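#!/usr/bin/env python3
"""
SSL fix tool for the MYP platform - resolves ERR_SSL_KEY_USAGE_INCOMPATIBLE.

Regenerates a self-signed TLS certificate and RSA key under ``./ssl`` with the
key-usage extensions browsers expect, backing up any existing files first.
"""

import os
import subprocess
import shutil
from pathlib import Path

# Certificate lifetime in days; used for ``openssl req -days`` and the summary.
_CERT_VALIDITY_DAYS = 365

# OpenSSL request configuration written to ssl/openssl_fix.conf for the run.
#
# NOTE(review): the SAN list is broader than a single host needs. It carries
# the wildcard *.de040.corpintra.net, *.localhost and the unspecified address
# 0.0.0.0, so whoever holds key.pem can present this certificate for any name
# in that zone to every client that was told to trust it. Narrow [alt_names]
# to the names this host actually serves.
# NOTE(review): an RSA server key needs digitalSignature and keyEncipherment;
# keyAgreement and the clientAuth EKU look unnecessary here - confirm before
# trimming, since the text below is what OpenSSL consumes.
_OPENSSL_CONFIG = """[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = DE
ST = Baden-Wuerttemberg
L = Stuttgart
O = Mercedes-Benz AG
OU = MYP Druckerverwaltung
CN = m040tbaraspi001

[v3_req]
# Basic Constraints - KRITISCH für Browser
basicConstraints = critical, CA:FALSE

# Key Usage - KRITISCH für Browser-Kompatibilität
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement

# Extended Key Usage - TLS Server Authentication
extendedKeyUsage = critical, serverAuth, clientAuth

# Subject Alternative Names - Alle Domains/IPs
subjectAltName = critical, @alt_names

# Netscape Legacy-Kompatibilität
nsCertType = server

# Identifikations-Kommentar
nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung"

[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = m040tbaraspi001
DNS.4 = m040tbaraspi001.local
DNS.5 = m040tbaraspi001.de040.corpintra.net
DNS.6 = *.de040.corpintra.net
IP.1 = 127.0.0.1
IP.2 = ::1
IP.3 = 0.0.0.0
"""


def create_browser_compatible_ssl():
    """Generate a self-signed, browser-compatible certificate in ``./ssl``.

    Writes a temporary OpenSSL config, backs up an existing ``cert.pem`` /
    ``key.pem`` (each one independently), generates a 2048-bit RSA key and a
    SHA-256 self-signed certificate, restricts file permissions and prints a
    checklist based on the ``openssl x509 -text`` output.

    Returns:
        bool: True when key and certificate were generated; False when any
        step inside the generation phase failed (the error is printed).
    """
    print("🔧 SSL BROWSER-KOMPATIBILITÄTS-FIX")
    print("=" * 50)

    # Everything lives in an "ssl" folder below the current working directory.
    ssl_dir = Path.cwd() / "ssl"
    ssl_dir.mkdir(exist_ok=True)

    cert_path = ssl_dir / "cert.pem"
    key_path = ssl_dir / "key.pem"
    config_path = ssl_dir / "openssl_fix.conf"

    print(f"📁 SSL-Verzeichnis: {ssl_dir}")

    # Explicit UTF-8: the config contains non-ASCII text and must not depend
    # on the locale's default encoding.
    config_path.write_text(_OPENSSL_CONFIG, encoding="utf-8")
    print("📝 OpenSSL-Konfiguration erstellt")

    try:
        # Back up cert and key independently, so a missing key.pem next to an
        # existing cert.pem no longer aborts the whole run.
        suffix = os.getpid()
        if cert_path.exists():
            backup_cert = ssl_dir / f"cert_backup_{suffix}.pem"
            shutil.copy2(cert_path, backup_cert)
            print(f"💾 Backup erstellt: {backup_cert}")
        if key_path.exists():
            backup_key = ssl_dir / f"key_backup_{suffix}.pem"
            shutil.copy2(key_path, backup_key)
            # copy2 keeps the source mode; never leave a key copy readable
            # by other users even if the original was.
            os.chmod(backup_key, 0o600)

        print("🔑 Generiere Private Key...")
        key_cmd = ["openssl", "genrsa", "-out", str(key_path), "2048"]
        key_run = subprocess.run(key_cmd, capture_output=True, text=True)
        if key_run.returncode != 0:
            raise RuntimeError(
                f"Private Key Generierung fehlgeschlagen: {key_run.stderr}"
            )
        # Lock the key down right away instead of after the certificate step,
        # so it is never left with looser permissions if that step fails.
        os.chmod(key_path, 0o600)
        print("✅ Private Key generiert")

        print("📜 Generiere browser-kompatibles Zertifikat...")
        cert_cmd = [
            "openssl", "req", "-new", "-x509",
            "-key", str(key_path),
            "-out", str(cert_path),
            "-days", str(_CERT_VALIDITY_DAYS),
            "-config", str(config_path),
            "-extensions", "v3_req",
            "-sha256",
        ]
        cert_run = subprocess.run(cert_cmd, capture_output=True, text=True)
        if cert_run.returncode != 0:
            raise RuntimeError(
                f"Zertifikat-Generierung fehlgeschlagen: {cert_run.stderr}"
            )
        print("✅ Browser-kompatibles Zertifikat generiert")

        os.chmod(key_path, 0o600)   # owner read/write only
        os.chmod(cert_path, 0o644)  # certificate is public data
        print("🔒 Berechtigungen gesetzt")

        print("🔍 Validiere Zertifikat...")
        check_cmd = ["openssl", "x509", "-in", str(cert_path), "-noout", "-text"]
        check_run = subprocess.run(check_cmd, capture_output=True, text=True)

        if check_run.returncode == 0:
            cert_text = check_run.stdout

            # Label -> substring expected in the textual certificate dump.
            expected = {
                "Digital Signature": "Digital Signature",
                "Key Encipherment": "Key Encipherment",
                "TLS Web Server Authentication": "TLS Web Server Authentication",
                "Subject Alternative Name": "Subject Alternative Name",
                "CA:FALSE": "CA:FALSE",
                "SHA-256": "sha256WithRSAEncryption",
            }
            checks = {
                label: needle in cert_text for label, needle in expected.items()
            }

            print("\n📋 BROWSER-KOMPATIBILITÄTS-PRÜFUNG:")
            for check_name, passed in checks.items():
                status = "✅" if passed else "❌"
                print(f" {status} {check_name}")

            # Failed checks are reported but deliberately do not fail the run.
            if all(checks.values()):
                print("\n🎉 ALLE BROWSER-KOMPATIBILITÄTS-CHECKS BESTANDEN!")
            else:
                print("\n⚠️ Einige Checks fehlgeschlagen - Zertifikat kann trotzdem funktionieren")
        else:
            # Previously skipped silently; surface that nothing was verified.
            print(f"⚠️ Zertifikat konnte nicht geprüft werden: {check_run.stderr}")

        print("\n📊 ERGEBNIS:")
        print(f" 📄 Zertifikat: {cert_path}")
        print(f" 🔑 Private Key: {key_path}")
        print(f" 📅 Gültig bis: {_CERT_VALIDITY_DAYS} Tage")

        # NOTE(review): step 4 has users bypass the browser warning. The
        # certificate is self-signed; importing cert.pem into the clients'
        # trust store avoids teaching users to click through TLS warnings.
        print("\n🌐 NÄCHSTE SCHRITTE:")
        print(" 1. Browser-Cache leeren (Strg+Shift+Del)")
        print(" 2. MYP-Anwendung neu starten")
        print(" 3. https://localhost:5000 aufrufen")
        print(" 4. Bei SSL-Warnung: 'Erweitert' → 'Weiter zu localhost (unsicher)'")

        return True

    except Exception as e:
        print(f"❌ FEHLER: {e}")
        return False
    finally:
        # Remove the temporary config on failure as well as on success.
        config_path.unlink(missing_ok=True)


def check_openssl():
    """Report whether the ``openssl`` command can be executed.

    Returns:
        bool: True when ``openssl version`` exits with status 0, False when
        it exits non-zero or the executable is not found.
    """
    try:
        probe = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True
        )
    except FileNotFoundError:
        print("❌ OpenSSL nicht installiert")
        print("💡 Installiere mit: sudo apt install openssl")
        return False

    if probe.returncode != 0:
        print("❌ OpenSSL nicht verfügbar")
        return False

    print(f"✅ OpenSSL verfügbar: {probe.stdout.strip()}")
    return True


def main():
    """Run the OpenSSL availability check, then regenerate the certificate.

    Returns:
        bool: True when the certificate was regenerated, False otherwise.
    """
    print("🔧 MYP SSL BROWSER-KOMPATIBILITÄTS-FIX")
    print("Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler")
    print("=" * 60)

    if not check_openssl():
        return False

    success = create_browser_compatible_ssl()

    if success:
        print("\n✅ SSL-Fix erfolgreich abgeschlossen!")
        print("🌐 Browser-Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein.")
    else:
        print("\n❌ SSL-Fix fehlgeschlagen!")
        print("📞 Prüfe COMMON_ERRORS.md für weitere Hilfe.")

    return success


if __name__ == "__main__":
    # Propagate failure as a non-zero exit status so wrappers can detect it.
    raise SystemExit(0 if main() else 1)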