Certbot not working with uvicorn / fastAPI on Ubuntu

I am trying to create an SSL certificate so I can access my uvicorn fastAPI webserver through HTTPS. The webserver is accessed through a subdomain.

I followed the tutorial here: Certbot Instructions | Certbot

When I ran the "sudo ln -s /snap/bin/certbot /usr/bin/certbot" command, I got the following response:
"ln: failed to create symbolic link '/usr/bin/certbot': File exists" But I wasn't sure if it was a cause for concern.

Everything else seemed to run smoothly, but when I try to access https://ai.qatalyst.ca I get "This site can’t be reached ERR_CONNECTION_REFUSED".

My domain is:
ai.qatalyst.ca

I ran this command:
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone
sudo certbot renew --dry-run
uvicorn main:app --host 0.0.0.0 --port 80

It produced this output:
I am able to access my API from ai.qatalyst.ca, and www.ai.qatalyst.ca but not from https://ai.qatalyst.ca or https://www.ai.qatalyst.ca

My web server is (include version):
uvicorn 0.18.3 with fastAPI 0.85

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
Cloudzy

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.0

Have you considered using a reverse proxy in front of your uvicorn application, such as nginx?

It would allow you to issue/renew certificates without having to stop uvicorn, and Certbot could also automatically secure the virtualhost without you having to configure it.

It's not clear to me from uvicorn's HTTPS documentation whether it's even possible to bind to port 80 and 443 at once - there's only one --port option.

3 Likes

I'm not familiar with nginx.
Would this tutorial be sufficient for me to set it up on my server? How to setup an Nginx reverse proxy server example

I imagine I would then run my uvicorn app on port :8080 and then have my proxy_pass set like this to pass all requests through to it:

location / {
    proxy_pass http://127.0.0.1:8080;
}
1 Like

Yep! Something like:

server {
  listen 80;
  server_name  ai.qatalyst.ca www.ai.qatalyst.ca;
  location / {
    proxy_pass http://127.0.0.1:8080;
  }
}

Followed by:

sudo certbot --nginx -d ai.qatalyst.ca -d www.ai.qatalyst.ca
3 Likes

Wouldn't that also require something like this?
uvicorn main:app --host 0.0.0.0 --port 443
[and the addition of the certificate to the configuration]

OR

A proxy in front of it [seems simpler to manage]

3 Likes

When I tried just running the uvicorn webserver on port 443, I couldn't get it to work.

But setting up a reverse proxy on Nginx and pointing it to uvicorn on port 8000 did work. Thanks for the help :smiley:

1 Like
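
An added example, not written by any poster in this thread: a shell check that reads `ss -tlnH` output and reports why HTTPS was refused in the first post (nothing listens on 443) and whether the uvicorn backend is still bound to a public address once nginx is in front of it. The socket listings are constructed, the function names are hypothetical, and backend port 8000 is taken from the last post.

```shell
#!/bin/sh
# Added example, not from the thread. Sample socket listings are constructed.
# Live use on the server: diagnose "$(ss -tlnH)" 8000

# listeners PORT: read `ss -tlnH` lines on stdin, print each local address
# that has a TCP listener on PORT (handles 0.0.0.0:80 and [::]:443 forms).
listeners() {
  awk -v want="$1" '$1 == "LISTEN" {
    n = split($4, part, ":"); port = part[n]
    if (port == want) print substr($4, 1, length($4) - length(port) - 1)
  }'
}

# diagnose SS_OUTPUT BACKEND_PORT: print one finding per line.
diagnose() {
  if [ -n "$(printf '%s\n' "$1" | listeners 443)" ]; then
    echo "443: listener present"
  else
    echo "443: no listener, HTTPS is refused even if a certificate is on disk"
  fi
  printf '%s\n' "$1" | listeners "$2" | while read -r addr; do
    case $addr in
      127.*|'[::1]') echo "$2: backend on loopback only ($addr)" ;;
      *) echo "$2: backend listens on $addr, reachable without the proxy unless firewalled" ;;
    esac
  done
}

# State in the first post: certonly --standalone done, uvicorn on port 80 only.
SAMPLE_STANDALONE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 2048 0.0.0.0:80 0.0.0.0:*'

# Proxy in place, but uvicorn still started with --host 0.0.0.0.
SAMPLE_PROXY_OPEN='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 2048 0.0.0.0:8000 0.0.0.0:*'

# Proxy in place, uvicorn started with --host 127.0.0.1 --port 8000.
SAMPLE_PROXY_LOOPBACK='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*'

for sample in "$SAMPLE_STANDALONE" "$SAMPLE_PROXY_OPEN" "$SAMPLE_PROXY_LOOPBACK"; do
  diagnose "$sample" 8000; echo "--"
done
```

Since the nginx `proxy_pass` target is 127.0.0.1, uvicorn only needs `--host 127.0.0.1` behind the proxy; the third sample shows that state.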