Under review

Custom SSL problems

Gabriel Baker 10 years ago updated by Eugene Pankov (Project coordinator) 10 years ago 11
Trying to use a real SSL certificate with Ajenti. I have the private key, site certificate, intermediate and root certificates, which I use fine on Apache, but when trying to combine them into a single PEM for Ajenti to use, the website is always unavailable, with this error appearing in the logs:

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/gevent/greenlet.py", line 327, in run
    result = self._run(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/gevent/server.py", line 102, in wrap_socket_and_handle
    ssl_socket = self.wrap_socket(client_socket, **self.ssl_args)
  File "/usr/lib/python2.7/dist-packages/gevent/ssl.py", line 383, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/dist-packages/gevent/ssl.py", line 94, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/dist-packages/gevent/ssl.py", line 305, in do_handshake
    return self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
<Greenlet at 0x7f816fe35eb0: <bound method SocketIOServer.wrap_socket_and_handle of <SocketIOServer at 0x7f816f7fca50 fileno=8 address=0.0.0.0:8000>>(<socket at 0x7f816f674210 fileno=12 sock=178.62.19, ('82.7.176.154', 55731))> failed with SSLError
```

It's a stupid question, but are you actually using a https:// URL? At least the error code suggests that you might be trying to open it with http://.
Sorry I realised I'd pasted the wrong error message, have fixed it now
Does the same server+browser configuration work with a self-signed certificate generated by Ajenti?
Yes, it's just when trying to combine the custom cert into a PEM for Ajenti. openssl validates it on the command line: `openssl x509 -in certname.pem -inform pem -noout -text`
Please test SSL status with https://www.ssllabs.com/ssltest/ (if your server is accessible from the web)
https://www.ssllabs.com/ssltest/analyze.html?d=prowl.autonomicpilot.co.uk is the same cert but on a different server and not combined into a single cert
Is it possible to run the test exactly on Ajenti with the combined certificate?
Also, see: https://bbs.arkos.io/t/problem-with-ssl-and-startssl/328/2
I've tried combining all 4 files into one
priv.key
domain.crt
intermediate.pem
root.pem

but alas, no luck. I'll go and post on StartSSL and see if they've got a tool for combining it. Is it possible the SSL engine in Python can't handle it for some reason?

The `no shared cipher` bit is strange.

If I get ajenti running with the generated unsigned cert can I configure nginx from within it to host it? Sounds a bit dodgy
Have you checked the presence of newlines between PEM parts as suggested in the linked answer?
Have you had any luck with the certificate so far? Arkos is in fact an Ajenti-based software, and the problem reported in the above link looks identical to yours.
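
The newline check suggested in the replies above, as an added example (not part of the thread and not Ajenti's code): a Python script that reports PEM boundary lines run together by concatenation, plus a missing key or certificate block. The function name `check_pem_bundle`, the helper `_block` and both sample bundles are constructed for illustration.

```python
import re

# Matches a PEM boundary such as "-----BEGIN CERTIFICATE-----".
BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")


def check_pem_bundle(text):
    """Return (block_labels, problems) for a concatenated PEM bundle."""
    labels, problems, open_label = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        marks = list(BOUNDARY.finditer(line))
        if not marks:
            continue
        # A boundary must be alone on its line. Joining files when one has no
        # trailing newline gives "-----END CERTIFICATE----------BEGIN ...".
        if len(marks) > 1 or marks[0].group(0) != line:
            problems.append("line %d: boundary not alone on its line" % lineno)
        for m in marks:
            kind, label = m.group(1), m.group(2)
            if kind == "BEGIN":
                if open_label:
                    problems.append("line %d: BEGIN inside %s" % (lineno, open_label))
                open_label = label
                labels.append(label)
            else:
                if label != open_label:
                    problems.append("line %d: unmatched END %s" % (lineno, label))
                open_label = None
    if open_label:
        problems.append("unterminated %s block" % open_label)
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    return labels, problems


def _block(label, body="QUJDRA=="):  # constructed placeholder body, not real key material
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


# Constructed samples in the order listed in the thread: key, site cert, intermediate, root.
GOOD = "\n".join([_block("RSA PRIVATE KEY")] + [_block("CERTIFICATE")] * 3) + "\n"
# Same idea, but the first certificate file had no trailing newline.
BAD = _block("RSA PRIVATE KEY") + "\n" + _block("CERTIFICATE") + _block("CERTIFICATE") + "\n"

if __name__ == "__main__":
    for name, bundle in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pem_bundle(bundle))
```

To check a real bundle, pass the file's contents to `check_pem_bundle` and review the returned problem list before pointing Ajenti at the file.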