I freely admit that I don't understand how https, SSL, and public key
infrastructure works. It doesn't seem like it should be hard to use
but whenever I try, things don't work.

For instance, I wanted to access the admin interface for my web2py
application on a remote host. My thought was that I don't need to buy
an SSL certificate because I trust myself, for the most part. The
web2py command line allows the user to specify an SSL certificate (-c)
and a private key (-k). I figured one of these would work.

So I made a self-signed certificate according to some instructions I
found online:

openssl genrsa -des3 -out server.key 1024
        server.key is a private key
openssl req -new -key server.key -out server.csr
        server.csr is a certificate signing request
cp server.key server.key.org
        save off the server key
openssl rsa -in server.key.org -out server.key
        create a derivative key that doesn't need a passphrase
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
        create the self-signed certificate, server.crt

Then I used the certificate to start the rocket server:
        python web2py.py  -p 8001 -a '<recycle>' -c server.crt

But when I tried to access the page:
        https://127.0.0.1:8001
I get a browser error:
        Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Since I don't know what I'm doing, I tried some experiments:
        python web2py.py  -p 8001 -a '<recycle>' -k server.key

and

        python web2py.py  -p 8001 -a '<recycle>' -c server.crt -k server.key

all to no avail.

Thinking that maybe the browser (Chrome) doesn't know to trust the
certificate, I went to the preferences window -> https/ssl -> manage
certificates... which launches Keychain Access on my Macintosh. I
tried to import the new self-signed certificate into Keychain Access
so that I could mark it as trusted but I got an error (the not very
helpful: "an error has occurred. Unable to import an item." with
nothing logged in the console).

So I tried it the other way. I created a certificate in Keychain
Access, marked it trusted for SSL and then exported it. I used the
certificate to start the server:

        python web2py.py  -p 8001 -a '<recycle>' -c new.crt

Again failure.

So what am I doing wrong?

As a bonus question, is there a place to go learn about these issues?
I've looked around and I can't find either a website or a book that
can explain to me how SSL, CAs, and PKI work. The information must be
out there, maybe even in a gentle, understandable form.
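An added example, not from the original post or from web2py, that runs the certificate step the post is trying to do and then checks what the resulting .crt and .key files actually contain before a server is started with -c/-k. It assumes the openssl command-line tool is installed and that a scratch directory from mktemp is writable.

```shell
#!/bin/sh
# Added example, not from the original post or web2py: generate a self-signed
# certificate for 127.0.0.1 and check the .crt/.key pair before starting a
# server with -c/-k. Assumes the openssl command-line tool is installed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable)

# Key and certificate in one command. -nodes leaves the key unencrypted so an
# unattended server can load it; the SAN names the IP the browser connects to,
# which browsers check (the CN alone is not enough).
make_selfsigned() {
    cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $1
[ext]
subjectAltName = IP:$1
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/san.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Type of the first PEM object in a file: a file holding a PRIVATE KEY where the
# server expects a CERTIFICATE is one way to end up with an SSL protocol error.
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# A passphrase-protected key cannot be loaded by an unattended server.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# The certificate's public key must belong to the private key: compare moduli.
pair_matches() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

make_selfsigned 127.0.0.1
echo "server.crt holds: $(pem_type "$WORK/server.crt")"
echo "server.key holds: $(pem_type "$WORK/server.key")"
key_is_encrypted "$WORK/server.key" && echo "WARNING: key needs a passphrase"
pair_matches "$WORK/server.crt" "$WORK/server.key" && echo "certificate and key match"
```

The pair that passes these checks is what belongs on -c and -k; the browser will still show a warning for it until the certificate is explicitly trusted, because nothing here makes it trusted.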
