📚 Reorganized documentation files and renamed for clarity
This commit is contained in:
175
backend/DOCS/QUICK_SSL_FIX.md
Normal file
@ -0,0 +1,175 @@
# QUICK SSL FIX - ERR_SSL_KEY_USAGE_INCOMPATIBLE
## 🔧 Schnelle Lösung für Browser-SSL-Fehler
Der Fehler `ERR_SSL_KEY_USAGE_INCOMPATIBLE` tritt auf, weil die SSL-Zertifikat-Extensions nicht browser-kompatibel sind.
## ⚡ Sofort-Lösung
### Schritt 1: SSL-Verzeichnis vorbereiten
```cmd
cd backend
mkdir ssl
```
### Schritt 2: Erstelle OpenSSL-Konfiguration
Erstelle eine Datei `ssl/openssl_fix.conf` mit folgendem Inhalt:
```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Baden-Wuerttemberg
L = Stuttgart
O = Mercedes-Benz AG
OU = MYP Druckerverwaltung
CN = m040tbaraspi001
[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = critical, @alt_names
nsCertType = server
[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = m040tbaraspi001
DNS.4 = m040tbaraspi001.local
DNS.5 = m040tbaraspi001.de040.corpintra.net
DNS.6 = *.de040.corpintra.net
IP.1 = 127.0.0.1
IP.2 = ::1
IP.3 = 0.0.0.0
```
### Schritt 3: Generiere neue Zertifikate (falls OpenSSL verfügbar)
```cmd
cd ssl
# Private Key generieren
openssl genrsa -out key.pem 2048
# Browser-kompatibles Zertifikat erstellen
openssl req -new -x509 -key key.pem -out cert.pem -days 365 -config openssl_fix.conf -extensions v3_req -sha256
# Aufräumen
del openssl_fix.conf
```
### Schritt 4: Validierung
```cmd
# Prüfe Zertifikat-Extensions
openssl x509 -in cert.pem -noout -text | findstr "Digital Signature"
openssl x509 -in cert.pem -noout -text | findstr "Key Encipherment"
openssl x509 -in cert.pem -noout -text | findstr "TLS Web Server Authentication"
```
## 🌐 Alternative: Vorgefertigte Zertifikate
Falls OpenSSL nicht verfügbar ist, erstelle die Dateien manuell:
### `ssl/cert.pem` (Browser-kompatibel):
```
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIUQxJ8K9B2C7VdF8G5H3K8N9M7P2QwDQYJKoZIhvcNAQEL
BQAwazELMAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzES
MBAGA1UEBwwJU3R1dHRnYXJ0MRgwFgYDVQQKDA9NZXJjZWRlcy1CZW56IEFHMREw
DwYDVQQLDAhNWVAgVGVhbTAeFw0yNTAxMTIwMDAwMDBaFw0yNjAxMTIwMDAwMDBa
MGsxCzAJBgNVBAYTAkRFMRswGQYDVQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxEjAQ
BgNVBAcMCVN0dXR0Z2FydDEYMBYGA1UECgwPTWVyY2VkZXMtQmVueiBBRzERMA8G
A1UECwwITVlQIFRlYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
... (gekürzt für Übersicht) ...
-----END CERTIFICATE-----
```
### `ssl/key.pem` (Private Key):
```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAu3k5... (gekürzt für Sicherheit) ...
-----END RSA PRIVATE KEY-----
```
## 🔄 Nach der SSL-Reparatur
### 1. Browser-Cache vollständig leeren:
- **Chrome/Edge**: Strg+Shift+Del → "Gesamte Zeit" → alle Optionen aktivieren
- **Firefox**: Strg+Shift+Del → "Alles" auswählen
### 2. MYP-Anwendung neu starten
```cmd
# Stoppe laufende Instanzen
taskkill /f /im python.exe
# Starte MYP neu
python app.py
```
### 3. Browser-Zugriff testen
1. Öffne: `https://localhost:5000`
2. Bei SSL-Warnung: **"Erweitert"** → **"Weiter zu localhost (unsicher)"**
3. Der `ERR_SSL_KEY_USAGE_INCOMPATIBLE` Fehler sollte verschwunden sein
## 🚨 Fallback-Lösung
Falls SSL-Probleme weiterhin bestehen:
### HTTP-Modus verwenden:
```cmd
# Ändere in config.py:
USE_HTTPS = False
HOST = "0.0.0.0"
PORT = 5000
# Zugriff über:
http://localhost:5000
```
### Browser-spezifische Lösungen:
#### Chrome/Edge:
```
chrome://flags/#allow-insecure-localhost
→ "Enabled" setzen → Browser neu starten
```
#### Firefox:
```
about:config
→ security.tls.insecure_fallback_hosts
→ localhost,m040tbaraspi001
```
## 📊 Erfolg-Validierung
Nach dem Fix sollten folgende Zertifikat-Extensions vorhanden sein:
- ✅ **basicConstraints**: CA:FALSE
- ✅ **keyUsage**: Digital Signature, Key Encipherment, Key Agreement
- ✅ **extendedKeyUsage**: TLS Web Server Authentication
- ✅ **subjectAltName**: localhost, m040tbaraspi001, etc.
## 🔍 Debugging
Falls Probleme weiterhin bestehen:
### Zertifikat-Details anzeigen:
```cmd
openssl x509 -in ssl/cert.pem -noout -text
```
### Verbindung testen:
```cmd
openssl s_client -connect localhost:5000 -servername localhost
```
### Browser Developer Tools:
- F12 → Security-Tab → Zertifikat-Details prüfen
---
**💡 Der ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler sollte nach diesen Schritten behoben sein!**
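
Review bot: The fallback under "HTTP-Modus verwenden" combines `USE_HTTPS = False` with `HOST = "0.0.0.0"`, so the application is served unencrypted on every interface even though the access line only shows `http://localhost:5000`; if a plaintext fallback stays in the document, bind it to 127.0.0.1 and label it as local troubleshooting only. In Schritt 4, `findstr "Key Encipherment"` treats the quoted text as two separate search words, so it also matches lines such as "Public Key Algorithm" and the check passes even when the extension is absent (likewise "Digital Signature" matches every "Signature Algorithm" line); use `findstr /C:"Key Encipherment"` for all three checks. The Firefox entry `security.tls.insecure_fallback_hosts` controls TLS version fallback and has no effect on key-usage checks, so it weakens the two listed hosts without addressing this error and should be dropped. In `[alt_names]`, `IP.3 = 0.0.0.0` and the wildcards `*.localhost` and `*.de040.corpintra.net` make the certificate valid for far more than the host named in `CN`; keep only the names the server is actually reached by. The "Alternative" section asks readers to create `cert.pem` and `key.pem` by hand from bodies that are marked "gekürzt", which cannot produce usable files, and a shared private key in documentation should not be the fallback in any case; point to an OpenSSL install instead. Finally, `taskkill /f /im python.exe` ends every Python process on the machine, not only MYP.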