Medusa: SSLError: [SSL: EE_KEY_TOO_SMALL] after updating debian to Buster

Created on 9 Jan 2020  ·  5 Comments  ·  Source: pymedusa/Medusa

Describe the bug
Medusa page not loading due to SSL errors

To Reproduce
Steps to reproduce the behavior:

  1. Update Debian to Buster
  2. Start medusa from CLI to see the SSL errors every time the page is requested

Expected behavior
Main medusa page should load

Screenshots
If applicable, add screenshots to help explain your problem.

Medusa (please complete the following information):

  • OS: Linux bananapi 3.4.113-bananian (it's a debian fork)
  • Branch: master
  • Commit: d0c136d7a528a471b51676140bd35d24d97f65c6
  • Python version: 3.7.3
  • Database version: 44.14

Debug logs (at least 50 lines):

ERROR:asyncio:Exception in callback BaseAsyncIOLoop._handle_events(13, 1)
handle: <Handle BaseAsyncIOLoop._handle_events(13, 1)>
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/asyncio/events.py", line 88, in _run
    self._context.run(self._callback, *self._args)
  File "/opt/medusa/ext/tornado/platform/asyncio.py", line 122, in _handle_events
    handler_func(fileobj, events)
  File "/opt/medusa/ext/tornado/stack_context.py", line 300, in null_wrapper
    return fn(*args, **kwargs)
  File "/opt/medusa/ext/tornado/netutil.py", line 262, in accept_handler
    callback(connection, address)
  File "/opt/medusa/ext/tornado/tcpserver.py", line 263, in _handle_connection
    do_handshake_on_connect=False)
  File "/opt/medusa/ext/tornado/netutil.py", line 565, in ssl_wrap_socket
    context = ssl_options_to_context(ssl_options)
  File "/opt/medusa/ext/tornado/netutil.py", line 540, in ssl_options_to_context
    context.load_cert_chain(ssl_options['certfile'], ssl_options.get('keyfile', None))
ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] ee key too small (_ssl.c:3833)
ERROR:asyncio:Exception in callback BaseAsyncIOLoop._handle_events(13, 1)

Additional context
I upgraded to python3.7 a while ago before the dist-upgrade to Buster so most of my configuration should be fine.
After Debian upgrade to Buster:
Medusa web page wouldn't load
I removed the server.crt and server.key files because I vaguely remember that being part of the fix when upgrading to python3.7
While starting medusa from commandline I noticed it wasn't able to create new server.crt and server.key files because python couldn't see the pyopenSSL pip module anymore, so I (re)installed pyopenSSL.
After that the ssl.SSLError: [SSL: EE_KEY_TOO_SMALL] error stayed when trying to load the Medusa page.

Disabling SSL in the config file makes the medusa web page reachable, but I'd of course like to be able to use https.

https://github.com/pymedusa/Medusa/issues/7563 might be related?

Any help is appreciated! :)

Bug

All 5 comments

This is because Medusa is generating a key/cert that is considered too weak by your OS. Fortunately it is pretty easy to generate a private key/cert. An example guide can be found here f.e.: https://helpcenter.gsx.com/hc/en-us/articles/115015960428-How-to-Generate-a-Self-Signed-Certificate-and-Private-Key-using-OpenSSL
I suggest you extend the validity to 5 years or so.

Ahh thanks! I'll give it a try soon.

Maybe it's a good idea to increase the default key/cert length then?

Ofc, that's why I've tagged it as bug for now 👌

Thank you, your workaround worked!

For anyone else having the same problem. Don't bother trying to generate a self-signed certificate and private key on linux using pyopenssl. Just use windows and the guide medariox provided above.

Also I used

req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout privateKey.key -out certificate.crt

The difference being a longer validity period and a bigger key size, just to make sure.
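As an added example (not Medusa's code and not something posted in this thread): a small POSIX shell script that reports the RSA size of the key behind an existing server.crt, decides whether it clears the 2048-bit floor that Buster's OpenSSL (security level 2) enforces, regenerates a 4096-bit self-signed pair when it does not, and reproduces the exact `load_cert_chain` check from the traceback with Python's `ssl` module. The file names, the CN and the 2048-bit threshold are assumptions; Medusa's own paths may differ.

```shell
#!/bin/sh
# Added example, not Medusa's code. Inspect and, if needed, regenerate the
# server.crt/server.key pair Medusa serves its web UI with.
set -eu

# Debian Buster ships OpenSSL 1.1.1 with security level 2, which refuses RSA
# keys shorter than 2048 bits; that refusal surfaces as EE_KEY_TOO_SMALL.
MIN_BITS=2048

# Print the RSA modulus size (in bits) of the public key in a PEM certificate.
# Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x).
cert_key_bits() {   # cert_key_bits <certfile>
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed (exit 0) only if the certificate's key is at least MIN_BITS.
cert_key_ok() {   # cert_key_ok <certfile>
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Generate a new self-signed pair with an RSA key of the requested size.
# Mirrors the openssl req invocation posted above, plus -subj to avoid prompts.
gen_pair() {   # gen_pair <bits> <keyfile> <certfile>
    openssl req -x509 -sha256 -nodes -days 3650 -newkey "rsa:$1" \
        -subj "/CN=medusa.local" -keyout "$2" -out "$3" 2>/dev/null
}

# Reproduce Medusa/Tornado's check outside the application: load the pair into
# an ssl.SSLContext exactly as ssl_options_to_context() does. Needs python3.
tls_context_accepts() {   # tls_context_accepts <certfile> <keyfile>
    python3 -c 'import ssl, sys
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(sys.argv[1], sys.argv[2])' "$1" "$2"
}

# Typical use: replace a too-small pair in the current directory (assumed paths).
ensure_strong_pair() {   # ensure_strong_pair <keyfile> <certfile>
    if [ -f "$2" ] && cert_key_ok "$2"; then
        echo "$2: $(cert_key_bits "$2")-bit key, fine"
    else
        echo "$2: missing or below $MIN_BITS bits, regenerating with 4096-bit RSA"
        gen_pair 4096 "$1" "$2"
    fi
}
```

Run `ensure_strong_pair server.key server.crt` in Medusa's data directory, then restart Medusa; `tls_context_accepts server.crt server.key` should exit 0 on the same host where it previously raised EE_KEY_TOO_SMALL.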
