
Fails to load cert chain when using signed certificates #15

Closed
tjtaill opened this issue Jan 31, 2019 · 7 comments

Comments

@tjtaill

tjtaill commented Jan 31, 2019

Hi, I believe there is a bug at

https://github.com/pgjones/hypercorn/blob/master/hypercorn/config.py#L158

when I use Quart with a signed certificate as follows

app.run(ca_certs='ca.crt', certfile='cert.crt', keyfile='key.pem')

I get the following

hypercorn/config.py", line 158, in create_ssl_context
context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3824)

I believe line https://github.com/pgjones/hypercorn/blob/master/hypercorn/config.py#L160
should be called before

https://github.com/pgjones/hypercorn/blob/master/hypercorn/config.py#L158

Anyway, I have reverted to unsigned certs for now and will probably just use Gunicorn,
but I thought I would let you know about this bug. Thank you for your Quart project,
which I am really loving.

@pgjones
Owner

pgjones commented Jan 31, 2019

Thanks, I've not seen this before, could you try this patch?

diff --git a/hypercorn/config.py b/hypercorn/config.py
index 1ebf116..61f8bce 100644
--- a/hypercorn/config.py
+++ b/hypercorn/config.py
@@ -155,13 +155,13 @@ class Config:
         except NotImplementedError:
             pass  # NPN is not necessarily available
 
-        context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
-        if self.ca_certs is not None:
-            context.load_verify_locations(self.ca_certs)
         if self.verify_mode is not None:
             context.verify_mode = self.verify_mode
         if self.verify_flags is not None:
             context.verify_flags = self.verify_flags
+        if self.ca_certs is not None:
+            context.load_verify_locations(self.ca_certs)
+        context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
 
         return context
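Review bot: The reorder is unlikely to address the reported failure: load_cert_chain parses certfile and keyfile on its own, independently of whatever load_verify_locations has added to the trust store, so an `[SSL] PEM lib` error raised from that call points at the contents of those two files (the order or format of the PEM blocks, or a malformed key) rather than at the order of the calls. The swap itself is harmless, but rather than shipping it as a fix, consider keeping the original order and documenting next to this call what the certfile is expected to contain (the server certificate first, followed by any intermediates), since that is what the reporter's trace suggests went wrong.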

@tjtaill
Author

tjtaill commented Feb 1, 2019

I will try the patch, sorry, I've been busy learning Azure.

@tjtaill
Author

tjtaill commented Feb 4, 2019

I tried your patch; it didn't work, unfortunately. I tried a couple of other things as well, like loading the cafile in the creation of the SSL context, but that didn't work either. There might be something wrong with my certificates. I will try with another server, or maybe try with pure Python ssl and see if I can get that to work.

@pgjones
Owner

pgjones commented Feb 4, 2019

Hmm, this is weird. Please update with what you find.

@tjtaill
Author

tjtaill commented Feb 14, 2019

OK, sorry I took so long. In the end there is nothing wrong with hypercorn's code; I have it working fine.
It was just very complicated to figure out how to set up the certificate chain so that it would be trusted, is all. There was a bug in the key file generated by the provider as well.

@tjtaill tjtaill closed this as completed Feb 14, 2019
@pgjones
Owner

pgjones commented Feb 16, 2019

Do the hypercorn docs on SSL setup need improving, or was the complication outside of hypercorn?

@tjtaill
Author

tjtaill commented Feb 19, 2019

Do the hypercorn docs on SSL setup need improving, or was the complication outside of hypercorn?

The complication is from Python SSL: you need to pip install certifi to get the CA file you need, and then set up your certfile in the following format:

certificate
intermediate certificates
root certificate

They have to be in the correct order, and the root certificate has to be in the CA file as well.

The Python ssl docs are not great either; they seem to suggest you should set verify_mode to
CERT_REQUIRED, but this is wrong: what it means is that the client has to supply a valid certificate, which you don't want.

Here is the hypercorn Python config file I use:

import certifi

bind = ['0.0.0.0:443']
ca_certs = certifi.where()
certfile = 'cert_prod.pem'
keyfile = 'key_prod.pem'

GoDaddy also gave me a corrupted key file, so I needed to debug that as well.

So go my adventures in Python ssl.
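Added example, not hypercorn or Quart code and not from anyone in this thread: a standard-library-only check that a PEM certfile is ordered the way the comment above ended up with (certificate, then intermediates, then root), done by comparing each certificate's issuer Name with the next certificate's subject Name as raw DER bytes. The sample certificates are constructed, unsigned placeholders with X.509 layout only; the check catches the ordering mistake and nothing else (it does not verify signatures or trust, which `openssl verify` does).

```python
import re, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certs need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _elements(seq):
    """Split a DER SEQUENCE into its children as (tag, whole_tlv_bytes) pairs."""
    _, pos, end = _tlv(seq, 0)
    out = []
    while pos < end:
        tag, _, ve = _tlv(seq, pos)
        out.append((tag, seq[pos:ve]))
        pos = ve
    return out

def names(der):
    """Return (issuer, subject) of a DER X.509 certificate as raw DER Name bytes."""
    fields = _elements(_elements(der)[0][1])            # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, issuer, validity, subject

def chain_order_errors(pem_text):
    """List each adjacent pair in a PEM bundle where cert i was not issued by cert i+1."""
    certs = [names(ssl.PEM_cert_to_DER_cert(m.group(0))) for m in PEM_RE.finditer(pem_text)]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

# Constructed, unsigned placeholder certificates (X.509 layout only) to exercise the check.
def _der(tag, content):                                 # short-form lengths suffice here
    return bytes([tag, len(content)]) + content

def _name(cn):                                          # Name = SEQ{SET{SEQ{OID commonName, UTF8String}}}
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))

def fake_cert_pem(subject, issuer):
    alg = _der(0x30, b"\x06\x01\x00")                   # placeholder AlgorithmIdentifier
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + alg + _der(0x03, b"\x00")))

LEAF = fake_cert_pem("www.example.test", "Example Intermediate CA")
INTER = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")
```

Run `chain_order_errors(open("cert_prod.pem").read())` over the bundle you hand to hypercorn: an empty list means each certificate is followed by its issuer, which is the order the thread arrived at.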
