ucam-department-of-psychiatry / camcops

Cambridge Cognitive and Psychiatric Test Kit (CamCOPS)

CherryPy failing to launch with local test certificates #290

Open RudolfCardinal opened 1 year ago

RudolfCardinal commented 1 year ago

With an old or a new self-signed certificate and camcops_server serve_cherrypy, which used to work fine, after an upgrade to Ubuntu 22.04.2 LTS (but a clean CamCOPS venv installation), I'm getting:

2023-04-29 16:05:12.756 [p1210581.t140646515499008] cherrypy.error:INFO: [29/Apr/2023:16:05:12] ENGINE Bus STARTING
[29/Apr/2023:16:05:12] ENGINE Started monitor thread 'Autoreloader'.
2023-04-29 16:05:12.756 [p1210581.t140646515499008] cherrypy.error:INFO: [29/Apr/2023:16:05:12] ENGINE Started monitor thread 'Autoreloader'.
[29/Apr/2023:16:05:12] ENGINE Serving on https://127.0.0.1:8088
2023-04-29 16:05:12.866 [p1210581.t140646515499008] cherrypy.error:INFO: [29/Apr/2023:16:05:12] ENGINE Serving on https://127.0.0.1:8088
[29/Apr/2023:16:05:12] ENGINE Bus STARTED
2023-04-29 16:05:12.866 [p1210581.t140646515499008] cherrypy.error:INFO: [29/Apr/2023:16:05:12] ENGINE Bus STARTED
[29/Apr/2023:16:05:12] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/home/rudolf/dev/venvs/camcops/lib/python3.10/site-packages/cheroot/server.py", line 1807, in serve
    self._connections.run(self.expiration_interval)
  File "/home/rudolf/dev/venvs/camcops/lib/python3.10/site-packages/cheroot/connections.py", line 198, in run
    self._run(expiration_interval)
  File "/home/rudolf/dev/venvs/camcops/lib/python3.10/site-packages/cheroot/connections.py", line 241, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/home/rudolf/dev/venvs/camcops/lib/python3.10/site-packages/cheroot/connections.py", line 295, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/home/rudolf/dev/venvs/camcops/lib/python3.10/site-packages/cheroot/ssl/builtin.py", line 270, in wrap
    s = self.context.wrap_socket(
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:997)

Gunicorn works fine with the same SSL certificates. Martin, have you seen this? An upgrade to the latest version of CherryPy made no difference.

martinburchell commented 1 year ago

@RudolfCardinal I'm running 20.04 / python 3.8 so I've tried to reproduce this in a GitHub workflow on the cherrypy-ubuntu22.04 branch but it seems to be working. See https://github.com/ucam-department-of-psychiatry/camcops/actions/runs/4924867021/jobs/8798419561

martinburchell commented 1 year ago

@RudolfCardinal which version of OpenSSL are you using?

RudolfCardinal commented 1 year ago

It's failed on two machines so far, both recently upgraded; one is out of commission but on the other: Ubuntu 22.04.2 LTS with openssl version returning:

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

martinburchell commented 1 year ago

> It's failed on two machines so far, both recently upgraded; one is out of commission but on the other: Ubuntu 22.04.2 LTS with openssl version returning:
>
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

The GitHub workflow reports the same https://github.com/ucam-department-of-psychiatry/camcops/actions/runs/4979371839/jobs/8910877312.

I wonder if it is somehow set up differently. Is there something stale in /etc/ssl/openssl.cnf?

RudolfCardinal commented 1 year ago

This is odd. It looks like /etc/ssl/openssl.conf is the same, e.g. via the debdiffconf script at https://unix.stackexchange.com/questions/72746/ (tweaked to report no differences explicitly), debdiffconf /etc/ssl/openssl.conf gives

Trying openssl...
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 openssl amd64 3.0.2-0ubuntu1.9 [1,185 kB]
Fetched 1,185 kB in 0s (13.0 MB/s)
Found in openssl
No differences found.