Crossbar/Autobahn SSL Error

#1

I’m having trouble getting Crossbar to accept connections from python using Autobahn over SSL.

OS Ubuntu 16.04 / Mint 18

Crossbar 17.8.1.post1

OpenSSL 1.0.2g Mar 2016

Autobahn 17.8.1

Python 3

Ubuntu 16.04 is using signed certs from Comodo, Mint 18 (my test platform) is using LetsEncrypt certs. If I use the (Apache) self-signed certs everything works.

Crossbar and HTML/Javascript Autobahn clients work well, but when I try to use Autobahn in a Python client I get the following error from Crossbar at debug log level (3rd and 4th lines below).

The Python scripts are running on the host that Crossbar is running on, pointed to the same certs, and I verified that there are no permission issues; I can print the certs out in the Python scripts.

If this is a bug, I’d like to dig it out, if it’s something I’m doing wrong, I’d like to know because I’ve spent many hours on it already and have not reached any conclusion.

crossbar.router.protocol.WampWebSocketServerProtocol] connection accepted from peer tcp4:192.168.0.2:48922

crossbar.router.protocol.WampWebSocketServerProtocol] Connection made to tcp4:192.168.0.2:48922

crossbar.router.protocol.WampWebSocketServerProtocol] Connection to/from tcp4:192.168.0.2:48922 lost (<class 'OpenSSL.SSL.Error'>): [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')])

crossbar.router.protocol.WampWebSocketServerProtocol] _connectionLost: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')]

Thanks.


#2

Here is the output of crossbar version

Crossbar.io : 17.8.1.post1 (Crossbar.io COMMUNITY)

Autobahn : 17.8.1 (with JSON, MessagePack, CBOR, UBJSON)

Twisted : 17.5.0-EPollReactor

LMDB : 0.93/lmdb-0.9.18

Python : 3.5.2/CPython

OS : Linux-4.4.0-21-generic-x86_64-with-LinuxMint-18-sarah

Machine : x86_64

Release key : RWS7C+EWC0+LY3r7v/QTHDcJpdzmdXAZy2V7fms08hz6UP4AeS83/B3w


On Saturday, October 21, 2017 at 5:17:03 PM UTC-7, Trendal Toews wrote:


#3

Looks like an issue with recognising the LetsEncrypt CA. Can you confirm it is installed in the system-wide location and not some Apache-specific one? Can you test the certs with another HTTP server like lighttpd or nginx?


On Sunday, October 22, 2017 at 2:17:03 AM UTC+2, Trendal Toews wrote:


#4

It is doing this with LetsEncrypt on my test/develop machine (Mint 18) and with a CA from Comodo on my production server (Ubuntu 16.04)

The cert files are located in /etc/apache2/ssl, but I have confirmed that the permissions are correct, giving Crossbar and Autobahn access to the files.

Apache loads them and my Javascript clients make a complete websocket connection over ssl to the server but a python based client making connection against the same Crossbar instance throws the error I showed. The running crossbar instance throws that error.

I don’t have an easy way to test another HTTP server at the moment, but I don’t really see how that would apply as it’s unrelated to Apache, and furthermore if I switch the files out for the self-signed cert files, in the same location, it all works correctly. Except for the browser warnings of course.


On Saturday, October 21, 2017 at 5:17:03 PM UTC-7, Trendal Toews wrote:


#5

I’m not understanding why Apache and Python can load the same cert and Crossbar throws an error over one and not the other.

The error, obviously, is coming from OpenSSL but why? Do I have some incompatible version of a package?


On Saturday, October 21, 2017 at 5:17:03 PM UTC-7, Trendal Toews wrote:


#6

The issue is not the certificate I think. I think the issue is the CA store on your machine.

See https://askubuntu.com/questions/183328/where-are-pem-files-stored-for-validating-ssl-certificates

Can you check in /etc/ssl/certs and /usr/share/ca-certificates on both machines to confirm that the correct PEM files for the relevant CAs are available?

If the PEM files for the CAs are not installed locally then OpenSSL will not be able to validate certificates.

Have you tried using the certs with something besides Apache/Python (how are you using Python with Apache, btw?) or Crossbar?


On Sunday, October 22, 2017 at 8:10:29 AM UTC+2, Trendal Toews wrote:


#7

I have to admit I’m relatively new in dealing with this (SSL/TLS) in application code. So I don’t think I’m understanding something here.

I have Apache serving a web application, typical PHP/HTML/Javascript web app. I have Crossbar running simply for a websocket server so I can use the Autobahn Javascript client in a Pub/Sub fashion to keep my web app clients in sync.

This is a local onsite app, so I have hardware/sensors deployed that generate data streams that I collect with services running on the same host as Apache. Those services are written in Python and I would like to use Autobahn to push the data streams to my web clients via websockets.

The web application stuff is working, clients are synced via subscribing and publishing, but the python services are not able to connect to the Crossbar instance because the SSL is breaking.

I do not have any PEM files. Now I think I understand that PEM is just the .crt and .key files combined, in the correct format of course, correct?

I have the .crt and .key files stored in /etc/apache2/ssl/ so Apache can access them. My Crossbar config file is also pointed at those same files; actually I am using a symlink to keep the application code consistent across future file locations, but that shouldn’t be affecting anything.

Since these collector scripts I am writing are on the same host as everything else, I am pointing them to the same .crt as well. Here is the actual setup in the python script:

    # pyOpenSSL and six imports added so the snippet runs as posted
    from OpenSSL import crypto
    import six

    # load the server certificate (PEM) that Apache and Crossbar also use
    cert = crypto.load_certificate(
        crypto.FILETYPE_PEM,
        six.u(open("…/…/tls/server.crt", 'r').read())
    )

where …/…/tls/server.crt is the same exact file path that Crossbar is using for the .crt file as well as Apache.

So, maybe there is some misunderstanding on my part here, very likely. If I need a better crash course on SSL just tell me so.


On Saturday, October 21, 2017 at 5:17:03 PM UTC-7, Trendal Toews wrote:


#8

You are misunderstanding a key part of how SSL works. Please read up on Certificate Authorities and what is meant when I say “the local CA store”. Without the CA PEM files your machine will not be able to validate a certificate.


#9

I will do that, thank you.


#10

I’m beginning to understand the missing part now.

Unfortunately, I don’t have time to work through this issue and make it work, so I’m going to move the project along without using websockets on my collectors. I’m sure I will be revisiting this sometime within the next year.
