curl --cacert ca-public-key.pem https://localhost:5684/

I have followed the entire tutorial with the provided code on my machine up to this point, and everything has run just fine.

Unfortunately this final attempt to hit the server with curl is still returning exit code 60 (invalid certificate).

I have tried:

• generating new keys (PEM files)
• entering the full file path for ca-public-key.pem in the –cacert argument

I would appreciate any suggestions… I was really excited to get this final response from the server.

@Stuart The sample certificate included in the supporting material has already expired. However, generating a new one with the included script doesn’t work for me either. Unfortunately, I’m not sure what the reason is off the top of my head.

You could try creating a self-signed certificate withopenssl as a quick workaround, though:

$opensslreq-x509-newkeyrsa:4096-keyoutserver-private-key.pem-outserver-public-key.pem-days365

…and then ignore insecure certificates:

$curl-khttps://localhost:5684/shhhh, this is secret

Anyway, we’ll probably need@Christopher’s help with this one.

Hi @Stuart,

@Bartosz and I have been plugging away at this, and I think we’ve figured it out. The root certificate generation code needs to change a little bit, I’ll show you how.

The version ofcurl I’m using is a bit older and uses TLS 1.2. The version Bartosz is using (and I suspect you are as well) uses the more up to date TLS 1.3. When I install a new version ofcurl, I get the same problem you are experiencing.

The key to fixing it is inside of the builder code. Currently,make_builder has the following:

builder=(x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).serial_number(x509.random_serial_number()).not_valid_before(valid_from).not_valid_after(valid_to))

To get a valid CA certificate you also need another parameter. Change your builder to include:

.add_extension(x509.BasicConstraints(ca=True,path_length=None),critical=True)

This change should only be for generating the public CA. In my own code I added ais_ca parameter tomake_builder and toPublicKey.generate. Mymake_builder now looks like this:

defmake_builder(subject,issuer,is_ca=False):# Expire this certificate 30 days from nowvalid_from,valid_to=date_range(3000)# Chain-call certificate builder with necessary parametersbuilder=(x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).serial_number(x509.random_serial_number()).not_valid_before(valid_from).not_valid_after(valid_to))ifis_ca:builder=builder.add_extension(x509.BasicConstraints(ca=True,path_length=None),critical=True)returnbuilder

Then you have to make changes toPublicKey andgenerate_keys.py to expose this new parameter. Or, you can cheat add the line by hand, commenting it in and out depending on your needs.

What does all this mean? I’m not 100% sure, but I suspect that either TLS 1.2 didn’t require this parameter, or was more forgiving when it was missing.

We’ll update the course with the new code at some point, but in the meantime, you can add the new.add_extension call and should be good to go.

Thanks for the comment. Hope you enjoyed the course, this bump not withstanding.

Happy coding!

Hello,

In what specific module of this course did we create a second password for the CSR. I recall doing so with the Fernet/Cipher segements, but not with the last 3 modules. Are we supposed to use the original we made with the Fernet?

Hi alphafox28js,

If I understand the question you’re asking correctly, covering the creation of the “ca-private-key.pem” file, which requires a password is covered two modules back in “Creating Public and Private Keys”

realpython.com/lessons/public-private-keys/

The actual code shown to generate the file is around the 6:20-6:40 marks.

Hello sir,

Oddly enough, I can create the key,have it generate, but I never had to actually put a password in or create one. Whereas in the earlier sections, and for setting up a GitHub account, I actually did have to set the password then type it out.