Lets Encrypt With Django


#1

My domain is: www.shentaichiacademy.co.uk /

I ran this command: sudo certbot --apache

It produced this output:

My web server is (include version): Ubuntu 16.04

The operating system my web server runs on is (include version): Raspberry Pi

My hosting provider, if applicable, is: MySelf

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, Physical Access

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No Need

I have installed https://pypi.org/project/django-letsencrypt/ which allows me to enter the ACME challenge and response codes within my admin. The trouble is it doesn’t give me the codes to enter into the website before they are run as a challenge. As Django requires routing paths to be set up, it’s not as simple as placing a text file in the root of the domain directory. I need to be able to add them to admin.

Can you advise a three-fold way of doing this?

  1. I run a command to give me the codes to add to the site
  2. I go into my admin to add the codes
  3. I run a command that challenges my server for the codes

Regards, Stephen


#2

That’s two (almost) completely different domains.

Please give some details on those command lines.

Did you follow all the steps?
Include the letsencrypt in your project's urls.py, or where applicable (usually your root urls.py).
url(r'^\.well-known/', include('letsencrypt.urls'))

Show:
sudo certbot certificates


#3

I have two domains set up as vhosts.


#4

letsencrypt is set up correctly; there is an admin function to enter the codes, and they test when I navigate to the URL.


#5

It’s kind of odd that this tool wants you to add the challenges manually—that doesn’t match very well with our image of how certificate renewal should be automated.

Probably the best match in Certbot for what you asked for would be to run sudo certbot -a manual -i apache. In that case it will stop and tell you the codes in question and wait for you to press enter to continue before asking the certificate authority to test the challenges.

However, it would be great if the Django integration tool provided some kind of API or script that would make the changes rather than having you have to do this manually in a web interface. (That could be compatible with automated, unattended renewal using certbot renew, which the -a manual approach won’t work with.) If you did have such a script, it could be possible to make it work using Certbot’s --auth-hook (which basically is meant to be used with -a manual to perform the challenge setup via a script).

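A hook of the kind described in the reply above, as an added example (not code from the thread, from certbot, or from django-letsencrypt): certbot runs it with CERTBOT_TOKEN and CERTBOT_VALIDATION in the environment via its --manual-auth-hook and --manual-cleanup-hook options, and the script writes or deletes the matching row through Django's ORM, so the admin screen is never touched and `certbot renew` can stay unattended. The model name AcmeChallenge with fields challenge/response, the project path and the settings module are assumptions to check against your install; the shape check on the values (token.thumbprint) follows the ACME http-01 definition.

```python
#!/usr/bin/env python3
"""certbot manual auth/cleanup hook for django-letsencrypt.

Added example, not code from the thread or from django-letsencrypt.
Assumptions: django-letsencrypt provides letsencrypt.models.AcmeChallenge
with CharFields `challenge` and `response`; the project root and settings
module are PROJECT_DIR / SETTINGS below.

Usage (certbot runs the hook as root; the renewal config remembers the
hook options, so a later `certbot renew` reuses them without prompting):
  certbot certonly -a manual --preferred-challenges http \
      --manual-auth-hook /usr/local/sbin/le-django-hook.py \
      --manual-cleanup-hook "/usr/local/sbin/le-django-hook.py --cleanup" \
      -d www.shentaichiacademy.co.uk
"""
import os
import re
import sys

PROJECT_DIR = "/home/manager/Websites/shen"   # path used in the thread's vhost
SETTINGS = "shen.settings"                     # assumed settings module

# ACME (RFC 8555 §8.1/§8.3): the http-01 token is base64url with at least
# 128 bits of entropy (>= 22 chars), and the body served at
# /.well-known/acme-challenge/<token> is the key authorization
# "<token>.<thumbprint>", where thumbprint = base64url(SHA-256(account JWK)),
# i.e. exactly 43 unpadded characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")
THUMBPRINT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def challenge_from_env(env):
    """Return (token, key_authorization) from the variables certbot exports
    to a --manual-auth-hook, refusing anything that is not an http-01 pair."""
    token = env.get("CERTBOT_TOKEN", "")
    validation = env.get("CERTBOT_VALIDATION", "")
    if not TOKEN_RE.match(token):
        raise ValueError("CERTBOT_TOKEN missing or not base64url")
    prefix, dot, thumbprint = validation.partition(".")
    if dot != "." or prefix != token or not THUMBPRINT_RE.match(thumbprint):
        # A dns-01 value (bare hash) or a token mix-up lands here, so a wrong
        # invocation fails loudly instead of storing junk in the site.
        raise ValueError("CERTBOT_VALIDATION is not '<token>.<thumbprint>'")
    return token, validation


def store_challenge(token, key_authorization, remove=False):
    """Create/replace (or, for the cleanup hook, delete) the row that
    django-letsencrypt serves at /.well-known/acme-challenge/<token>."""
    sys.path.insert(0, PROJECT_DIR)
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", SETTINGS)
    import django  # imported lazily so the validation above needs no Django
    django.setup()
    from letsencrypt.models import AcmeChallenge  # assumed model and fields
    if remove:
        AcmeChallenge.objects.filter(challenge=token).delete()
    else:
        AcmeChallenge.objects.update_or_create(
            challenge=token, defaults={"response": key_authorization})


def main(argv, env):
    token, key_authorization = challenge_from_env(env)
    store_challenge(token, key_authorization, remove="--cleanup" in argv)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:], os.environ))
```

Two practical caveats: the hook runs as root, so with an SQLite database make sure root-created database or journal files do not end up unreadable by the www-data process that serves the site (run the hook as the application user, or use a database server); and `certonly` obtains the certificate without touching Apache, so the :443 vhost still has to point at the files under /etc/letsencrypt/live/, as the -le-ssl vhost in this thread does. Older certbot releases also required --manual-public-ip-logging-ok for an unattended manual run. The key authorization itself is public by design (the CA fetches it over plain HTTP); only the account key that produced it needs protecting.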

#6

Thank you schoen, sounds like you understand the problem. I did run the certbot and it did manage to register a certificate without me using this tool. Probably through apache.conf injection or something.

But I am still having trouble with certbot throwing errors: it tried to create a Daemon Group for SSL with the same name as the one for HTTP, which caused certbot to announce Apache errors and revert the setup. I managed to change the name on the SSL one by adding -ssl to the end of the name, and Apache ran without errors again. But I still don’t have SSL running, probably due to the revert. I did enable the SSL virtual host via bash but SSL is not working.

I wonder, now that I have corrected the error in the vhost SSL setting, whether I need to run certbot again somehow to turn on SSL etc.

I did put the URL routing in and I tested it with a fake request and response; it seemed to work okay, but as you say renewal would be manual this way. So I will remove it at some time.

A bit about my setup. I have a 1and1 domain name “www.shentaichiacademy.co.uk” with a CNAME set to “sbrown.tk”, my Raspberry Pi in house. The Raspberry Pi has two vhosts, one of which is “www.shentaichiacademy.co.uk”. I use FreeDNS for my IP-to-domain resolution, with a crontab that updates FreeDNS, and as you see I have a free domain with .tk.

I cleaned everything up and re-ran it…

root@web-server:/etc/apache2# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: shentaichiacademy.co.uk
2: www.shentaichiacademy.co.uk
3: archery-for.me.uk
4: www.archery-for.me.uk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.shentaichiacademy.co.uk
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/shentaichiacademy.co.uk.conf:
Name duplicates previous WSGI daemon definition.

Rolling back to previous server configuration…
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/shentaichiacademy.co.uk.conf:
Name duplicates previous WSGI daemon definition.

IMPORTANT NOTES:

  • We were unable to install your certificate, however, we
    successfully restored your server to its prior configuration.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.shentaichiacademy.co.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.shentaichiacademy.co.uk/privkey.pem
    Your cert will expire on 2018-08-25. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

root@web-server:/etc/apache2# ls
apache2.conf envvars mods-enabled sites-enabled
conf-available magic ports.conf x
conf-enabled mods-available sites-available
root@web-server:/etc/apache2# cd sites-enabled/
root@web-server:/etc/apache2/sites-enabled# ls
000-default.conf archery-for.me.uk.conf shentaichiacademy.co.uk.conf
root@web-server:/etc/apache2/sites-enabled# cd ..
root@web-server:/etc/apache2# cd sites-available/
root@web-server:/etc/apache2/sites-available# ls
000-default.conf archery-for.me.uk.conf shentaichiacademy.co.uk.conf
root@web-server:/etc/apache2/sites-available#

Yet when I run service apache2 restart [NO Errors]

So my vhost starts

1:<VirtualHost *:80>
2: # The ServerName directive sets the request scheme, hostname and port t$
3: # the server uses to identify itself. This is used when creating
4: # redirection URLs. In the context of virtual hosts, the ServerName
5: # specifies what hostname must appear in the request’s Host: header to
6: # match this virtual host. For the default virtual host (this file) this
7: # value is not decisive as it is used as a last resort host regardless.
8: # However, you must set it for any further virtual host explicitly.
9:
10: ServerAdmin sdbrown67@googlemail.com
11: ServerName shentaichiacademy.co.uk
12: ServerAlias www.shentaichiacademy.co.uk
13:
14: ServerAdmin webmaster@localhost
15: DocumentRoot /home/manager/Websites/shen
16: WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
17: WSGIDaemonProcess shentaichiacademy.co.uk python-path=/home/manager/Web$
18: WSGIProcessGroup shentaichiacademy.co.uk

So somehow I need to change shentaichiacademy.co.uk in lines 17 and 18 to shentaichiacademy.co.uk-ssl to get it to work, as they need to be unique, but certbot reverts everything back.

Any help appreciated.

#7

Because everything was rolled back:

If everything is in the default location, try to locate the conflicting entry with:
grep -Ri WSGIDaemonProcess /etc/apache2


#8

Those are seen as separate vhosts.
And yet you have this in one vhost file:

So there must be at least one other file with at least one of those names in it.


#9

Okay, there are only 3 conf files in sites-enabled; these are as follows. Yes, there is a www.shentaichiacademy.co.uk alias; is this the problem? Should I scrap it and make the ServerName the www domain name etc.?

000-default.conf

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

archery-for.me.uk.conf

<VirtualHost *:80>
ServerAdmin sdbrown67@googlemail.com
ServerName archery-for.me.uk
ServerAlias www.archery-for.me.uk

DocumentRoot /home/manager/Websites/archery
WSGIScriptAlias / /home/manager/Websites/archery/archery/wsgi.py
WSGIDaemonProcess archery-for.me.uk python-path=/home/manager/Websites/archery
WSGIProcessGroup archery-for.me.uk

Alias /media/ /home/manager/Websites/archery/media/
Alias /static/ /home/manager/Websites/archery/static/

<Directory /home/manager/Websites/archery/media>
	Require all granted
</Directory>

<Directory /home/manager/Websites/archery/static>
	Require all granted
</Directory>

<Directory /home/manager/Websites/archery>
	<Files wsgi.py>
		Require all granted
	</Files>
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

shentaichiacademy.co.uk.conf

<VirtualHost *:80>
ServerAdmin sdbrown67@googlemail.com
ServerName shentaichiacademy.co.uk
ServerAlias www.shentaichiacademy.co.uk

DocumentRoot /home/manager/Websites/shen
WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
WSGIDaemonProcess shentaichiacademy.co.uk python-path=/home/manager/Websites/shen
WSGIProcessGroup shentaichiacademy.co.uk

Alias /media/ /home/manager/Websites/shen/media/
Alias /static/ /home/manager/Websites/shen/static/

<Directory /home/manager/Websites/shen/media>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen/static>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen>
	<Files wsgi.py>
		Require all granted
	</Files>
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Tried removing the alias and using www. with the domain name…

manager@web-server:/etc/apache2/sites-enabled$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: www.shentaichiacademy.co.uk
2: www.archery-for.me.uk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.shentaichiacademy.co.uk.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/shentaichiacademy.co.ukssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/shentaichiemy.co.uk-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/shentaichiacademy.co.u-ssl.conf
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/shentaichiaca.co.uk.conf:
Name duplicates previous WSGI daemon definition.

Rolling back to previous server configuration…
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/shentaichiaca.co.uk.conf:
Name duplicates previous WSGI daemon definition.

IMPORTANT NOTES:

  • We were unable to install your certificate, however, we
    successfully restored your server to its prior configuration.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.shentaichiacademy.co.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.shentaichiacademy.co.uk/privkey.pem
    Your cert will expire on 2018-08-25. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

Same Error?


#10

There’s an open bug regarding this:

I’m not sure what the best workaround is. Perhaps putting the WSGI settings in a different file, if possible, or using “certbot certonly --apache” and configuring Apache manually.


#11

More specifically, you need to move WSGIDaemonProcess (and other process-related directives like WSGIProcessGroup, if they exist) outside the VirtualHost, and leave only WSGIScriptAlias and other path-related directives inside the VirtualHost.

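What the split described in the reply above looks like for the vhosts in this thread, as an added example (not configuration from the thread, from certbot or from the mod_wsgi documentation): the daemon process is declared once at server scope in a file under conf-available/, and both the port-80 vhost and the -le-ssl vhost only point at it with WSGIProcessGroup, so the copy of the vhost that certbot writes no longer redefines the name and configtest passes. Paths, names and log directives are the ones posted in the thread; the file name shen-wsgi.conf is an assumption.

```apache
# --- /etc/apache2/conf-available/shen-wsgi.conf  (enable: sudo a2enconf shen-wsgi) ---
# Server-scope daemon definition: declared exactly once, so a duplicated vhost
# cannot redefine it. A server-scope group is visible to every VirtualHost,
# whereas one defined inside a vhost can only be used from that vhost.
# It runs as the unprivileged Apache user; keep it that way.
WSGIDaemonProcess shentaichiacademy.co.uk python-path=/home/manager/Websites/shen

# --- /etc/apache2/sites-available/shentaichiacademy.co.uk.conf ---
<VirtualHost *:80>
    ServerAdmin sdbrown67@googlemail.com
    ServerName shentaichiacademy.co.uk
    ServerAlias www.shentaichiacademy.co.uk
    DocumentRoot /home/manager/Websites/shen

    # Only path-related directives stay inside the vhost; the daemon group is
    # referenced by name here, never defined.
    WSGIProcessGroup shentaichiacademy.co.uk
    WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
    Alias /media/ /home/manager/Websites/shen/media/
    Alias /static/ /home/manager/Websites/shen/static/

    <Directory /home/manager/Websites/shen/media>
        Require all granted
    </Directory>
    <Directory /home/manager/Websites/shen/static>
        Require all granted
    </Directory>
    <Directory /home/manager/Websites/shen>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# --- /etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf ---
# The shape certbot --apache produces from the vhost above: the same body plus
# the SSL lines. With WSGIDaemonProcess out of the vhost, the repeated
# WSGIProcessGroup is legal and no -ssl renaming is needed.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin sdbrown67@googlemail.com
    ServerName shentaichiacademy.co.uk
    ServerAlias www.shentaichiacademy.co.uk
    DocumentRoot /home/manager/Websites/shen

    WSGIProcessGroup shentaichiacademy.co.uk
    WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
    Alias /media/ /home/manager/Websites/shen/media/
    Alias /static/ /home/manager/Websites/shen/static/

    <Directory /home/manager/Websites/shen/media>
        Require all granted
    </Directory>
    <Directory /home/manager/Websites/shen/static>
        Require all granted
    </Directory>
    <Directory /home/manager/Websites/shen>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/www.shentaichiacademy.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.shentaichiacademy.co.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```

Before re-running certbot, confirm that no vhost defines a daemon any more (`grep -R WSGIDaemonProcess /etc/apache2/sites-enabled/` should print nothing) and that `sudo apache2ctl configtest` passes; the archery-for.me.uk vhost needs the same treatment with its own daemon name. One caveat grounded in the certbot output earlier in this thread: the certificate there was issued for www.shentaichiacademy.co.uk only, so if the :443 vhost also answers for the bare name, visitors to https://shentaichiacademy.co.uk get a certificate-name mismatch until the certificate is reissued with both names (`-d shentaichiacademy.co.uk -d www.shentaichiacademy.co.uk`).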

#12

So the safest way is to comment out these lines for Daemon before running certbot and then put them back in making sure they don’t conflict by putting -ssl on the end for the ssl daemons?


#13

I tried commenting it out, running certbot and then uncommenting and changing the daemon so that they don’t clash.

certbot ran successfully.
server restarted ok.

https://www.shentaichiacademy.co.uk
No go, damn!

The file that it created, with the modified WSGIDaemonProcess and WSGIProcessGroup that I re-enabled with a different name:

<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

ServerAdmin sdbrown67@googlemail.com
ServerName www.shentaichiacademy.co.uk
#ServerAlias www.shentaichiacademy.co.uk

DocumentRoot /home/manager/Websites/shen

WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
WSGIDaemonProcess shentaichiacademy.co.uk-le-ssl python-path=/home/manager/Websites/shen
WSGIProcessGroup shentaichiacademy.co.uk-le-ssl

Alias /media/ /home/manager/Websites/shen/media/
Alias /static/ /home/manager/Websites/shen/static/

<Directory /home/manager/Websites/shen/media>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen/static>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen>
	<Files wsgi.py>
		Require all granted
	</Files>
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/www.shentaichiacademy.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.shentaichiacademy.co.uk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

#14

Does this mean I’m getting close?

Can’t connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.


#15

That comment really doesn’t change anything; as the name is just repeated there.

Please show:
grep -Eri 'servername|serveralias|virtualhost' /etc/apache2


#16

ServerName was originally shentaichiacademy.co.uk
I commented out the Alias and added the www to the Server name.

manager@web-server:/etc/apache2/sites-enabled$ grep -Eri 'servername|serveralias|virtualhost' /etc/apache2
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status
/etc/apache2/ports.conf:# have to change the VirtualHost statement in
/etc/apache2/apache2.conf:# If you do not specify an ErrorLog directive within a
/etc/apache2/apache2.conf:# logged here. If you do define an error logfile for a
/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf: ServerName www.shentaichiacademy.co.uk
/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf:
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf:<VirtualHost *:80>
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf: # The ServerNam directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf: ServerName www.shentaichiacademy.co.uk
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf: #ServerAlias www.shentaichiacademy.co.uk
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf:
/etc/apache2/sites-available/archery-for.me.uk.conf:<VirtualHost *:80>
/etc/apache2/sites-available/archery-for.me.uk.conf: ServerName www.archery-for.me.uk
/etc/apache2/sites-available/archery-for.me.uk.conf: #ServerAlias www.archery-for.me.uk
/etc/apache2/sites-available/archery-for.me.uk.conf:
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf: #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf:
/etc/apache2/conf-available/localized-error-pages.conf:# even on a per-VirtualHost basis. If you include the Alias in the global server
/etc/apache2/conf-available/other-vhosts-access-log.conf:# Define an access log for VirtualHosts that don’t define their own logfile


#17

OK, let’s see these two files:
/etc/apache2/sites-available/shentaichiacademy.co.uk.conf
/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf


#18

/etc/apache2/sites-available/shentaichiacademy.co.uk.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

ServerAdmin sdbrown67@googlemail.com
ServerName www.shentaichiacademy.co.uk
#ServerAlias www.shentaichiacademy.co.uk

DocumentRoot /home/manager/Websites/shen

WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
WSGIDaemonProcess shentaichiacademy.co.uk python-path=/home/manager/Websites/shen
WSGIProcessGroup shentaichiacademy.co.uk

Alias /media/ /home/manager/Websites/shen/media/
Alias /static/ /home/manager/Websites/shen/static/

<Directory /home/manager/Websites/shen/media>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen/static>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen>
	<Files wsgi.py>
		Require all granted
	</Files>
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

/etc/apache2/sites-available/shentaichiacademy.co.uk-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

ServerAdmin sdbrown67@googlemail.com
ServerName www.shentaichiacademy.co.uk

DocumentRoot /home/manager/Websites/shen

WSGIScriptAlias / /home/manager/Websites/shen/shen/wsgi.py
WSGIDaemonProcess shentaichiacademy.co.uk-ssl python-path=/home/manager/Websites/shen
WSGIProcessGroup shentaichiacademy.co.uk-ssl

Alias /media/ /home/manager/Websites/shen/media/
Alias /static/ /home/manager/Websites/shen/static/

<Directory /home/manager/Websites/shen/media>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen/static>
	Require all granted
</Directory>

<Directory /home/manager/Websites/shen>
	<Files wsgi.py>
		Require all granted
	</Files>
</Directory>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
    
    SSLCertificateFile /etc/letsencrypt/live/www.shentaichiacademy.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.shentaichiacademy.co.uk/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

#19

They both only have one name.
You could add to both:
ServerAlias shentaichiacademy.co.uk

And they both contain:

Not 100% certain, but I’m thinking if you # them out of the port 80 vhost and restart the web service, all works (better).
Then you can just redirect http to https and handle your site entirely from there.


#20

I put the ServerAliases back in without www
And disabled the…

WSGIScriptAlias
WSGIDaemonProcess
WSGIProcessGroup

in port 80 vhost

restarted the server…

And neither http or https worked.

:frowning: