0

I am trying to build a simple HTTPS server with Python3 using the socket and ssl modules. I have a self-signed certificate and private key files generated by OpenSSL and I tried to use them with the ssl module, but every time I try, I get a "ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1076)" error. My code is:

import socket
import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.load_cert_chain(certfile='cert.pem', keyfile='my_key.key')
context.verify_mode = ssl.CERT_NONE
sock = socket.socket()
sock.bind(('', 443))
sock.listen(5)
while True:
    new_conn, addr = sock.accept()
    ssl_conn = context.wrap_socket(new_conn, server_side=True)
    print(ssl_conn.recv(1024).decode())     # this is where I get the error

The error I get is:

  File "C:\AllInOne\PortableApps\Python374\lib\ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1076)

Does anyone know why this happens or how to fix it?

2 Answers

5

Generate server.pem with the following command:

mkdir .ssh
openssl req -new -x509 -keyout .ssh/key.pem -out .ssh/cert.pem -days 365 -nodes

Run as follows:

python3 simple-https-server.py

Then in your browser, visit:

https://localhost:4443

Here is the code:

import http.server
from http.server import HTTPServer, BaseHTTPRequestHandler, SimpleHTTPRequestHandler
import ssl
import sys

# This class handles any incoming request from the browser
class myHandler(BaseHTTPRequestHandler):
    # Handler for the GET requests
    def do_GET(self):
        print(self.requestline)
        # print(self.rfile.read(content_length))
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        # Send the html message
        self.wfile.write("Hello World !".encode())
        return


try:
    separator = "-" * 80
    server_address = ("", 4443)
    # server_address = ('localhost', 4443)
    httpd = http.server.HTTPServer(server_address, myHandler)
    # httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
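    # Note: ssl.wrap_socket() is deprecated since Python 3.7 and was removed in 3.12;
    # SSLContext.wrap_socket() is the replacement on newer versions.
    httpd.socket = ssl.wrap_socket(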
        httpd.socket,
        server_side=True,
        certfile=".ssh/cert.pem",
        keyfile=".ssh/key.pem",
        ssl_version=ssl.PROTOCOL_TLS,
    )
    print(separator)
    print("Server running on https://localhost:4443")
    print(separator)
    # Wait forever for incoming HTTP requests
    httpd.serve_forever()
except KeyboardInterrupt:
    print("^C received, shutting down the web server")
    # Close the listening socket of the server object created above
    httpd.socket.close()

1 Comment

ssl.wrap_socket() is already deprecated which I think is why post used context.wrap_socket() instead
1
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1076)

The client signals your server that it does not trust your certificate. This is expected, since this is not a certificate issued by a trusted CA and you did not make the client explicitly trust this certificate. If the client would not complain it would be insecure, since every man in the middle could just use a fake certificate to identify itself as a trusted server.

4 Comments

Is there a way to make it work? I don't mind the client's browser displaying the warning. I found code that works using the http.server modules and allows me to use the self-signed certificate without an error. This is the link to said code
Is there a way to just disable this log?
@roocell: This log just shows that the client is not trusting the server. "Disabling the log" on the server side does not magically make the client trust the server - all it does is to no longer show why you have a problem, but the problem still exists and the problem does not want to communicate with the server.
@josh: The code you refer to does not make the client trust the server using a self-signed certificate. And your existing code should already result in a warning in the browser which you have to explicitly accept.
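
The behaviour described in the answer above, as an added example (not code from the question or from either answer): a client using its default trust store rejects the self-signed certificate and the server sees a handshake error, while a client that explicitly loads that certificate as trusted connects, and the accept loop survives the rejected handshake. It assumes the `openssl` CLI is installed; the `-subj` and `-addext` flags, the helper names and the OS-chosen port are additions, not from the page.

```python
import socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory):
    # Constructed throwaway cert; assumes openssl on PATH (-subj/-addext are additions).
    cert, key = f"{directory}/cert.pem", f"{directory}/key.pem"
    subprocess.run(["openssl", "req", "-new", "-x509", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def serve(listener, context, connections, log):
    # A client that rejects the certificate must not take the accept loop down.
    for _ in range(connections):
        raw, _addr = listener.accept()
        try:
            with context.wrap_socket(raw, server_side=True) as tls:
                tls.recv(1024)
                tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nHello World !")
            log.append("served")
        except OSError as exc:  # ssl.SSLError subclasses OSError (alert, reset, EOF)
            log.append(f"connection failed: {exc}")

def fetch(port, context):
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return tls.recv(1024)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(certfile=cert, keyfile=key)
        pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
        pinned.load_verify_locations(cafile=cert)         # explicit trust in this one cert
        with socket.create_server(("127.0.0.1", 0)) as listener:
            log, port = [], listener.getsockname()[1]
            worker = threading.Thread(target=serve, args=(listener, server_ctx, 2, log), daemon=True)
            worker.start()
            try:  # default trust store: the self-signed cert is unknown to it
                fetch(port, ssl.create_default_context())
                untrusted = "accepted"
            except ssl.SSLCertVerificationError:
                untrusted = "rejected"
            reply = fetch(port, pinned)
            worker.join(10)
    return untrusted, reply, log

if __name__ == "__main__":
    print(demo())
```

The alert name in the first `log` entry depends on the client; an OpenSSL-based client may report an unknown CA rather than `certificate unknown`.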
