Forbidden: You don't have permission to access this resource. Reason: Cannot perform Post-Handshake Authentication

166 views
Skip to first unread message

Kaushik Ramnath Ganesan

unread,
Mar 31, 2021, 6:28:33 PMMar 31
to modwsgi
I have a problem using SSL certificate in a dockerized Django application. I used the commands given by Graham to create SSL certificates in https://gist.github.com/GrahamDumpleton/b79d336569054882679e. I copied these certificates and pasted those files in a folder called "ssl_certs". If I run the docker now using the below commands I get " Post-Handshake Authentication" error when I call https://localhost:8443/.

1. How to resolve this error? 
2. Is there any way to create an SSL certificate using Dockerfile commands in Dockerfile and make Django use these certificates after I build and run the docker container?

Docker build and run commands:
      1. Build command
: docker build -t ssl-api .
      2. Run command: docker run -it -p 8443:8443 ssl-api

Dockerfile:
FROM python:3

RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen
ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-
COPY ./requirements.txt /requirements.txt
RUN pip install --no-cache-dir -r /requirements.txt
WORKDIR /opt/app-root
COPY . /opt/app-root

EXPOSE 8443

CMD ["mod_wsgi-express", "start-server","--threads","20","--processes","5","--user","www-data", "--group", "www-data","--log-to-terminal","/opt/app-root/mysite/wsgi.py","--startup-log" , "--https-port" ,"8443" ,"--https-only" ,"--server-name" ,"Kaushik", "--allow-localhost" ,"--ssl-certificate-file" ,"/opt/app-root/ssl_certs/server.crt", "--ssl-certificate-key-file", "/opt/app-root/ssl_certs/server.key" ,"--ssl-ca-certificate-file" ,"/opt/app-root/ssl_certs/ca.crt"]

LOGS:
Server URL         : http://Kaushik:8000/
Server URL (HTTPS) : https://Kaushik:8443/
Server Root        : /tmp/mod_wsgi-localhost:8000:0
Server Conf        : /tmp/mod_wsgi-localhost:8000:0/httpd.conf
Error Log File     : /dev/stderr (warn)
Startup Log File   : /dev/stderr
Request Capacity   : 100 (5 processes * 20 threads)
Request Timeout    : 60 (seconds)
Startup Timeout    : 15 (seconds)
Queue Backlog      : 100 (connections)
Queue Timeout      : 45 (seconds)
Server Capacity    : 170 (event/worker), 160 (prefork)
Server Backlog     : 500 (connections)
Locale Setting     : en_US.UTF-8
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-)
[Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
[Wed Mar 31 17:32:28.663192 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Mar 31 17:32:28.664060 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name
[Wed Mar 31 17:32:28.665207 2021] [mpm_event:notice] [pid 1:tid 139700681196672] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 OpenSSL/1.1.1d configured -- resuming normal ope
rations
[Wed Mar 31 17:32:28.665241 2021] [core:notice] [pid 1:tid 139700681196672] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr
-D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_VERIFY_CLIENT -D MOD_WSGI_HTTPS_ONLY -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -
D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND'
[Wed Mar 31 17:32:33.221933 2021] [ssl:error] [pid 15:tid 139700669671168] [client 172.17.0.1:39750] AH10129: verify client post handshake
[Wed Mar 31 17:32:33.221977 2021] [ssl:error] [pid 15:tid 139700669671168] [client 172.17.0.1:39750] AH10158: cannot perform post-handshake authentication
[Wed Mar 31 17:32:33.222028 2021] [ssl:error] [pid 15:tid 139700669671168] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
[Wed Mar 31 17:32:33.383493 2021] [ssl:error] [pid 15:tid 139700669138688] [client 172.17.0.1:39762] AH10129: verify client post handshake, referer: https://localhost:8443/
[Wed Mar 31 17:32:33.383556 2021] [ssl:error] [pid 15:tid 139700669138688] [client 172.17.0.1:39762] AH10158: cannot perform post-handshake authentication, referer: https://localhost:8443
/
[Wed Mar 31 17:32:33.383606 2021] [ssl:error] [pid 15:tid 139700669138688] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received

Graham Dumpleton

unread,
Mar 31, 2021, 6:41:53 PMMar 31
to mod...@googlegroups.com
For a start, the value given to --server-name should be a fully qualified host name matching what you used to create the certificate. What you are using is invalid and the source of the error:

[Wed Mar 31 17:32:28.659790 2021] [ssl:warn] [pid 1:tid 139700681196672] AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name

Your locale setting is also wrong. You have:

LC_ALL=en_US.UTF-

and are missing the '8' at the end. This is the source of the error:

/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-)

The main problem though is that the specific recipe you are following is for when you want to require a client certificate be used with a site. It is not correct way of doing things for a general public web site.

Were you specifically want users access it to have to have the client certificate. Right now you aren't using the client side certificate and why you probably get the errors.

Graham

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/5ad0acbf-a933-4aa5-b7d9-002a8858103bn%40googlegroups.com.

Kaushik Ramnath Ganesan

unread,
Apr 1, 2021, 12:16:59 PMApr 1
to modwsgi
I have made the changes you have suggested above.

1. I created new certificates with the server name  127.0.0.1.nip.io. Also changed the server name in the Django API to 127.0.0.1.nip.io and the API works fine. But I still get this warning ( AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name). Should I be worried about this warning?
2. The Django API work fine without --ssl-ca-certificate-file opt/app-root/ssl_certs/ca.crt but when I include the client certificate it throws the post-handshake error. Do I have to buy an SSL certificate from valid providers like AWS or Let's encrypt to make this client certificate error go away?

For your reference:


Docker build and run commands:
      1. Build command
: docker build -t ssl-api .
      2. Run command: docker run -it -p 443:443 ssl-api

Dockerfile:

FROM python:3

RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen
ENV LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8

COPY ./requirements.txt /requirements.txt
RUN pip install --no-cache-dir -r /requirements.txt
WORKDIR /opt/app-root
COPY . /opt/app-root

EXPOSE 443

CMD ["mod_wsgi-express", "start-server","--threads","20","--processes","5","--user","www-data", "--group", "www-data","--log-to-terminal","/opt/app-root/mysite/wsgi.py","--startup-log" , "--https-port" ,"443" , "--server-name" ,"127.0.0.1.nip.io", "--allow-localhost" ,"--ssl-certificate-file" ,"/opt/app-root/ssl-certs-1/server.crt", "--ssl-certificate-key-file", "/opt/app-root/ssl-certs-1/server.key"]

LOGS:
Server URL         : http://127.0.0.1.nip.io:8000/
Server URL (HTTPS) : https://127.0.0.1.nip.io/
Server Root        : /tmp/mod_wsgi-localhost:8000:0
Server Conf        : /tmp/mod_wsgi-localhost:8000:0/httpd.conf
Error Log File     : /dev/stderr (warn)
Startup Log File   : /dev/stderr
Request Capacity   : 100 (5 processes * 20 threads)
Request Timeout    : 60 (seconds)
Startup Timeout    : 15 (seconds)
Queue Backlog      : 100 (connections)
Queue Timeout      : 45 (seconds)
Server Capacity    : 170 (event/worker), 160 (prefork)
Server Backlog     : 500 (connections)
Locale Setting     : en_US.UTF-8
[Thu Apr 01 16:08:00.161434 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Apr 01 16:08:00.165326 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Apr 01 16:08:00.165890 2021] [ssl:warn] [pid 1:tid 140009763792000] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Thu Apr 01 16:08:00.167043 2021] [mpm_event:notice] [pid 1:tid 140009763792000] AH00489: Apache/2.4.38 (Debian) mod_wsgi/4.7.1 Python/3.9 OpenSSL/1.1.1d configured -- resuming normal operations
[Thu Apr 01 16:08:00.167074 2021] [core:notice] [pid 1:tid 140009763792000] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-localhost:8000:0/httpd.conf -E /dev/stderr -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_ALLOW_LOCALHOST -D MOD_WSGI_MULTIPROCESS -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND'

Graham Dumpleton

unread,
Apr 6, 2021, 12:42:00 AMApr 6
to mod...@googlegroups.com

On 2 Apr 2021, at 3:16 am, Kaushik Ramnath Ganesan <kaushik...@gmail.com> wrote:

I have made the changes you have suggested above. 

1. I created new certificates with the server name  127.0.0.1.nip.io. Also changed the server name in the Django API to 127.0.0.1.nip.io and the API works fine. But I still get this warning ( AH01909: localhost:8443:0 server certificate does NOT include an ID which matches the server name). Should I be worried about this warning?

It is hard to say as you don't show how you generated the certificate. It is unclear if you are still using a method which generates a client certificate as part of the requirement when you shouldn't. That gist you linked isn't how you should be generating it.

2. The Django API work fine without --ssl-ca-certificate-file opt/app-root/ssl_certs/ca.crt but when I include the client certificate it throws the post-handshake error. Do I have to buy an SSL certificate from valid providers like AWS or Let's encrypt to make this client certificate error go away?

You definitely don't usually want to be requiring a client certificate.

The only issue with generating a certificate yourself is that it will be a self signed certificate, in which case people will have to indicate they trust your certificate, or you need to provide them with a certificate authority file for the browser to trust.

So self signed certificates can work, but for public sites these days better off using lets encrypt to generate certificates.


Reply all
Reply to author
Forward
0 new messages