Paul

Reputation: 21

(Python) Add certificate to Bottle server

I have been stuck on a problem for some time and can't find the right solution for it.

I have a Python server based on Bottle (Python 3), written with PyCharm. I'm converting my files with "pyinstaller" into one "exe" to start the server on a fixed PC (Win7). The server works fine for the things it is needed for, but now I want to add more security to it.

I have a signed certificate (not self-signed) and a key, which I want to add. I tried to start the server with them, but I'm not sure whether I have to do something else with them, because the certificate is not shown in the homepage information and the website is still shown as not safe.

My normal server is running with:

from bottle import run, ...
...
if __name__ == "__main__":
    ...
    run(host=IP, port=PORT)

I have tried some frameworks for Bottle and ended up with cherrypy as the one that starts my server in a proper way. The server is running with:

run(host=IP, port=PORT, server='cherrypy', certfile='./static/MyCert.pem', keyfile='./static/key.pem')

It is not working with the current version of cherrypy, so I downgraded it (after some searching) to ">=3.0.8, <9.0.0". The server is running, but the website is still not safe. And I don't know if it just does not load the certificate or I am missing something else. I tried things like leaving the "keyfile" out of the code or adding the key to my certificate, but it does not change anything.

Another framework I tried was gevent:

from gevent import monkey; monkey.patch_all()
...
if __name__ == "__main__":
    run(host=IP, port=PORT, reloader=False, server='gevent', certfile='./static/MyCert.pem', keyfile='./static/key.pem')

But here I can't get to the website. When I try, the terminal asks me for the PEM pass phrase, but I can't enter it (or just don't know how) and I get an error I have never seen before: terminal_error

As in my cherrypy example, I tried some combinations of leaving parts of the code out or changing the certificate, but it always ends up here.

It would be nice if someone has a solution for my problem or can give me a hint about what I'm missing or have just not thought of yet. I would like to stay with cherrypy or another framework for Bottle, so I don't have to change much of my current code.

Thanks

P.

Upvotes: 2

Views: 1857

Answers (1)

OnNIX

Reputation: 442

It sounds to me like you added a passphrase to your certificate. Regenerate your cert without a passphrase and try again.

Additionally, a word of advice: I highly recommend running your Bottle/cherrypy server behind nginx in reverse proxy mode. This simplifies your configuration by letting nginx handle the termination of your SSL session, so your Python web server never needs to know anything about a certificate.

Here's a redacted copy of the nginx config we're using to terminate our (self-signed) SSL cert and reverse proxy our cherrypy site running on localhost on port 9000:

# Port 80: redirect every plain-HTTP request to HTTPS.
server {
    listen       example.com:80;
    server_name  test.example.com;
    access_log   /var/log/nginx/test.example.com.access.log main;
    return 301 https://test.example.com$request_uri;
}

# Port 443: terminate TLS here and proxy to the cherrypy app on localhost:9000.
server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;" form
    # (removed in recent nginx releases) and works on all current versions.
    listen       example.com:443 ssl;
    access_log   /var/log/nginx/test.example.com.access.log main;
    server_name  test.example.com;
    root         /usr/local/www/test.example.com/html;
    ssl_certificate      /etc/ssl/test.example.com.crt;
    ssl_certificate_key  /etc/ssl/test.example.com.key;
    ssl_session_timeout  5m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;  # don't use SSLv3 ref: POODLE
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    client_max_body_size 16M;

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    location ~ (^|/)\. {
        return 403;
    }

    # Everything else goes to the Python app; the app sees only plain HTTP
    # from 127.0.0.1, so it needs no certificate of its own.
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header X-REAL-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Upvotes: 2
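The symptom in the question (gevent prompting for a "PEM pass phrase") and the diagnosis in the answer (a passphrase on the key) can both be checked before starting Bottle at all. The following is an added example, not code from the question, the answer or the Bottle/CherryPy projects: it inspects the PEM structure of a certfile and keyfile (block labels and the `Proc-Type`/`DEK-Info` headers that mark a legacy encrypted key), and reports the two most common reasons a "signed" certificate still shows as not trusted or fails to load. The sample PEM texts at the bottom are constructed placeholders with fake bodies, not real key material.

```python
"""Pre-flight checks on PEM cert/key files before handing them to Bottle's run().

Added example: it parses PEM structure only (labels and headers) and does not
validate the key material itself. Sample PEM texts below are constructed
placeholders with fake bodies, not real keys or certificates."""
import re
import sys
from typing import List, Tuple

# One PEM block: "-----BEGIN label-----", a body, "-----END label-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(pem_text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block in the text, in file order."""
    return [(m.group("label"), m.group("body")) for m in _PEM_BLOCK.finditer(pem_text)]


def has_private_key(pem_text: str) -> bool:
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(pem_text))


def key_is_encrypted(pem_text: str) -> bool:
    """True if loading the key will require a passphrase.

    PKCS#8 marks this with the label ENCRYPTED PRIVATE KEY; the legacy OpenSSL
    format keeps e.g. RSA PRIVATE KEY as the label and instead puts
    "Proc-Type: 4,ENCRYPTED" plus a "DEK-Info:" line at the top of the body.
    """
    for label, body in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False


def certificate_count(pem_text: str) -> int:
    return sum(1 for label, _ in pem_blocks(pem_text) if label == "CERTIFICATE")


def diagnose(cert_text: str, key_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    n_certs = certificate_count(cert_text)
    if n_certs == 0:
        findings.append("certfile: no CERTIFICATE block found")
    elif n_certs == 1:
        findings.append("certfile: only one certificate; if it was issued via an "
                        "intermediate CA, append the intermediate certificate(s) after "
                        "the server certificate so clients can build the chain")
    if not has_private_key(key_text):
        findings.append("keyfile: no PRIVATE KEY block found")
    elif key_is_encrypted(key_text):
        findings.append("keyfile: private key is passphrase-protected; a server started "
                        "without a password callback prompts for the PEM pass phrase or "
                        "fails. Write an unencrypted copy (openssl pkey -in key.pem "
                        "-out key-nopass.pem) and restrict its file permissions instead")
    return findings


def diagnose_files(certfile: str, keyfile: str) -> List[str]:
    with open(certfile) as c, open(keyfile) as k:
        return diagnose(c.read(), k.read())


# Constructed samples: the body is a placeholder, not real key material.
_FAKE_BODY = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_BODY + "-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_LEGACY_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        + _FAKE_BODY + "-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_PKCS8_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + _FAKE_BODY
                       + "-----END ENCRYPTED PRIVATE KEY-----\n")
LEAF_CERT = "-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY + "-----END CERTIFICATE-----\n"
CERT_WITH_CHAIN = LEAF_CERT + LEAF_CERT  # leaf followed by a (placeholder) intermediate

if __name__ == "__main__":
    if len(sys.argv) == 3:
        problems = diagnose_files(sys.argv[1], sys.argv[2])  # e.g. ./static/MyCert.pem ./static/key.pem
    else:
        problems = diagnose(LEAF_CERT, ENCRYPTED_LEGACY_KEY)  # demo on the constructed samples
    for p in problems:
        print("-", p)
    print("ok" if not problems else f"{len(problems)} finding(s)")
```

Run it as `python check_pem.py ./static/MyCert.pem ./static/key.pem` (file name assumed) before calling `run(..., certfile=..., keyfile=...)`; with no arguments it runs against the built-in samples. If the key is reported as encrypted, the fix is the one in the answer: produce a key without a passphrase and rely on file permissions, since a service that starts unattended cannot type a pass phrase anyway.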
