django / daphne

Django Channels HTTP/WebSocket server
BSD 3-Clause "New" or "Revised" License

Password protected privatekey for lets encrypt cert #377

Closed MuhammadZeeshan34 closed 2 years ago

MuhammadZeeshan34 commented 3 years ago

Hi,

I am using daphne to serve django channels (websockets). Nginx and gunicorn are both configured to serve securely using SSL.

I am running into the error while configuring SSL with the daphne. I have provided the privateKey and certKey paths while starting the daphne service. However, there is no option to pass the passphrase as per the Twisted documentation.

My privateKey and certKey are protected by the key, which is why the daphne service is unable to start and I am getting this error.

This is how I am passing the ssl cert and private key in my daphne.service:

ExecStart=/home/bs/es/bs/bin/python /home/bs/es/bs/bin/daphne -e ssl:8001:privateKey=/etc/ssl/certs/www.bs.com.key:certKey=/etc/ssl/certs/www_bs_com.crt es.asgi:application

This is the error log from daphne:

Traceback (most recent call last):
  File "/home/bs/es/es/bin/daphne", line 8, in <module>
    sys.exit(CommandLineInterface.entrypoint())
  File "/home/bs/es/bs/lib/python3.8/site-packages/daphne/cli.py", line 191, in entrypoint
    cls().run(sys.argv[1:])
  File "/home/bs/es/bs/lib/python3.8/site-packages/daphne/cli.py", line 311, in run
    self.server.run()
  File "/home/bs/es/bs/lib/python3.8/site-packages/daphne/server.py", line 120, in run
    ep = serverFromString(reactor, str(socket_description))
  File "/home/bs/es/bs/lib/python3.8/site-packages/twisted/internet/endpoints.py", line 1731, in serverFromString
    nameOrPlugin, args, kw = _parseServer(description, None)
  File "/home/bs/es/bs/lib/python3.8/site-packages/twisted/internet/endpoints.py", line 1652, in _parseServer
    return (endpointType.upper(),) + parser(factory, *args[1:], **kw)
  File "/home/bs/es/bs/lib/python3.8/site-packages/twisted/internet/endpoints.py", line 1385, in _parseSSL
    privateCertificate = ssl.PrivateCertificate.loadPEM(
  File "/home/bs/es/bs/lib/python3.8/site-packages/twisted/internet/_sslverify.py", line 672, in loadPEM
    return Class.load(data, KeyPair.load(data, crypto.FILETYPE_PEM),
  File "/home/bs/es/bs/lib/python3.8/site-packages/twisted/internet/_sslverify.py", line 806, in load
    return Class(crypto.load_privatekey(format, data))
  File "/home/bs/es/bs/lib/python3.8/site-packages/OpenSSL/crypto.py", line 2739, in load_privatekey
    _raise_current_error()
  File "/home/bs/es/bs/lib/python3.8/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('UI routines', 'UI_process', 'processing error'), ('PEM routines', 'PEM_def_callback', 'problems getting password'), ('PEM routines', 'PEM_do_header', 'bad password read')]

Any suggestions or mitigations to fix this? Thanks

carltongibson commented 3 years ago

It looks like there's a long-standing open issue for this.

https://www.twistedmatrix.com/trac/ticket/3516

I'd suggest asking on the Twisted mailing list what the suggested approach is.

apollo13 commented 2 years ago

Given that there is nothing we can do about this in daphne, I am closing this issue. I also do not think it would be a good idea to support specifying the passphrase via -e; this would leak via the process list and would be visible to all users on the system.
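The traceback above ends in OpenSSL's "bad password read" because the PEM key is passphrase-protected and nothing in the `-e ssl:` endpoint string can supply the passphrase. The script below is an added example, not daphne's or Twisted's code: it shows how an operator can detect an encrypted key before the service starts (for instance from a systemd `ExecStartPre=` line) so the unit fails with a clear message, and how to verify that a key loads with a passphrase read from a root-only file rather than from a command-line argument, which addresses the process-list exposure mentioned in the closing comment. It assumes the `openssl` CLI is installed; the key files and the passphrase are constructed test data.

```shell
#!/bin/sh
# Added example (not part of daphne or Twisted). Assumes the openssl CLI is available.

# key_is_encrypted FILE -> exit 0 if the PEM private key is passphrase-protected.
# PKCS#8 encrypted keys are marked "ENCRYPTED PRIVATE KEY"; legacy PEM keys carry
# a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_loads FILE PASSFILE -> exit 0 if openssl can parse the key with the passphrase
# read from PASSFILE. The passphrase is never placed on the command line, so it does
# not show up in the process list for other users on the host.
key_loads() {
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# make_demo_keys DIR: constructed test data, an unencrypted key and an AES-256
# encrypted copy of it protected by the passphrase stored in DIR/pass.txt.
make_demo_keys() {
    dir="$1"
    umask 077                      # key material and passphrase file are owner-only
    printf 'demo-passphrase\n' > "$dir/pass.txt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/plain.key" 2>/dev/null
    openssl pkey -in "$dir/plain.key" -aes-256-cbc -passout "file:$dir/pass.txt" \
        -out "$dir/enc.key" 2>/dev/null
}

# preflight FILE: the check a daphne.service ExecStartPre= could run. Refuses to
# continue when the key is passphrase-protected, since the ssl: endpoint cannot
# prompt for or accept a passphrase and daphne would only die with a traceback.
preflight() {
    if key_is_encrypted "$1"; then
        echo "refusing to start: $1 is passphrase-protected; the -e ssl: endpoint cannot supply a passphrase" >&2
        return 1
    fi
    echo "ok: $1 is not passphrase-protected"
}
```

Run `make_demo_keys "$(mktemp -d)"` and then `preflight <dir>/enc.key` to see the refusal, or `key_loads <dir>/enc.key <dir>/pass.txt` to confirm the passphrase file is correct. Keep the passphrase file with the same ownership and mode as the key itself.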