Configure Let's Encrypt in wsgiref?

I'm using the Python wsgiref module with the simple server to run an application. How do I configure Let's Encrypt to be able to run the application on HTTPS?

My domain is:
webstrucs.com

I ran this command:
not yet

It produced this output:
not yet

My web server is (include version):
Module python ( wsgiref )

The operating system my web server runs on is (include version):
Linux : Debian Buster

My hosting provider, if applicable, is:
Microsoft Azure ( VM )

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
not

1 Like

It's usually best to run WSGI applications behind another webserver, like nginx or Apache.

You can configure nginx to proxy requests to your WSGI application.

There's two big benefits to doing so:

  1. You can restart your webserver and renew your certificate without having to kill your entire Python application
  2. You can benefit from software like Certbot being able to automatically configure nginx with an SSL certificate.

That said, it's usually possible to add some code that will make your Python application serve HTTPS traffic directly, but you will need to check the API documentation of wsgiref for that.

4 Likes

Adding to what @_az said:

  • I'm a fan of uWSGI+nginx for serving Python wsgi applications: Quickstart for Python/WSGI applications — uWSGI 2.0 documentation

  • Certbot does not support WSGI servers directly. You will have to do the following to obtain a LetsEncrypt certificate, and then install it into your Python application:

    • Run Certbot in standalone mode on port 80
    • Run Certbot in standalone mode on a higher port, and proxy traffic to /.well-known/acme-challenge/ on port 80 to the higher port
  • My personal preference is to run Python applications on uWSGI+nginx, terminate SSL on nginx, have nginx proxy the well-known traffic to a higher port so Certbot can obtain/renew certificates, and use Certbot hooks to issue a graceful restart to nginx. That results in zero downtime and one of the fastest and most memory-efficient Python deployments.

1 Like

For security reasons, Linux doesn't allow access to port 80, not even to answer HTTP requests. To work around it I had to use an iptables redirection rule to redirect the HTTP requests from port 80 to another port. How would it be to configure Certbot in this case?

1 Like

The --http-01-port=x flag will let Certbot listen for requests on a higher port, x. You still need to route port 80 traffic to x, as Let's Encrypt requires a request/response on port 80. If you can't do that, the DNS-01 challenge should be used.

2 Likes
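Putting the two answers together, here is an added example (not from this thread, Certbot or the wsgiref project) that serves a wsgiref application over HTTPS with the certificate Certbot obtains, and swaps the certificate in place after a renewal so the Python process never has to be killed. It assumes Certbot ran in standalone mode with --http-01-port behind the iptables redirect from port 80, that the files live under Certbot's default /etc/letsencrypt/live/webstrucs.com/ path, and that port 443 is redirected to 8443 the same way port 80 was.

```python
"""Serve a wsgiref app over HTTPS with a Let's Encrypt certificate (added example)."""
import os
import ssl
from wsgiref.simple_server import make_server

# Assumed paths: Certbot's default live directory for the domain in the question.
CERT = "/etc/letsencrypt/live/webstrucs.com/fullchain.pem"
KEY = "/etc/letsencrypt/live/webstrucs.com/privkey.pem"


def app(environ, start_response):
    """Minimal WSGI application standing in for the real one."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over https\n"]


def build_ssl_context(certfile, keyfile):
    """Server-side TLS context: TLS 1.2 or newer, full chain + private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def cert_changed(path, last_mtime):
    """Return (changed, mtime); a new mtime means Certbot renewed the file."""
    mtime = os.stat(path).st_mtime
    return mtime != last_mtime, mtime


def make_https_server(application, host, port, ctx):
    """Wrap the listening socket so every accepted connection is TLS."""
    httpd = make_server(host, port, application)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


if __name__ == "__main__":
    ctx = build_ssl_context(CERT, KEY)
    httpd = make_https_server(app, "0.0.0.0", 8443, ctx)  # 443 -> 8443 via iptables
    _, seen = cert_changed(CERT, None)
    while True:
        httpd.handle_request()  # one request at a time, as wsgiref does
        changed, seen = cert_changed(CERT, seen)
        if changed:
            # Reloading into the same context makes new connections use the
            # renewed certificate without restarting the process.
            ctx.load_cert_chain(CERT, KEY)
```

Reloading on the same SSLContext works because the listening socket keeps a reference to that context and builds each accepted connection from it.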
