Failed to make https request with self signed certificate authentication

Question

In order to make clients authentication with a self signed certificate, I went through the following steps:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -nodes -key ca.key -out ca.crt

Create the Server Key, CSR, and Certificate

openssl genrsa -out server.key 1024
openssl req -nodes -new -key server.key -out server.csr

We're self signing our own server cert here. This is a no-no in production.

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Create the Client Key and CSR

openssl genrsa -out client.key 1024
openssl req -new -nodes -key client.key -out client.csr

Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.

openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Then I verified the created the certificates via:

Verify Server Certificate

openssl verify -purpose sslserver -CAfile ca.crt server.crt

Verify Client Certificate

openssl verify -purpose sslclient -CAfile ca.crt client.crt

which all are OK.

I configured my python tornado server:

if __name__ == "__main__":
   app = make_app()

   ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
   ssl_ctx.load_cert_chain("../server.crt", "../server.key")
   ssl_ctx.load_verify_locations("../ca.crt")
   ssl_ctx.verify_mode = ssl.CERT_REQUIRED
   http_server = tornado.httpserver\
    .HTTPServer(app, ssl_options=ssl_ctx)
   http_server = tornado.httpserver.HTTPServer(app)
   http_server.listen(80)
   logging.info("Server is running.")
   tornado.ioloop.IOLoop.current().start()

but when I make a curl request via

curl -v -s -k --key client.key --cert client.crt https://localhost/open/address/health

It returns connection refused

*   Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connection failed
* connect to 127.0.0.1 port 443 failed: Connection refused
* Failed to connect to localhost port 443: Connection refused
* Closing connection 0

Your service is listening on port 80, yet you are trying to connect to 443. — Gerald Schneider, Jul 30 '19 at 09:03
You're testing against the default port for https, port 443, but a quick look at your code only shows a `http_server.listen(80)` , the default port for plain http — HBruijn, Jul 30 '19 at 09:03