SSL error with private certificate


I have my own certificate for my domain which is a 4096 and SHA-256. When I change the certificate in the mineos.cfg I get the following error:

[04/Mar/2015:14:40:35] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/”, line 1837, in start
File “/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/”, line 1902, in tick
s, ssl_env = self.ssl_adapter.wrap(s)
File “/usr/lib/python2.7/dist-packages/cherrypy/wsgiserver/”, line 52, in wrap
keyfile=self.private_key, ssl_version=ssl.PROTOCOL_SSLv23)
File “/usr/lib/python2.7/”, line 487, in wrap_socket
File “/usr/lib/python2.7/”, line 241, in init
SSLError: [Errno 336265225] _ssl.c:355: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

I don’t know really anything except that 4096 is twice the norm and so may be causing an issue. Just a thought.

Or maybe you haven’t added the other files as well as the key or cert file, whatever.

Which cert attributes did you change and what did you fill instead? Copy/paste your mineos.conf and we can try to make more sense of it (this isn’t any security hazard to sharing mineos.conf).

Hey, here it is:

server.ssl_module = “builtin”
server.ssl_certificate = “/etc/ssl/certs/domain.crt”
server.ssl_private_key = “/etc/ssl/certs/domain.key”
server.ssl_ca_certificate = “/etc/ssl/certs/”
server.ssl_certificate_chain = “/etc/ssl/certs/inter.crt”

But it feels like it’s the private key it complains about.

Unfortunately, the error you provided initially I’m not sure how to use to full effect. For example, I was able to successfully install a wildcard certificate with only the following changes:

server.ssl_module = "builtin"
server.ssl_certificate = "/root/wildcard.crt"
server.ssl_private_key = "/root/wildcard.key"
server.ssl_ca_certificate = "/root/InCommon.crt"
server.ssl_certificate_chain =

That doesn’t mean that you shouldn’t be using the SSL cert chain, but it also tels me that the certificates required–chained or not–is more specific than the general knowledge I have of setting up SSLs.

Who issued your cert and what kind was it? Perhaps the issuer has some documentation on how it’d be set up in Apache, etc. and then I can translate that into the corresponding config for CherryPy.

Same instructions as for every certificate.

<VirtualHost _default_:443>
DocumentRoot /home/httpd/private
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLProtocol all -SSLv2

SSLCertificateFile /usr/local/apache/conf/ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
SSLCertificateChainFile /usr/local/apache/conf/
CustomLog /usr/local/apache/logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Though I feel like I could probably figure it out in a minute with guess and check, since sharing keys/certificates is not something you do, I can only recommend what I think would be the best approaches.

For starters, from what I’ve read, pem files are certificates and keys, whereas that’s probably not what you’re trying to include–just the key. So, I’d probably start out with splitting that data out.

openssl x509 -outform der -in -out a_new_cert_file.crt

From there, I’d actually ignore the ‘chain’ part of the instructions and instead match up the ca portion from the filename to the ca part that’s in the ca_certificate config line. That way you’d have files that correspond with a known-working configuration that I used.

This isn’t a very systematic approach (in case I’m wrong!), but apparently there’s a lot of really convoluted standards in play here.

We can keep trying till we figure it out.

I’m using the StartSSL certificate and was using their wizard on the site. I deleted the certificates and keys and started over new. This time I created the csr on the server and not with their wizard. And I’ve skipped the root and ca certificates and only using cert.crt and cert.key and it’s working fine now. Seems to be some problem with their key while using their online wizard.

But I don’t know if the following error is because of CherryPy?

I can’t be certain. All the times I’ve ever installed an SSL in CherryPy it’s been with a wildcard cert where I required all three fields in the config: it may differ for different certs, but I cannot say for sure. If the browser is reporting the certificate is secure, on the other hand, it’s likely doing just fine in CherryPy.

Regarding that error, however, do you think that’s related to this Chrome issue? I’m guessing you’re on Chrome 40 now–if so, it might very likely be Cherrypy and I’ll have to see what we can do. After all, because of SSL issues, Cherrypy cannot be updated to 3.3.x because of bugs introduced by 3.2.5/3.3.0 that don’t exist in 3.2.3, but maybe they have it fixed by now.

You may be seeing the message

"Your connection to is encrypted with obsolete cryptography."


"The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

This usually means that the connection to the current website is using an outdated ciphersuite.
SSLv3 is being disabled in Chrome at the start of 2015, due to the POODLE attack. See Adam Langley’s announcement.
SHA-1 is deprecated in Chrome at the start of 2015.
Certificates expiring in 2016 will be marked as “secure, but with minor errors”.
Certificates expiring in 2017 are later will be treated as “affirmatively insecure”.
Read the official blog post announcement for more currently still supported in Chrome.
MD5 is disabled for certificate signatures.
It is still permitted for message authentication in the HMAC-MD5 construction (which does not depend on collision resistance).

Ok, I’ll check the links. Please see what you can find about Cherry in the meantime :smile: