Can't signup for certificate with python flask on Ubuntu

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chftracker.com

I ran this command: sudo certbot --apache

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: chftracker.com
2: www.chftracker.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for chftracker.com and www.chftracker.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: chftracker.com
Type: dns
Detail: no valid A records found for chftracker.com; no valid AAAA records found for chftracker.com

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.58 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04 LTS

My hosting provider, if applicable, is: Amazon Web Services, EC2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

I am using Namecheap as my DNS registrar. I did add a CAA record, host @, value "letsencrypt.org" to the Namecheap entry but am still getting this error. My web application is a Python (Python 3.12.3) Flask program. Thanks for any help you can provide. I am a beginner and this is a final project from an online intro to CS class (Harvard's CS50x) that I have almost deployed but am stuck at the adding-SSL phase despite much searching. I'd appreciate any help you could provide.

Hello @greginwashington,

The apex domain name has no associated IP Address DNS Records (i.e. A and/or AAAA).

So it can’t get a certificate issued with the HTTP-01 challenge.

The www does have associated IP Address DNS Record.

Most likely you want both the apex and the www to point to the same server.

2 Likes

Thanks so much for your help, that was the fix to allow the certificate to be issued. I had spent many frustrating hours of searching without any luck to fix it.

I'm still getting an error after the certificate was issued:

Error while running apache2ctl configtest.
AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/chftracker.com.conf:
Name duplicates previous WSGI daemon definition.

but I will try troubleshooting that on my own and post back if I can't figure it out.

For those like me without much knowledge who might come across this on a Google search in the future: I had in my DNS entry an A record, host www, value (my IP address). I added another DNS entry as an A record, host @, value (my IP address), and this allowed the Certbot certificate to be issued.

2 Likes

Actually, that was needed for anyone on the public internet to connect using that name. Not just the Let's Encrypt auth servers.

As for WSGI, you used the --apache option which creates a port 443 VirtualHost using the port 80 VirtualHost as a template. You probably had a WSGI line in that which got replicated in the port 443 VHost and thus duplicated across the entire Apache config.

You hadn't posted back so maybe you found it. I thought I'd give an explanation of what likely happened for future reference.

2 Likes

Yes, you are correct that that line (host @) is for the entire internet to connect to my site. I didn't think it was necessary, though, as typing in chftracker.com would open my site, so I didn't realize the error.

As to the other bug, I haven't figured out yet, but you are correct that I have a WSGI line in my WSGI config file. Here is the complete config file:

<VirtualHost *:80>
    ServerName chftracker.com
    DocumentRoot /opt/flask-app/

    WSGIDaemonProcess app user=ubuntu group=ubuntu threads=5 python-home=/opt/flask-app/flask-venv
    WSGIScriptAlias / /opt/flask-app/flask-app.wsgi

    ErrorLog ${APACHE_LOG_DIR}/flask-error.log
    CustomLog ${APACHE_LOG_DIR}/flask-access.log combined

    <Directory /opt/flask-app>
        WSGIProcessGroup app
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Require all granted
    </Directory>
</VirtualHost>

Review the post below. It will probably help with your WSGI problem.

2 Likes

Yes, that fixed it. I placed the WSGIDaemonProcess app user=ubuntu group=ubuntu threads=5 python-home=/opt/flask-app/flask-venv line one line above the <VirtualHost *:80> and it worked perfectly.
I really appreciate your help. Thanks!

2 Likes
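The layout that the two posts above describe, as an added example (not the poster's file and not certbot's output): the WSGI daemon is declared once at server scope, so the port-80 VirtualHost and the port-443 VirtualHost that certbot --apache clones from it both reference the same process group instead of each carrying a WSGIDaemonProcess line. The -le-ssl.conf file name, the ServerAlias for www and the SSL directives shown are assumptions about what certbot produces.

```apache
# /etc/apache2/sites-available/chftracker.com.conf
# Daemon defined once, outside any VirtualHost, so cloning the vhost
# cannot duplicate it (the cause of "Name duplicates previous WSGI
# daemon definition").
WSGIDaemonProcess app user=ubuntu group=ubuntu threads=5 python-home=/opt/flask-app/flask-venv

<VirtualHost *:80>
    ServerName chftracker.com
    # Assumed: both names point at this server, as the DNS fix above requires
    ServerAlias www.chftracker.com
    DocumentRoot /opt/flask-app/
    WSGIScriptAlias / /opt/flask-app/flask-app.wsgi
    ErrorLog ${APACHE_LOG_DIR}/flask-error.log
    CustomLog ${APACHE_LOG_DIR}/flask-access.log combined
    <Directory /opt/flask-app>
        # References the daemon; does not define it
        WSGIProcessGroup app
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
</VirtualHost>

# /etc/apache2/sites-available/chftracker.com-le-ssl.conf
# (assumed certbot-generated layout; same body, no daemon definition)
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName chftracker.com
    ServerAlias www.chftracker.com
    DocumentRoot /opt/flask-app/
    WSGIScriptAlias / /opt/flask-app/flask-app.wsgi
    ErrorLog ${APACHE_LOG_DIR}/flask-error.log
    CustomLog ${APACHE_LOG_DIR}/flask-access.log combined
    <Directory /opt/flask-app>
        WSGIProcessGroup app
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/chftracker.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chftracker.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

Run apache2ctl configtest after editing; with the daemon at server scope it should report Syntax OK rather than the duplicate-definition error.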

Entering that name shouldn't have worked for you if you were using the public internet to test. Perhaps if you had a hosts file set up to handle that name and used your local network it would have.

You said this is part of an education course. It will help in the long run to truly understand why that did or did not work. Just "ticking the boxes" doesn't provide a good foundation for the future.

2 Likes

Yes, but typing in the domain name would work in different browsers (with the A record, host www, pointing to the IP address only, despite not having the host @) on different devices other than my own. It wouldn't work if I sent the domain name over iMessage, however. Regardless, I appreciate your advice. The domain is fixed and is now working fine.

1 Like
