ssl.SSLError: [X509: KEY_VALUES_MISMATCH]

Hello all,
I have a Linux server (AWS Linux V2) running Flask with the following code:

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations('./web.pem')
context.load_cert_chain('./web.crt', './web.key')
app.run('0.0.0.0', 8443, ssl_context=context)

When I run it, there’s the following error:
ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3901)

I used the following steps to create the SSL files:

  1. For the web.crt I downloaded the CF RSA version from here
  2. I created new certificates (web.key & web.pem) from CF SSL/TLS>Origin Server>Create Certificate

Can someone please point me to what I’m missing here?
Many thanks in advance!
Ram

The very first Google link seems to cover exactly that issue

You have swapped the root certificate with the actual certificate.

For starters, you won’t need the load_verify_locations() call at all, as that is for client verification. Then, the first parameter of load_cert_chain() should refer to your certificate (and that file should possibly also contain the root certificate).

Hi Sandro, many thanks for your reply!

I have removed the load_verify_locations and tried following your suggestions. I’ve set:
context.load_cert_chain('./web.pem', './web.key')

(no use for the CRT file?)

and the server runs:

 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off  
 * Running on https://0.0.0.0:8443/ (Press CTRL+C to quit) 

However, when browsing the site I receive CF Error 525
SSL handshake failed

I tried both “Full” and “Full (Strict)”

I addressed that in my previous response in brackets.

I guess that is because of the missing root certificate.

OK, got it to work in Full (Strict) mode. I had to remove the context.verify_mode = ssl.CERT_REQUIRED and used context.load_cert_chain('./web.pem', './web.key')

Many thanks for your support!
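The check below is an added example, not code from any poster in this thread. It reproduces the mismatch from the first post (a root certificate paired with the origin key) and builds the server-side context the thread ends up with. The helper names (make_self_signed, build_server_context, check_pair, demo) are hypothetical, the certificates are throwaway self-signed ones constructed for the demo, and the openssl command-line tool is assumed to be on PATH.

```python
import ssl
import subprocess
import tempfile
from pathlib import Path


def make_self_signed(directory, name):
    """Constructed test material: throwaway RSA key and self-signed cert."""
    key, crt = Path(directory) / f"{name}.key", Path(directory) / f"{name}.pem"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key), "-out", str(crt), "-days", "1",
         "-subj", f"/CN={name}.example"],
        check=True, capture_output=True)
    return str(crt), str(key)


def build_server_context(certfile, keyfile):
    """Server-side context: present certfile, do not request a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # verify_mode defaults to CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)  # raises ssl.SSLError if the pair differs
    return ctx


def check_pair(certfile, keyfile):
    """Return 'ok' or 'mismatch: <OpenSSL reason>' without starting a server."""
    try:
        build_server_context(certfile, keyfile)
    except ssl.SSLError as exc:
        return f"mismatch: {exc.reason}"
    return "ok"


def demo():
    with tempfile.TemporaryDirectory() as d:
        root_crt, _ = make_self_signed(d, "root")  # stands in for the CA root file
        origin_crt, origin_key = make_self_signed(d, "origin")  # web.pem / web.key
        return {
            "root cert + origin key": check_pair(root_crt, origin_key),
            "origin cert + origin key": check_pair(origin_crt, origin_key),
        }


if __name__ == "__main__":
    for pair, result in demo().items():
        print(f"{pair}: {result}")
```

Running check_pair on the real files before starting the server surfaces a swapped certificate at deploy time instead of at the first handshake.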
