Nginx
FRANZEE, 2018-03-28 12:18:31

How to connect HTTPS to NGINX + Gunicorn + Flask?

There is a VPS with several Flask sites on it; the nginx config:

server {
    listen 80;
    server_name sitename.ru www.sitename.ru;
    location /.well-known {
        root /home/username/sites/sitename.ru/flask_app/templates;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/username/sites/sitename.ru/flask_app/sitename.sock;
    }
}


I followed this tutorial: https://www.digitalocean.com/community/tutorials/h...

Now I have no idea how to enable HTTPS using certbot https://certbot.eff.org/ ???
I tried a bunch of tutorials, but apparently I'm just too clumsy (((.

Added to Flask:

from flask import render_template

# wildcard route for ssl verification
@app.route('/', defaults={'path': ''})
@app.route('/.well-known/<path:path>')
def ssl_cert(path):
    # serves templates/.well-known/<path> through the Jinja template loader
    return render_template('.well-known/' + path)


I created a test page in this directory; 127.0.0.1:5000/.well-known/test.html works.

Take this tutorial, for example: https://habrahabr.ru/post/318952/
I have a problem obtaining certificates after the command
certbot certonly --dry-run -d example.com -d www.example.com

sudo certbot certonly --dry-run -d sitename.ru -d www.sitename.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sitename.ru
http-01 challenge for www.sitename.ru
Input the webroot for sitename.ru: (Enter 'c' to cancel): /home/username/sites/sitename.ru/flask_app/templates/.well-known

Select the webroot for www.sitename.ru:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /home/username/sites/sitename.ru/flask_app/templates/.well-known
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.sitename.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sitename.ru/.well-known/acme-challenge/2E4cltwPGNZR-Z5lJZfYES5q0fQPCyg6mbtaJNccp-A: "\ufeff<!DOCTYPE html>
<meta charset="utf-8">
<html lang="ru">
<head>
    <title>\u041e\u0410\u041e \xab\u0411\u0430\u0437\u043e\u0432\u044b\u0435 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0438\xbb ", sitename.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sitename.ru/.well-known/acme-challenge/ipbROalh3pstmv_4wA0EzgO0nu8zAk3Hf06k0Wu8bYc: "\ufeff<!DOCTYPE html>
<meta charset="utf-8">
<html lang="ru">
<head>
    <title>\u041e\u0410\u041e \xab\u0411\u0430\u0437\u043e\u0432\u044b\u0435 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0438\xbb "

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.sitename.ru
   Type:   unauthorized
   Detail: Invalid response from
   http://www.sitename.ru/.well-known/acme-challenge/2E4cltwPGNZR-Z5lJZfYES5q0fQPCyg6mbtaJNccp-A:
   "<!DOCTYPE html>
   <meta charset="utf-8">
   <html lang="ru">
   <head>
       <title>Welcome to site "

   Domain: sitename.ru
   Type:   unauthorized
   Detail: Invalid response from
   http://sitename.ru/.well-known/acme-challenge/ipbROalh3pstmv_4wA0EzgO0nu8zAk3Hf06k0Wu8bYc:
   "<!DOCTYPE html>
   <meta charset="utf-8">
   <html lang="ru">
   <head>
       <title>Welcome to site "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


letsencrypt.log
https://pastebin.com/bJmcz4X7

Please give me a hint.

1 answer(s)
Maksimkk, 2018-06-21

Everything is done using nginx.

server {
        listen 443 ssl http2;
        keepalive_timeout   70;
        server_name ...;
        ssl_certificate     /etc/letsencrypt/live/.../fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhpdo.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header Access-Control-Allow-Origin *;

        location / {
                uwsgi_pass      unix:///run/uwsgi/app/path/socket;
                include         uwsgi_params;
                uwsgi_read_timeout 600;
        }

        location /static/ {
                alias /var/web/static/;
                expires 30h; # cache in the browser for 30 hours
        }
        location /.well-known/ {
                alias /tmp/.well-known/;
                expires 0;
        }

        access_log      /var/log/nginx/name.access.log;
        error_log       /var/log/nginx/name.error.log;
}

Next, in certbot we specify
This method does not affect the server itself in any way when renewing the certificate.
There is an official configuration manual that generates its own config for nginx. https://certbot.eff.org
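Both configs in this thread hinge on the same point: the token file that certbot's webroot authenticator writes must be the file nginx resolves for the challenge URL, and nginx resolves `root` and `alias` differently. The following example is added here and is not code from either post; it models that mapping so a webroot/location pairing can be checked before certbot runs. The directory paths are the ones quoted in the thread, and the token is a constructed placeholder.

```python
import posixpath

# The URI prefix under which ACME http-01 tokens are requested.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def nginx_served_path(location, directive, directive_path, request_uri):
    """Return the filesystem path nginx maps a request to inside a prefix location.

    nginx semantics: 'root' appends the whole URI to the directory, while
    'alias' replaces the matched location prefix with the directory.
    """
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri!r} is not matched by location {location!r}")
    if directive == "root":
        return posixpath.normpath(directive_path + request_uri)
    if directive == "alias":
        return posixpath.normpath(directive_path + request_uri[len(location):])
    raise ValueError(f"unsupported directive {directive!r}")


def certbot_written_path(webroot, token):
    """Where certbot (webroot authenticator) places the http-01 token file."""
    return posixpath.normpath(
        posixpath.join(webroot, ".well-known", "acme-challenge", token))


def webroot_matches(location, directive, directive_path, webroot, token="TOKEN"):
    """True when the file certbot writes is exactly the file nginx will serve."""
    served = nginx_served_path(location, directive, directive_path,
                               CHALLENGE_PREFIX + token)
    return served == certbot_written_path(webroot, token)


if __name__ == "__main__":
    templates = "/home/username/sites/sitename.ru/flask_app/templates"
    # The question: location /.well-known { root <templates>; } paired with the
    # webroot <templates>/.well-known gives a doubled .well-known on disk.
    print(webroot_matches("/.well-known", "root", templates, templates + "/.well-known"))
    # With 'root', the webroot handed to certbot must be the root directory itself.
    print(webroot_matches("/.well-known", "root", templates, templates))
    # The answer: location /.well-known/ { alias /tmp/.well-known/; } pairs with webroot /tmp.
    print(webroot_matches("/.well-known/", "alias", "/tmp/.well-known/", "/tmp"))
```

Run it after editing the nginx config and before certbot: a False on the first line of output is exactly the mismatch that makes nginx look for the token in a different directory than the one certbot wrote to.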
