ssl.SSLError: [X509: KEY_VALUES_MISMATCH]

ram1 · March 27, 2020, 3:32pm

Hello all,
I have a linux server (AWS Linux V2) running flask with the following code:

context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations('./web.pem')
context.load_cert_chain('./web.crt', './web.key')
app.run('0.0.0.0', 8443, ssl_context=context)

when i run it there’s the following error:
ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3901)

i used the next steps to create the SSL files:

for the web.crt i download the CF RSA version from here
i created new certificates (web.key & web.pem) from CF SSL/TLS>Origin Server>Create Certificate

can someone pls point me for what i’m missing here?
many thanks in advance!
Ram

sandro · March 27, 2020, 5:01pm

The very first Google link seems to cover exactly that issue

You have swapped the root certificate with the actual certificate.

For starters, you won’t need the load_verify_locations() call at all, as that is for client verification. Then, the first parameter of load_cert_chain() should refer to your certificate (and that file should possibly also contain the root certificate).

ram1 · March 27, 2020, 4:45pm

hi sandro, many thanks for your reply!

I have removed the load_verify_locations and tried following your suggestions, i’ve set:
context.load_cert_chain('./web.pem', './web.key')

(no use for the CRT file?)

and the server runs:

 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off  
 * Running on https://0.0.0.0:8443/ (Press CTRL+C to quit)

however, when browsing the site i receive CF Error 525
SSL handshake failed

i tried both “Full and Full(Strict)”

sandro · March 27, 2020, 4:51pm

I addressed that in my previous response in brackets.

I guess that is because of the missing root certificate.

ram1 · March 27, 2020, 4:54pm

ok, got it to work in Full(Strict) mode, had to remove the context.verify_mode = ssl.CERT_REQUIRED and used context.load_cert_chain('./web.pem', './web.key')

many thanks for your support!

system · April 26, 2020, 3:32pm

This topic was automatically closed after 30 days. New replies are no longer allowed.