I’m trying to connect to web server that uses HTTPS client certificate authentication. It works fine when i use curl:
leo@leo-VirtualBox:~/development/pki-client$ curl --key admin.privkey.pem --cert admin.crt -k --url "https://ca.cloud.leotr.org/"
<!DOCTYPE html>
<html>
<head>
<title>Welcome to CA</title>
<link href="/static/bootstrap/css/bootstrap.min.css" rel="stylesheet"/>
</head>
<body>
<div class="container">
<h1>REMS CA server</h1>
<p class="lead">Hello and welcome to REMS CA. Currently this page is
almost empty. But you can download CA root certificate and install it
into your browser ;)</p>
<a class="btn btn-large btn-primary" href="/remspki/cacert/">Download CA certificate</a>
<a class="btn btn-large" href="/admin/">Go to Admin site <i class="icon-arrow-right"></i> </a>
</div>
</body>
</html>
Client private key file contents
leo@leo-VirtualBox:~/development/pki-client$ cat admin.privkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdN
ggw/D70jEfc7dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrg
EtRLyFFv3OB1sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qo
Ll7aBIpbugFew6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2
XUUMOqi+/jFmiXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi
/JR8dsm985c5KPLIxWVGK0VKC67catEY5j/70wIDAQABAoIBAAF+RwOhFmQIcBU7
kywMZ7XetGB6OTzSpBzzu5sjzLq4qqWtxfU00mL3gUzJPuQGE3Ldq986nhbR/mn3
6BkFpatsa8ypn0W9hYC8AK3KPPsmvGs+yCt/Lisxdv9PmcZc49LhWOtMBTMiYtFH
iTJdV5ToGT6kNirdLscxtCHsVe21EH2TMO4k06bK18UJFewswsyMN66FKX0wSF9w
yZ/9A9VJOaUOXo6Mos/tvyf9rjhOqb02DOqOuWVVFRWWax75+M2qKnacSuKfMPfc
21B3ulQRIcR7PjIVIMTZkLO+MjD7DBiywIcD50H1005cL05a8latjXdENY5Xeh9Z
duS4I5ECgYEA3BzbGf45gDzZWTeTjnfQ/9m3MuGmAzAG2zjStFQnquiMyH0IZzSB
/awKJxXcdO7cUXfjOWxIgA7nNj+ewOUXj5uQH9F+8cl+raxyEsixdPwfSzCyLcwD
Zp2SsoXKPRx12SrAbl5wQqePN6+pntLRmW8xfUKFZAhs5CtxQ6bymBkCgYEA1L+V
zas85TUITqZi0//lmdqWdfRhkHdIBkLsHxRE4RnEsfGqvy3XQZTQ0zLGjz4WtUSq
xjh0rK6jMGEGGypRM8G0kpfBpGFYu9Hy8hpFKDwnihfk/XnuaXBLiN82V8vVWGrl
tc5DrTHCxVbVW99W7IaVVLgY/D0kFI/195yYYMsCgYBGTIUBmTs+JLD6GJDs6IF8
pUkoW/8Md5NJAq3w4AvHPvxvr9c2NwPpQ7/+WbIOOpdtAZA1r8q784aOweTvEHvk
5rcyIlOb31GxIClSrHxYs4k/F29gxw6zAFJw59/+go90632IAmtyLlfEXjsbOZOt
oGC687rshvBYMzO6eqBySQKBgQCDG95x9Ql+J4SLE7br91PD0RXQc1587UWRtkRV
kuQv5PV2w/v5/YIehFt9DFmZhSXxZ/PmXHxqvuUKt4BP1XBdeQ6TGLrZVrScavJR
iSb9eLTVQYx5OV9X00B5hTW0PYWpC5esxwSmA3iIrM6n46dp9DarExkyuWs20NFA
W1z8qQKBgGD2XiB/N9QRVNW0CpuVgWx3HBllJpXT2QMeCx57AEeCmOnSkByyvYmR
Aszu2CQn2ynHO+3B46uJ+Sg2pmcEjvUrhERhRT23lpZY8VDGpfVjfQcqfVhwzrHQ
Y2kf6WV+C32klQ6bKOwwO9TavvKCloiENJfbRdLvGvswBVgnWlGW
-----END RSA PRIVATE KEY-----
Client certificate
leo@leo-VirtualBox:~/development/pki-client$ cat admin.crt
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBRMRIwEAYKCZImiZPyLGQB
GRYCS1oxGDAWBgoJkiaJk/IsZAEZFghSQUlMV0FZUzEUMBIGCgmSJomT8ixkARkW
BFJFTVMxCzAJBgNVBAMTAkNBMB4XDTEyMTIyODIyNTI1MFoXDTE3MTIyNzIyNTI1
MFowbjESMBAGCgmSJomT8ixkARkWAktaMRgwFgYKCZImiZPyLGQBGRYIUkFJTFdB
WVMxFDASBgoJkiaJk/IsZAEZFgRSRU1TMSgwEgYDVQQDEwtMZW8gVHJ1YmFjaDAS
BgoJkiaJk/IsZAEBEwRBMDAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtuyfxqDJghI9F0hyqTA2rl/RrBIL/B0oemxou0obC6xwIqdNggw/D70jEfc7
dqc5ZIsek50aDHsWeLyP/uvBWYYWh55anF9Wu1ZUHhsqS3fmJtrgEtRLyFFv3OB1
sdflGAHRajL1jADvF52n6FUl67/z6bqGfvimszD2utdBk2H3B1qoLl7aBIpbugFe
w6TiGzCUnQNGTbfxJEF9K3tLjhHN06vJg++rqmTT4Lkg4Uoi6Hn2XUUMOqi+/jFm
iXjtTIGHPRzvm1OgjC/9Yr6IEUJyhs0V5XEGHVcUTfw+YfK1DTPi/JR8dsm985c5
KPLIxWVGK0VKC67catEY5j/70wIDAQABoz8wPTAMBgNVHRMBAf8EAjAAMA4GA1Ud
DwEB/wQEAwIC/DAdBgNVHQ4EFgQUbmKGUje1HCUQVd//jZjJmgYJ2mswDQYJKoZI
hvcNAQEFBQADggEBALJEtadF5zPh6pJzj0c2vLISnZ4jBi6aaCOvz1Ph2gFrI9te
mvXVnlFLe7JJxStDlLurQ+hLqY9Q8vIczAEp2r9uJyfBpeHsc0YP6UbOXg6WLHLl
fU0tKb9PqfcMwfKUH8Nb6Q6Kt5EuQzIraYweXHNyOiKSB3ZogjPVdZnoe5gXYUpG
5cE8k2SjGVEWxc94ygcbiN+ziaUz/jos+TwqgsBp+yel0frO3DKGqQjfuOLgeTpf
xaNlPXdzFfEn0VWva36skrRzHNwZESI/Dd626eyUfxuTLLq5+Gb1D8WZj5RRqu1n
I9cZs9gCmZswWQy2/cExRPhgSWbwUWOhOCQsFVo=
-----END CERTIFICATE-----
Python code:
leo@leo-VirtualBox:~/development/pki-client$ cat httpstest.py
from httplib import HTTPSConnection
from config import ADMIN_CERT, ADMIN_KEY
h = HTTPSConnection(
'ca.cloud.leotr.org', 443, key_file=ADMIN_KEY, cert_file=ADMIN_CERT)
h.request('GET', '/')
resp = h.getresponse()
print(resp.status)
print(resp.read())
Output:
leo@leo-VirtualBox:~/development/pki-client$ python httpstest.py
400
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
Let’s try more level Python code
leo@leo-VirtualBox:~/development/pki-client$ cat ssltest.py
from config import ADMIN_CERT, ADMIN_KEY
import socket
import ssl
sock = socket.create_connection(('ca.cloud.leotr.org', 443), None)
print('Admin key: ', ADMIN_KEY)
print('Admin cert', ADMIN_CERT)
sslsock = ssl.wrap_socket(
sock, keyfile=ADMIN_KEY, certfile=ADMIN_CERT)
request = ('GET / HTTP/1.1',
'Host: ca.cloud.leotr.org',
'Accept: text/html',
'Accept-Encoding: gzip,deflate,sdch')
request_body = '\n'.join(request) + '\n'*2
sslsock.write(request_body)
response = sslsock.read()
print response
Python result
leo@leo-VirtualBox:~/development/pki-client$ python ssltest.py
('Admin key: ', 'admin.privkey.pem')
('Admin cert', 'admin.crt')
HTTP/1.1 400 Bad Request
Server: nginx/1.1.19
Date: Fri, 04 Jan 2013 04:59:52 GMT
Content-Type: text/html
Content-Length: 231
Connection: close
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
So i can’t understand what’s wrong.
The problem here is that you’re trying to connect to a CA that isn’t in the default CA list. Since the CA site’s cert is signed by the CA, the site cannot be visited over SSL until you first download the cert and install it.
The HTML result shows that there are instructions to “download CA root certificate and install it into your browser”. If you don’t do that, you get an error from your browser saying something like:
Likewise, if you try it with
curl, you get the same error:The only reason this is working for
curlis that you’ve specified the-kflag, aka--insecure. From the man page:And again, in your Python code, you’re getting the same error.
The solution, in all three cases, is the same: Download the CA’s cert and put it in your cert store (or explicitly use it in place of your default cert store).