SSL error: sslv3 alert certificate unknown

I’m running crossbar on Windows Server 2012 R2 with Python 3.8 and I need to use Pub/Sub websocket. Connections (from AutobahnJS) with ws: protocol work with no problem, but when I try to connect via wss: there is this error in the server console:

[Router 4492] SSL error: sslv3 alert certificate unknown (in ssl3_read_bytes)

I’m using a Let's Encrypt certificate which works OK in IIS on that machine. Relevant part of the config.json:

{
	"type": "websocket",
	"endpoint": {
		"type": "tcp",
		"port": 9443,
		"tls": {
			"key": "e:\\certificates\\key.pem",
			"certificate": "e:\\certificates\\crt.pem",
			"chain_certificates": [
				"e:\\certificates\\chain.pem"
			],
			"ca_certificates": ["e:\\certificates\\cacert.pem"],
			"dhparam": "dhparam.pem",
			"ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
		}
	}
},
{
	"type": "websocket",
	"endpoint": {
		"type": "tcp",
		"port": 9080
	}
}

Does anybody have a suggestion what could be wrong? I’ve been banging my head over this for the past two days and I’m out of ideas. Thank you.

Have you tried connecting to the router from plain openssl as a client?

Obviously openssl doesn’t talk WAMP or WebSocket, but it does talk TLS, and that’s what’s the problem here … so

It turned out to be a problem with dhparam.pem. I had copied my .crossbar directory from another machine and only changed the certificate and key files appropriate for the new installation. I kept the original dhparam.pem and that’s what was confusing the SSL routines. After generating a new dhparam.pem on the new machine everything works as expected.

Thanks for following up. Was it just a formatting thing? It seems like either we should produce a proper error-message in this case – or Twisted should. Do you have an example of a dhparam that didn’t work?

The format of the file seems to be OK. The problem might be that it was created on another computer, with a different version of OpenSSL, but that’s just a wild guess.


This is super weird. Thanks for the info! Good to know there is a trap with regard to copying dhparam files around (which one should definitely not do for production anyway, but …) …
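Added example (not Crossbar's or Twisted's own code): a pre-flight check that loads dhparam.pem through Python's ssl module, the same OpenSSL path Crossbar takes, so a bad or missing file is reported by name instead of surfacing as the handshake alert above. The `check_dhparam`/`dhparam_pem` names and the RFC 3526 group constant are this example's own; the small DER encoder exists only so the self-check can build a known-good parameter file without openssl(1).

```python
"""Pre-flight loader for the dhparam.pem a Crossbar TLS endpoint references.
Crossbar/Twisted hand the file to OpenSSL; a rejected file only shows up as a
vague 'certificate unknown' alert mid-handshake, so load it up front instead."""
import base64
import os
import ssl

# RFC 3526 group 14 (2048-bit MODP, generator 2). Used only to build a
# known-good DH parameter file for the self-test without openssl(1).
MODP_2048_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def dhparam_pem(p, g=2):
    """PEM-encode DH parameters as SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def check_dhparam(path):
    """Load dhparam.pem the way Crossbar/Twisted do; return None or an error string."""
    if not os.path.isfile(path):
        return "file not found: %s" % path
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_dh_params(path)
    except OSError as e:     # ssl.SSLError is an OSError subclass
        return "OpenSSL rejected %s: %s" % (path, getattr(e, "reason", None) or e)
    return None
```

Run `check_dhparam("e:\\crossbar\\dhparam.pem")` against the file the endpoint config names (note that a relative "dhparam.pem" resolves against Crossbar's working directory) before starting the router.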