Serving over HTTPS with Gunicorn/Flask: ERR_CERT_AUTHORITY_INVALID

Time: 02-01

Looking for a quick way to serve an API over HTTPS for testing purposes. The API app is created using flask and being served on port 443 using gunicorn.

gunicorn --certfile=server.crt --keyfile=server.key --bind 0.0.0.0:443 wsgi:app

When my React app (served over HTTPS) sends a POST request to one of the routes via HTTPS, the browser console is showing

POST https://1.2.3.4/foo net::ERR_CERT_AUTHORITY_INVALID

My key and certs are created using

openssl genrsa -aes128 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -days 365 -key server.key -out server.csr
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Is there a solution to solve ERR_CERT_AUTHORITY_INVALID raised by the browser, without using a reverse proxy like nginx/caddy? And without each user having to manually trust the self-signed cert?

CodePudding user response:

Your browser/computer/device needs to trust the certificate presented by gunicorn... You should add the hostname of your PC to the certificate (Common Name or Subject Alternative Name) and add the certificate to your trusted list of certificates.

CodePudding user response:

I ran into a similar problem recently on Firefox creating the cert using OpenSSL. I opted for an alternative solution using mkcert:

sudo apt install libnss3-tools
sudo apt install mkcert
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
sudo cp mkcert-v1.4.4-linux-amd64 /usr/local/bin/mkcert
sudo chmod +x /usr/local/bin/mkcert
mkcert -install
mkcert test.example.com '*.test.example.com' localhost 127.0.0.1 ::1

You'll want to modify /etc/hosts to include test.example.com:

127.0.0.1       localhost test.example.com

Don't forget to log out and log back in to update changes in hosts.

If Firefox still complains, go to Settings -> Privacy/Security and open View Certificates. Under the Servers tab, add an exception for https://test.example.com:(port #) and select Get Certificate, then Confirm Security Exception.

Now fire up gunicorn using the PEM format files generated by mkcert. In my case it was something like...

gunicorn --certfile test.example.com+4.pem --keyfile test.example.com+4-key.pem

Your cert should be accepted now.

Each member of our team has to set this up locally. For us it was a small inconvenience for the payoff.

If this doesn't suit your needs then unfortunately yes, you might have to opt for an alternative such as caddy or nginx to reverse-proxy your requests. But you'd still have to supply a certificate using some version of the example above or via tools like certbot etc.
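Both answers rest on the same two requirements: the browser needs a certificate whose Subject Alternative Name covers the host it typed into the URL, and it needs a trust anchor it already holds. The script below is an added example, not code from the question or from either answer, that does by hand what mkcert does: it creates one local CA, issues a server certificate under it with DNS and IP entries in the SAN, and then runs the same chain-and-name checks a browser performs, using openssl verify. It assumes the openssl CLI (1.1.1 or newer) is on PATH; test.example.com, 127.0.0.1 and the working directory are constructed values. One caveat worth noting for the question as asked: the browser requested https://1.2.3.4/foo, so a certificate for that deployment needs an IP: entry in its SAN. A DNS-only SAN, or a Common Name alone (which Chrome ignores for name matching), fails the name check even after the CA is trusted.

```shell
#!/bin/sh
# Added example, not code from the original post: a hand-rolled version of what
# mkcert does. A local CA is created and trusted once; server certificates are
# then issued under it with a SAN listing every name or IP the browser will use.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH. The names, the IP address
# and the working directory are constructed for the example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_local_ca() {
  # One self-signed CA for the team. This is the only certificate anyone has to
  # import into a trust store (the step "mkcert -install" automates).
  cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Dev Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

issue_server_cert() {
  # $1 = DNS name, $2 = IP address. Browsers ignore the CN when matching names;
  # the host from the request URL must appear in subjectAltName (DNS: or IP:).
  cat > "$WORKDIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1,IP:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORKDIR/server.cnf" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" >/dev/null 2>&1
  # Sign the CSR with the local CA; extensions come from the v3_server section.
  openssl x509 -req -sha256 -days 365 \
    -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/server.cnf" -extensions v3_server \
    -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

show_san() {
  # Print the SAN the browser will compare against; worth checking before
  # starting gunicorn rather than after the ERR_CERT_* page appears.
  openssl x509 -noout -ext subjectAltName -in "$WORKDIR/server.crt"
}

verify_for_host() {
  # The two checks a browser performs: the chain ends at a trusted root, and the
  # requested host matches a SAN entry. Returns 0 if accepted for "$1", else 1.
  case "$1" in
    *[!0-9.]*) match="-verify_hostname" ;;   # anything but digits and dots: a DNS name
    *)         match="-verify_ip" ;;         # dotted digits only: an IPv4 literal
  esac
  openssl verify -CAfile "$WORKDIR/ca.crt" "$match" "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

make_local_ca
issue_server_cert test.example.com 127.0.0.1

# gunicorn then serves with the issued pair, e.g.
#   gunicorn --certfile "$WORKDIR/server.crt" --keyfile "$WORKDIR/server.key" --bind 0.0.0.0:443 wsgi:app
# while clients import ca.crt (never server.crt) into their trust store.
```

Only ca.crt goes into each user's trust store; server.crt and server.key go to gunicorn. Issuing a certificate for another host later is a call to issue_server_cert and needs no new trust step, which is the property the mkcert answer relies on. Running verify_for_host with a name or IP that is not in the SAN fails, which is exactly the situation the question's CN-only certificate puts the browser in.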
