SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.X.XX'. (_ssl.c:997)

I’m trying to create a simple messenger in Python. Everything worked well until I decided to implement SSL/TLS. Now, even though I have a certificate that is using the correct IP address, and is self-signed, I get this error: `ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for 'XXX.XXX.X.XX'. (_ssl.c:997)` I’ve tried to recreate my certificate many times, but each time it is the same. Here are the certificate’s details:

```
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            0e:0e:79:f2:c7:95:1f:8f:e4:ac:dc:d4:b3:63:83:2f:a2:64:70:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 192.168.X.1XX
        Validity
            Not Before: Jun 23 15:24:15 2023 GMT
            Not After : Jun 22 15:24:15 2024 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 192.168.X.XX
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:7d:94:14:9d:6d:cb:88:35:a7:f3:92:a8:28:
                    c4:ac:3d:5b:ba:dd:1f:5d:c6:d8:a4:97:bb:c1:b9:
                    6f:c6:0d:af:27:a2:3f:61:fd:1c:75:9b:0b:09:bf:
                    35:25:44:c8:d8:44:14:2a:e3:c1:ee:4a:3f:d5:2f:
                    98:fc:bf:fd:63:dd:1e:62:78:f5:5d:69:f9:46:43:
                    9e:fb:32:e3:a8:a6:f2:da:c3:22:93:92:dc:9f:92:
                    6f:73:8c:12:19:34:18:31:1a:ba:69:91:63:d0:fa:
                    9a:47:52:21:04:f9:85:e7:c3:65:60:0f:f2:b3:0c:
                    00:37:03:8b:11:f7:53:aa:41:e9:e6:93:94:d4:eb:
                    32:40:2b:fd:09:e8:0a:a4:1d:24:3c:73:6d:c0:08:
                    5a:72:5e:41:a5:1f:61:21:65:8d:5b:16:48:ee:63:
                    86:19:c3:2c:98:28:6a:fb:0d:7f:fd:13:38:83:e4:
                    78:6e:5c:dd:2e:72:5f:5c:72:89:fc:1e:83:dc:a8:
                    46:bd:44:6c:12:45:2b:8b:85:18:b7:e0:26:9c:8a:
                    40:dd:f9:de:d7:21:fa:34:b4:72:e3:2b:d4:87:9f:
                    2f:5e:00:5b:56:24:97:ad:38:d2:ec:97:8a:f9:d5:
                    41:5c:98:25:f3:34:0c:56:d3:6d:80:8d:b4:e4:72:
                    5d:75
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        64:29:2d:50:50:fa:43:5a:a4:44:77:86:87:2f:65:94:06:73:
        20:b7:66:27:fd:c8:86:6c:ac:30:51:81:b7:6d:66:33:fb:d8:
        92:4b:e6:99:8f:a1:04:4a:ba:1e:d5:0e:7f:e2:5b:f8:aa:0c:
        8f:91:65:95:70:de:38:8a:cf:bf:2d:7f:59:c4:c0:31:1c:aa:
        af:a9:1e:31:69:ce:26:d0:2b:b7:32:fc:28:c6:57:37:aa:1b:
        31:12:74:28:ed:63:57:58:7a:3f:c9:65:8c:54:b2:97:03:3f:
        48:da:ff:9c:99:4e:11:67:78:55:a6:a7:bf:24:a4:d5:76:4f:
        37:54:b1:01:00:f1:ac:f5:b8:74:51:fe:3d:37:4d:bd:7b:c8:
        04:06:59:28:1d:49:86:80:21:eb:a3:87:a0:b2:f8:43:14:dd:
        ad:80:fe:6c:59:41:03:31:ff:65:0e:98:12:3f:66:45:1b:c9:
        8c:05:97:ea:69:94:a4:2f:d3:28:b4:5e:54:91:2a:8e:40:ed:
        7c:fe:30:bb:3b:75:99:9e:cf:b2:a8:71:eb:38:85:10:d2:0c:
        e1:bb:44:69:a1:43:01:0b:30:09:47:ae:3e:c3:98:b8:ce:e7:
        65:b5:05:10:f0:c1:bc:11:a0:84:d4:00:8f:04:05:e4:b2:93:
        40:94:f4:1e
```

Here is the code for the server:

```python
import socket
import ssl

# Set port number
port = 443
HOST = '192.168.X.XX'

# Load key and certificate
keyfile = '/etc/ssl/private/serverkey.pem'
certfile = '/etc/ssl/certs/servercert.pem'
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile, keyfile)

# Create socket and bind to port
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((HOST, port))
sock.listen()
print('Waiting for a connection...')

# Accept incoming connections and wrap in TLS
while True:
    conn, addr = sock.accept()
    # The TLS handshake runs inside wrap_socket. If the client rejects the
    # certificate it sends an alert and this raises ssl.SSLError, so catch
    # it here instead of letting one bad client take the server down
    # (the SSLSocket closes the underlying connection itself on failure)
    try:
        ssl_conn = context.wrap_socket(conn, server_side=True)
    except ssl.SSLError as exc:
        print(f'Handshake with {addr} failed: {exc}')
        continue
    print(f'Connected by {addr}')

    # Receive and send messages; the with block closes the TLS connection
    # and the underlying socket when the peer disconnects
    with ssl_conn:
        while True:
            data = ssl_conn.recv(1024)
            if not data:
                break
            print(f'Received: {data.decode()}')
            message = input('Enter message to send: ')
            ssl_conn.sendall(message.encode())
```

Here is the code for the client:

```python
import socket
import ssl

# Set server hostname or IP address and port number
server = '192.168.X.X'
port = 443

# The server's self-signed certificate is the only thing the client needs:
# it is used as the trust anchor. The server's private key belongs on the
# server only, so it is not loaded here (a client certificate is only needed
# if the server asks for one, which this server does not)
certfile = '/etc/ssl/certs/servercert.pem'

# Create TCP socket and connect to server
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server, port))

# Create SSL context and wrap socket in TLS. The default context verifies
# the certificate chain and checks that the certificate is valid for
# server_hostname; for an IP address that means an iPAddress entry in the
# subjectAltName extension, the CN is not consulted
context = ssl.create_default_context(cafile=certfile)
# Setting check_hostname = False makes the error go away, but it also removes
# the check that you are talking to the server you intended, so leave it on
#context.check_hostname = False
ssl_sock = context.wrap_socket(sock, server_hostname=server)

# Send and receive messages; the with block closes the TLS connection and
# the underlying socket on exit
with ssl_sock:
    while True:
        message = input('Enter message to send: ')
        ssl_sock.sendall(message.encode())
        data = ssl_sock.recv(1024)
        if not data:
            break
        print(f'Received: {data.decode()}')
```

Not sure of the relevance, but the certificate and key are located in /etc/ssl/certs/servercert.pem and /etc/ssl/private/serverkey.pem respectively.

I tried remaking the certificates, I changed some of the code, but it’s always the same result.

Thanks in advance for any help!

How are you generating the certificates? Are they self-signed? Does the common name (CN) match the IP address? I’m seeing some confusing things in the censored information, and honestly, you could probably just skip censoring it, since 192.168.x.y is a local IP address, not a public one :slight_smile:

Thanks for the quick reply! I’m using OpenSSL to create a self-signed certificate. The CN is the IP address, which is 192.168.0.10. I really have no idea why it doesn’t work - I’ve redone this process 3 times… The error says that the certificate isn’t valid for 192.168.0.10, which doesn’t make sense, because the CN is 192.168.0.10. I may simply be missing something important, as this is my first time using SSL/TLS.
Thanks!

It’s just saying that the certificate isn’t valid. There could be several reasons for that; CN mismatch is definitely one of them, but not the only one. I’m not hugely familiar with the process for self-signed certificates in Python, as I almost never use them.

Quick confirmation though: is `server` (the variable with your server’s IP/hostname) set to precisely the same string as the common name?

Otherwise, I’d be looking into the way that load_verify_locations is registering the authorities.

Hey, I just found something - apparently using an IP for the CN is deprecated. I need to change the SAN field, according to this post. Thanks for your help!
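The fix the thread lands on, as an added example that is not part of the original thread or of the Python documentation: mint a CN-only self-signed certificate and one that carries an IP `subjectAltName` with the openssl CLI, then run the client's verification against each in memory with Python's `ssl` module, without opening any sockets. It assumes `openssl` 1.1.1 or newer is on PATH (for `-addext`) and Python 3.7 or newer; the address 192.168.0.10 is the one named in the thread, and the function and file names are this example's own.

```python
"""Added example (not from the thread): reproduce the IP-mismatch error in
memory and show that an iPAddress subjectAltName entry resolves it.

Assumes the openssl CLI (1.1.1+) is on PATH. Names below are this example's own.
"""
import ssl
import subprocess
import tempfile
from pathlib import Path

IP = "192.168.0.10"  # the address used in the thread


def make_self_signed(directory, name, san=None):
    """Create a self-signed RSA cert and key with CN=IP. When `san` is given
    (e.g. 'IP:192.168.0.10') it is added as a subjectAltName extension.
    Returns (certfile, keyfile) as Path objects."""
    cert = Path(directory) / f"{name}.pem"
    key = Path(directory) / f"{name}.key"
    cmd = [
        "openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
        "-days", "365", "-subj", f"/CN={IP}",
        "-keyout", str(key), "-out", str(cert),
    ]
    if san:
        cmd += ["-addext", f"subjectAltName={san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return cert, key


def handshake_error(certfile, keyfile, server_hostname):
    """Run a full TLS handshake between an in-memory client and server.

    The client trusts only `certfile` and checks it against `server_hostname`,
    exactly as ssl.create_default_context() does on a real socket. Returns
    None when the handshake succeeds, otherwise the verification message."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile, keyfile)
    client_ctx = ssl.create_default_context(cafile=certfile)  # check_hostname stays True

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=server_hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    def step(side):
        """Advance one side; True once its handshake is complete."""
        try:
            side.do_handshake()
            return True
        except ssl.SSLWantReadError:  # waiting for the peer's next flight
            return False

    def pump(src, dst):
        """Move whatever one side wrote into the other side's input."""
        data = src.read()
        if data:
            dst.write(data)

    client_done = server_done = False
    for _ in range(10):  # a TLS 1.2/1.3 handshake needs only a few round trips
        try:
            client_done = client_done or step(client)
        except ssl.SSLCertVerificationError as exc:
            # Same text as the thread's error: OpenSSL only matches an IP
            # against iPAddress SAN entries, never against the CN
            return exc.verify_message
        pump(c_out, s_in)
        server_done = server_done or step(server)
        pump(s_out, c_in)
        if client_done and server_done:
            return None
    raise RuntimeError("handshake did not complete")


def run_demo():
    """Mint a CN-only cert and a cert with an IP SAN; verify both against IP."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        for name, san in (("cn_only", None), ("with_san", f"IP:{IP}")):
            cert, key = make_self_signed(work, name, san)
            results[name] = handshake_error(cert, key, IP)
    return results


if __name__ == "__main__":
    for name, err in run_demo().items():
        print(f"{name}: {'handshake OK' if err is None else err}")
```

Run directly, `cn_only` reports the same "IP address mismatch, certificate is not valid for '192.168.0.10'." message as the question, while `with_san` completes the handshake. The `-addext "subjectAltName=IP:192.168.0.10"` argument is the same one to pass to `openssl req` when regenerating the real server certificate; confirm the extension landed with `openssl x509 -in servercert.pem -noout -ext subjectAltName` before touching the Python code.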