 1
Views: 2207
Reputation: 22134
If you followed the instructions on that page, your key still has a password, it's just empty. I'm not sure if it's possible to use a key with a password non-interactively in Python 2 (the SSLContext.load_cert_chain method for this is new in Python 3.2). You can create a key with no password at all (which will disable the prompt) by changing -des3 to -nodes in the first step: openssl genrsa -nodes -out www.thegeekstuff.com.key 1024 (and then repeating the remaining steps for the new key), or using openssl rsa to strip the password from the key you've already got (see http://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html).
Upvotes: 2
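An added example (not code from the question or the answer) of the Python 3 route the answer mentions: check whether the PEM key is encrypted before starting the server, pass the passphrase to SSLContext.load_cert_chain so nothing prompts on the terminal, and refuse an unencrypted key that other users can read. The names key_encryption, build_ssl_context, KeyConfigError and the TLS_KEY_PASSPHRASE variable are hypothetical, and the sample PEM text is constructed.

```python
import os
import ssl
import stat

# Constructed sample headers (bodies are placeholders, not real key material).
ENCRYPTED_TRADITIONAL = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
    "PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
UNENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
               "PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")


class KeyConfigError(ValueError):
    """Raised before any TLS setup when the key file is not usable as configured."""


def key_encryption(pem_text):
    """Return 'pkcs8', 'traditional', or None if the PEM key is not encrypted."""
    lines = [line.strip() for line in pem_text.splitlines()]
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in lines:
        return "pkcs8"
    if "Proc-Type: 4,ENCRYPTED" in lines:
        return "traditional"  # traditional OpenSSL PEM encryption header
    return None


def build_ssl_context(certfile, keyfile, password=None):
    """Build a server SSLContext without falling back to a terminal prompt."""
    with open(keyfile) as fh:
        kind = key_encryption(fh.read())
    if kind and password is None:
        raise KeyConfigError("key is encrypted (%s) but no passphrase was supplied" % kind)
    if kind is None and stat.S_IMODE(os.stat(keyfile).st_mode) & 0o077:
        raise KeyConfigError("unencrypted key is readable by group/other; chmod 600 it")
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # server-side context
    ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx


# Usage with Tornado, which accepts an SSLContext as ssl_options
# (TLS_KEY_PASSPHRASE is an assumed environment variable name):
#   ctx = build_ssl_context("path/to/crt", "path/to/private/key",
#                           password=os.environ["TLS_KEY_PASSPHRASE"])
#   tornado.httpserver.HTTPServer(application, ssl_options=ctx)
```

If the passphrase is stripped instead, the key file's permissions become the only protection for the private key, which is why the unencrypted path checks the mode bits.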