There are scripts for setting up web2py on Ubuntu with Apache (http://code.google.com/p/web2py/source/browse/scripts/setup-web2py-ubuntu.sh) and Nginx/uwsgi (http://code.google.com/p/web2py/source/browse/scripts/setup-web2py-nginx-uwsgi-ubuntu.sh), both of which include commands for creating a self-signed certificate using OpenSSL -- perhaps you can look at them for some guidance.

Anthony

On Thursday, March 1, 2012 8:48:08 PM UTC-5, David Phillips wrote:
> I freely admit that I don't understand how https, SSL, and public key
> infrastructure work. It doesn't seem like it should be hard to use
> but whenever I try, things don't work.
>
> For instance, I wanted to access the admin interface for my web2py
> application on a remote host. My thought was that I don't need to buy
> an SSL certificate because I trust myself, for the most part. The
> web2py command line allows the user to specify an SSL certificate (-c)
> and a private key (-k). I figured one of these would work.
>
> So I made a self-signed certificate according to some instructions I
> found online:
>
>     openssl genrsa -des3 -out server.key 1024
>         server.key is a private key
>     openssl req -new -key server.key -out server.csr
>         server.csr is a certificate signing request
>     cp server.key server.key.org
>         save off the server key
>     openssl rsa -in server.key.org -out server.key
>         create a derivative key that doesn't need a passphrase
>     openssl rsa -in server.key.org -out server.key
>         create the self-signed certificate, server.crt
>
> Then I used the certificate to start the rocket server:
>     python web2py.py -p 8001 -a '<recycle>' -c server.crt
>
> But when I tried to access the page:
>     https://127.0.0.1:8001
> I get a browser error:
>     Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
> Since I don't know what I'm doing, I tried some experiments:
>     python web2py.py -p 8001 -a '<recycle>' -k server.key
>
> and
>
>     python web2py.py -p 8001 -a '<recycle>' -c server.crt -k server.key
>
> all to no avail.
>
> Thinking that maybe the browser (Chrome) doesn't know to trust the
> certificate, I went to the preferences window -> https/ssl -> manage
> certificates... which launches Keychain Access on my Macintosh. I
> tried to import the new self-signed certificate into Keychain Access
> so that I could mark it as trusted but I got an error (the not very
> helpful: "an error has occurred. Unable to import an item." with
> nothing logged in the console)
>
> So I tried it the other way. I created a certificate in Keychain
> access, marked it trusted for SSL and then exported it. I used the
> certificate to start the browser:
>
>     python web2py.py -p 8001 -a '<recycle>' -c new.crt
>
> Again failure.
>
> So what am I doing wrong?
>
> As a bonus question, is there a place to go learn about these issues?
> I've looked around and I can't find either a website or a book that
> can explain to me how SSL, CAs, and PKI work. The information must be
> out there, maybe even in a gentle, understandable form.
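
For reference alongside the scripts linked above, here is an added example (not taken from this thread or from the web2py scripts) that creates an unencrypted private key and a self-signed certificate in one step, then confirms that the two files belong together before they are passed to web2py's -c and -k options. The function names, the 2048-bit key size, the 365-day lifetime and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names, key size and lifetime are assumptions.

# make_self_signed DIR CN
# Writes DIR/server.key (unencrypted RSA key) and DIR/server.crt (self-signed cert).
make_self_signed() {
    dir=$1; cn=$2
    (
        umask 077   # private key must be readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# pair_matches KEY CRT
# Succeeds only if CRT parses as an X.509 certificate and its public key
# is the public half of KEY. Fails if either file is the wrong kind of object.
pair_matches() {
    key=$1; crt=$2
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Run as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    if make_self_signed "$d" 127.0.0.1 &&
       pair_matches "$d/server.key" "$d/server.crt"; then
        echo "pair OK: $d/server.crt $d/server.key"
        # Both files are then given to web2py, as in the last command tried above:
        #   python web2py.py -p 8001 -a '<recycle>' -c server.crt -k server.key
    else
        echo "key and certificate do not match" >&2
        exit 1
    fi
fi
```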