under ubuntu 22.04.05 were using python3.10 with gunicorn and letsencrypt on ports between 15000 and 30000. this ist only for students.
using
/usr/bin/gunicorn3 --keyfile=privkey.pem --certfile=fullchain.pem --bind 0.0.0.0:15555 auth:app
the connection is secured (we've the group permission for privkey set to "r" and put the students in the group)
after an inplace upgrade to 24.04.2 (python 3.12 - same gunicorn version) the secure connection fails with SSL_ERROR_RX_RECORD_TOO_LONG
and i cannot find any hint whats wrong!
i started gunicorn in debug mode and the output shows no difference in 22.04 and 24.04.
in the debug file the keyfile and cerfile are mentioned so i guess they are read.
I'm not convinced this is a Let's Encrypt issue at all (the cert and key haven't changed), but most likely an implementation problem at Gunicorns side.
What's the exactcurl command and the exact gunicorn command at that point? With their exact outputs?
OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
Closing connection
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
thats all I got from curl (as i wrote under 22.04.5 i got an secure connection)
as i learned there seems no way to upgrade the gunicorn version on ubuntu to 23.0
Well, wrong version number is something different than "SSL_ERROR_RX_RECORD_TOO_LONG" I guess.
I just downgraded my Gunicorn 23.0.0 from the Gentoo repository to your 20.1.0 using pip and now I'm getting errors too..?
Looks like something is horribly broken in Gunicorn 20.1.0.. When I run a pip install --upgrade gunicorn from the venv, everything works again suddenly.
Sure it is, just run it in a Python virtual environment (venv). Not ideal (makes maintenance a little bit more difficult, as it's not handled by the Ubuntu packaging system), but lets you run the most recent version.
Also, these older versions of Gunicorn seem to be suffering from security flaws, which were fixed in more recent versions.. Do you have these things connected to the public internet?
A quick comments, in addition to the excellent ones above:
gunicorn, uwsgi, etc servers should always be installed via the virtualenv for your Python app. This isn't unique to ubuntu deployments, but for every linux distribution. The same holds true for every library in your application. The reason is due to a mix of being current, but also being able to use version pinning and keep your application fully independent of the server architecture.
Are you terminating SSL on gunicorn for a specific reason, or is this an artifact from some departmental allocation policy on this sever? Given the higher ports, I assume this traffic is proxied - but if not a standard practice is to have something that handles high concurrency (like nginx) be the "public" connection for the appserver, and it is often easier to terminate SSL on that while you're at it.
Well, I didn't really go into this, because I read "this ist only for students" and I assumed this was for some kind of IT course to learn stuff about this. Not really for production environments. But I could be wrong of course
I was split between thinking the setup is because of that, but also knowing how F'd-Up a lot of institutional computing systems are when it comes to provisioning server resources.
