I generated the TLS certificate file using mkcert: mkcert 192.168.2.10
I use TRestHttpServer.Create(port,[restserver...],'+',WEBSOCKETS_DEFAULT_MODE,4,secTLS,'','', HTTPSERVER_DEFAULT_OPTIONS,@vtls).
When the browser accessed the service via https://192.168.2.10:port, the server reported an error: raised exception class 'ESChannel' with message: recv: Handshake aborted At line 2041 in file mormot.net.sock.windows.inc...
Offline
It's expected for a self-signed certificate; you should be able to read SEC_E_CERT_UNKNOWN / error 87. It means Windows/SChannel cannot validate the certificate chain or certificate trust state. Ignore it at debugger level. You can also add the certificate to your host store and test again (for the science...).
Offline
In debugging mode, this error occurs: SEC_E_CERT_UNKNOWN / error 87. Whether using secTLSSelfSigned or secTLS, it is the same. After ignoring the error, the service cannot work properly. I have installed the root certificate on the client computer. Now we need to access it within the local network via HTTPS. I'm not sure what to do.
Offline
Yes of course, and what do you mean by "the service cannot work properly"? Try to first accept the unsafe cert from the browser. I mean, just open the URL of the service API call in a browser tab, accept the unsafe connection once, then API calls will work.
// - secTLS will use HTTPS secure connection (user-provided self-signed or not)
// - secTLSSelfSigned will use HTTPS secure connection with a (temporary) self-signed certificate (will generate an temporary self-signed certificate at startup)
Offline
Thank you for your reply.
With the same certificate file (for our mormot2 server, it was converted from pem to pfx using openssl), the browser can access the service normally when using nginx, but there is an insecure warning. However, when using our mormot2 server, the browser keeps showing a 400 error: 400 Bad Request.
Offline
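One way to sanity-check the PEM-to-PFX conversion mentioned in the post above, before pointing the server at the file. This is an added example, not code from the thread or from mORMot; the function names, the file names key.pem, cert.pem and server.pfx, and the password are assumptions, and a constructed self-signed certificate stands in for the mkcert output.

```shell
#!/bin/sh
# Constructed stand-in for the mkcert output: self-signed cert + key with the
# server IP in subjectAltName. Usage: make_test_cert DIR IP
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=IP:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Bundle key and certificate into DIR/server.pfx. Usage: pem_to_pfx DIR PASSWORD
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/server.pfx" -passout "pass:$2"
}

# Succeeds only if the PFX opens with PASSWORD and the private key inside it
# belongs to cert.pem (compares public-key digests).
pfx_key_matches() {
    want=$(openssl x509 -in "$1/cert.pem" -noout -pubkey | openssl sha256)
    got=$(openssl pkcs12 -in "$1/server.pfx" -passin "pass:$2" -nodes -nocerts \
            2>/dev/null | openssl pkey -pubout 2>/dev/null | openssl sha256)
    [ "$want" = "$got" ]
}

# Succeeds only if the certificate inside the PFX is valid for IP.
pfx_covers_ip() {
    openssl pkcs12 -in "$1/server.pfx" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -noout -checkip "$3" 2>/dev/null | grep -q "does match"
}

# Demo run on throwaway files.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" 192.168.2.10
pem_to_pfx "$demo_dir" changeit
pfx_key_matches "$demo_dir" changeit && pfx_covers_ip "$demo_dir" changeit 192.168.2.10 \
    && echo "server.pfx: key matches, IP covered"
```

With real mkcert files, skip make_test_cert and place the generated certificate and key in the directory under the assumed names.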
Regardless of whether the FORCE_OPENSSL compilation option is used or not, the log shows this error:
EXC ESChannel {Message: "<>: HandshakeStep returned 80090327 SEC_E_CERT_UNKNOWN, System Error 87 [ERROR_INVALID_PARAMETER]"} [R0:apiv1pm apiv1auth web] at 81e34c .. /.. /src/orm/mormot.orm.client.pas (378) {8 8.03 4.93 8.3GB/23.8GB 23f00f01}
Offline
1) Error 400 has nothing to do with a TLS issue.
2) If you have an ESChannel exception, it means that OpenSSL is not used. You need to include the proper mormot.lib.openssl11 unit to have OpenSSL enabled.
Offline
Thank you very much. It worked. This is the first time I have used TLS in mORMot.
Finally, it was discovered that the problem was actually RootRedirectToUri. The third parameter was set to false by default, so it never redirected to the address of the static web page.
Offline