Kozea / Radicale

A simple CalDAV (calendar) and CardDAV (contact) server.
https://radicale.org
GNU General Public License v3.0

ssl.SSLError: [SSL] PEM lib (_ssl.c:3874) #1608

Closed D4QP closed 2 weeks ago

D4QP commented 2 weeks ago

My SSD on my raspberry pi gave up, so I had to set up a new system with bookworm which probably means I went from radicale 2 to 3. I (hopefully) copied over all relevant radicale files and installed radicale from the repo (v3). Now I am stuck with running radicale. I get the output below. I already checked the certfile and keyfile access rights. Also tried with a new pair of cert and keyfile, but no success. Are there any other files except for the cert and key file that could play into the error?

[2024-10-27 12:22:59 +0100] [1642] [INFO] Starting Radicale
[2024-10-27 12:22:59 +0100] [1642] [INFO] auth type is 'radicale.auth.htpasswd'
[2024-10-27 12:23:00 +0100] [1642] [INFO] storage type is 'radicale.storage.multifilesystem'
[2024-10-27 12:23:00 +0100] [1642] [INFO] rights type is 'radicale.rights.owner_only'
[2024-10-27 12:23:00 +0100] [1642] [INFO] web type is 'radicale.web.internal'
[2024-10-27 12:23:00 +0100] [1642] [CRITICAL] An exception occurred during server startup: Failed to start server '[0.0.0.0]:5232': [SSL] PEM lib (_ssl.c:3874)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/radicale/server.py", line 288, in serve
    server = server_class(configuration, family, address,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/radicale/server.py", line 84, in __init__
    super().__init__(address, RequestHandlerClass)
  File "/usr/lib/python3.11/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3/dist-packages/radicale/server.py", line 178, in server_bind
    context.load_cert_chain(certfile=certfile, keyfile=keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3874)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/radicale/__main__.py", line 198, in run
    server.serve(configuration, shutdown_socket_out)
  File "/usr/lib/python3/dist-packages/radicale/server.py", line 312, in serve
    raise RuntimeError("Failed to start server %r: %s" % (
RuntimeError: Failed to start server '[0.0.0.0]:5232': [SSL] PEM lib (_ssl.c:3874)

pbiering commented 2 weeks ago

Can you confirm that, as the same user Radicale is supposed to run as, a TLS server socket can be started using the same certificates?

## Example:
openssl s_server -key test-radicale.key -cert test-radicale.pem -port 12345
Using default temp DH parameters
ACCEPT

If not, investigate created certificate and/or key file.

D4QP commented 2 weeks ago

Hi, when running the command suggested by you, I get the same response (ACCEPT).

pbiering commented 2 weeks ago

> Hi, when running the command suggested by you, I get the same response (ACCEPT).

OK, so key+cert are OK. Can you please check the format of the certificate file?

Radicale only supports PEM-encoded certificates.

## Good (example suffix .pem)
file test-radicale.pem
test-radicale.pem: PEM certificate

grep BEGIN test-radicale.pem  | wc -l
1

## Not supported (example suffix: .cer)
file test-radicale.cer
test-radicale.cer: Certificate, Version=3

Conversion can be done with:

## Example (.cer -> .pem)
openssl x509 -in test-radicale.cer -outform pem  -out test-radicale.pem

pbiering commented 2 weeks ago

And can you please enable the debug log and send the output?

pbiering commented 2 weeks ago

Also update to the latest version from master, please.

D4QP commented 2 weeks ago

The PEM check yields the same results as in your example for "good". The provided output in my first post is with log level "debug" already. Is there any additional file where information is logged?

Hmm, I am a bit hesitant to move away from the standard repo package. But if nothing else helps, then I guess I have no choice...

pbiering commented 2 weeks ago

> The PEM check yields the same results as in your example for "good". The provided output in my first post is with log level "debug" already. Is there any additional file where information is logged?

No, radicale major version 3 only logs to stdout.

> Hmm, I am a bit hesitant to move away from the standard repo package. But if nothing else helps, then I guess I have no choice...

Which "standard repo" package still has 3.1.x, while there is already 3.3.0 available and some 3.2.x releases in between?

Can you confirm it's starting without enabling TLS, e.g. on CLI with additional option --server-ssl=false?

Can you replay this using locally generated certificates like:

# as the user which runs radicale:
openssl genpkey -algorithm rsa -out test.key
openssl req -days 5 -new -x509 -key test.key -subj "/CN=test" -out test.pem
radicale --server-ssl=True --server-certificate test.pem --server-key test.key --logging-level=debug

If working well, something is strange with your key/certificate. If not, something is very strange related to your Python SSL library imho.
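The two checks above (the PEM format check and the replay of the failing `load_cert_chain()` call from `radicale/server.py`) can be scripted as one preflight so the cause is reported before Radicale ever binds its socket. This is an added example, not part of the Radicale project or this thread; `diagnose()` and `demo()` are assumed names, and the sample files in `demo()` are constructed (an INI-style config handed over as the certificate, and PEM framing around bytes that are not a certificate), so no real key pair is needed to run it.

```python
import ssl
import tempfile
from pathlib import Path


def pem_blocks(path):
    """List the '-----BEGIN ...' markers in a file (what 'grep BEGIN | wc -l' counts)."""
    data = Path(path).read_bytes()
    return [ln.strip().decode("ascii", "replace")
            for ln in data.splitlines() if ln.startswith(b"-----BEGIN ")]


def diagnose(certfile, keyfile):
    """Replay the load_cert_chain() step that fails in radicale/server.py.

    Returns 'ok' or a one-line explanation of why the pair is unusable.
    """
    for label, path in (("certificate", certfile), ("key", keyfile)):
        p = Path(path)
        if not p.is_file():
            return f"{label} file missing: {path}"
        if not pem_blocks(p):
            # DER (.cer), a config file or any other non-PEM content lands here
            return f"{label} file is not PEM encoded (no -----BEGIN line): {path}"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    except OSError as exc:  # ssl.SSLError ('[SSL] PEM lib ...') is an OSError subclass
        return f"OpenSSL rejected the pair: {exc}"
    return "ok"


def demo():
    """Run diagnose() over constructed bad inputs; returns {case: diagnosis}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # constructed: a Radicale-style config file passed where a certificate is expected
        config = tmp / "config"
        config.write_text("[server]\nhosts = 0.0.0.0:5232\nssl = True\n")
        # constructed: PEM framing around base64 of 'not a cert', not a real X.509 object
        bogus = tmp / "bogus.pem"
        bogus.write_text("-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n"
                         "-----END CERTIFICATE-----\n")
        results["config_as_cert"] = diagnose(config, config)
        results["garbage_pem"] = diagnose(bogus, bogus)
        results["missing"] = diagnose(tmp / "nope.pem", bogus)
    return results
```

Running `diagnose("/path/to/real.pem", "/path/to/real.key")` as the Radicale user separates "wrong file or wrong encoding" from "OpenSSL cannot use this pair" without starting the server.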

D4QP commented 2 weeks ago

Yes, the replay results in a running server. I will look into the certificate generation again.

D4QP commented 2 weeks ago

OMG, I found my mistake.... I used to start radicale with radicale -c <path to config file> instead of radicale -C <path to config file>

Now it runs even with the original key/certificate pair.

Thanks so much for your help! I really appreciate it.