@GrahamDumpleton
Last active January 10, 2020 22:05
Running HTTPS and client authentication with mod_wsgi-express.

Note that client authentication requires the very latest mod_wsgi-express version.

For now this means installing from the git repo. To install run:

pip install -U https://github.com/GrahamDumpleton/mod_wsgi/archive/develop.zip

To create a self-signed server certificate so that you can run HTTPS use:

# Step 1: Generate a Private Key. Use 2048 bits: OpenSSL builds at the
# default security level on current distributions, and current browsers,
# reject 1024-bit RSA keys.
openssl genrsa -des3 -out server.key 2048

# Step 2: Generate a CSR (Certificate Signing Request). Answer the
# Common Name prompt with the server's FQDN (for example ssl.example.com).
openssl req -new -key server.key -out server.csr

# Step 3: Remove the passphrase from the key. Apache has no terminal to
# prompt for it at startup, so the key on disk must be unencrypted;
# protect it with file permissions instead (chmod 600 server.key).
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

# Step 4: Generate a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

To create a client certificate for client authentication use:

# Step 1: Create the CA Key and Certificate for signing Client Certs.
# Keep ca.key passphrase-protected: anyone holding it can issue client
# certificates the server will accept.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Step 2: Create the Client Key and CSR (2048 bits, as for the server key).
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr

# Step 3: Sign the client certificate with our CA cert. Unlike the server
# cert, which is self-signed, the client cert must be issued by ca.crt,
# because ca.crt is the trust anchor the server checks client certs against.
# If you issue more than one client cert, give each a distinct serial
# (-CAcreateserial instead of a fixed -set_serial 01).
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Then run mod_wsgi-express as (the command assumes the files generated above were moved into a directory named ssl-certs):

mod_wsgi-express start-server --log-to-terminal --startup-log --https-port 8443 --https-only --server-name ssl.example.com --ssl-certificate-file ssl-certs/server.crt --ssl-certificate-key-file ssl-certs/server.key --ssl-ca-certificate-file ssl-certs/ca.crt

Set --server-name to the actual FQDN used in the server certificate. Passing --ssl-ca-certificate-file is what enables client certificate verification: a client that presents no certificate, or one not issued by ca.crt, is refused during the TLS handshake, before any request reaches the WSGI application.

One can use curl against the site as:

curl --insecure --cert client.crt --key client.key https://ssl.example.com:8443

--insecure only skips verification of the self-signed server certificate; the client certificate is still sent and checked by the server. To verify the server as well, replace --insecure with --cacert server.crt (the host name in the URL must then match the certificate's Common Name). Because client.key is passphrase-protected, curl will prompt for the passphrase; supply it with --pass, or strip it from client.key as in Step 3 of the server certificate instructions.
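As an added example (not code from the gist): a shell script that carries out the two procedures above in one go (self-signed server certificate, then a private CA and a CA-issued client certificate) with 2048-bit keys, unencrypted leaf keys and a SAN on the server certificate, and then checks locally what the server checks at the handshake: a client certificate is accepted only if it chains to ca.crt, regardless of its Common Name. It assumes openssl is installed (1.1.1 or later for -addext); the output directory ./ssl-certs and the rogue certificate are this example's own constructions, and ssl.example.com is the host name from the page.

```shell
#!/bin/sh
# Added example, not part of the original gist: builds the CA, server and
# client material the gist walks through, but with 2048-bit keys, unencrypted
# leaf keys (-nodes) and a SAN on the server cert, then checks locally what
# Apache checks at handshake time: a client cert verifies only if it chains
# to ca.crt. Assumes openssl (1.1.1+ for -addext) and a hypothetical output
# directory ./ssl-certs (override with CERT_DIR).
set -eu

CERT_DIR="${CERT_DIR:-./ssl-certs}"

# Private CA whose only job is to sign client certificates. A real CA key
# should be passphrase-protected (drop -nodes); -nodes keeps this lab script
# non-interactive.
make_ca() {
    mkdir -p "$CERT_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Client CA" \
        -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt" >/dev/null 2>&1
    chmod 600 "$CERT_DIR/ca.key"
}

# Self-signed server certificate. The SAN is what current clients match the
# host name against; a CN alone is no longer enough for browsers.
make_server_cert() {
    host="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$CERT_DIR/server.key" -out "$CERT_DIR/server.crt" >/dev/null 2>&1
    chmod 600 "$CERT_DIR/server.key"
}

# Client key and CSR, then a certificate issued by the CA. -CAcreateserial
# gives each issued cert a distinct serial (a fixed -set_serial 01 would not).
make_client_cert() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$CERT_DIR/$name.key" -out "$CERT_DIR/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$CERT_DIR/$name.csr" \
        -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
        -out "$CERT_DIR/$name.crt" >/dev/null 2>&1
    chmod 600 "$CERT_DIR/$name.key"
}

# A well-formed client cert with the same CN that was NOT issued by our CA
# (self-signed). This is what someone without access to ca.key can produce.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=client" \
        -keyout "$CERT_DIR/rogue.key" -out "$CERT_DIR/rogue.crt" >/dev/null 2>&1
}

# The check mod_ssl performs against SSLCACertificateFile: does the presented
# certificate chain to ca.crt? Exit status 0 = accepted, non-zero = refused.
client_cert_ok() {
    openssl verify -CAfile "$CERT_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# Apache cannot prompt for a passphrase at startup, so the server key on
# disk must be unencrypted. Exit status 0 = no ENCRYPTED marker in the PEM.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

build_all() {
    make_ca
    make_server_cert ssl.example.com
    make_client_cert client
    make_rogue_cert
}

# Stand-alone run: build everything and report which client cert verifies.
build_all
if client_cert_ok "$CERT_DIR/client.crt"; then
    echo "client.crt: issued by ca.crt, the server would accept it"
fi
if ! client_cert_ok "$CERT_DIR/rogue.crt"; then
    echo "rogue.crt: same CN but not issued by ca.crt, the server would refuse it"
fi
```

After running it, point mod_wsgi-express at ssl-certs/server.crt, ssl-certs/server.key and ssl-certs/ca.crt as in the command above. Connecting with --cert client.crt --key client.key should succeed, while --cert rogue.crt --key rogue.key should fail the handshake, which is the property the client-authentication setup is meant to give you.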
@glenlandau

Hi, since I updated mod_wsgi-express using the command you gave, I'm getting the following error: "/etc/mod_wsgi-express-80/apachectl: 89: exec: -a: not found". Have no idea why...

@sanjeevp123

I tried it and am getting this error:

* Rebuilt URL to: https://10.237.172.121:8443/
*   Trying 10.237.172.121...
* Connected to 10.237.172.121 (10.237.172.121) port 8443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 key or certificate file: Error while reading file.
* Closing connection 0
curl: (35) error reading X.509 key or certificate file: Error while reading file.

@GrahamDumpleton
Author

If you have questions about mod_wsgi, use the mailing list.
