Let's Encrypt installation fails with WSGI on Ubuntu 14 LTS

[Moreplavec]

I'm trying to install SSL certificate with Let's encrypt on my VPS running Apache + WSGI.

I'm following guide: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

It works fine for all PHP sites, but i get an error when trying to install SSL for Django app. I think the problem is, that SSL cert conf is made as duplicate or currect conf file, so apache configtest fails and whole instalation is reverted:

command: certbot-auto --apache -d django.my-domain.cz

Created an SSL vhost at /etc/apache2/sites-available/my-domain.cz_crm-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/my-domain.cz_crm-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/my-domain.cz_crm-le-ssl.conf
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 26 of /etc/apache2/sites-enabled/my-domain.cz_crm.conf:
Name duplicates previous WSGI daemon definition.

Rolling back to previous server configuration...
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 26 of /etc/apache2/sites-enabled/my-domain.cz_crm.conf:
Name duplicates previous WSGI daemon definition.

Lines about WSGI config looks like:

WSGIDaemonProcess vkcrm python-path=/var/www/virtual/django/vkcrm:/var/www/virtual/django/lib/python3.4/site-packages
WSGIProcessGroup vkcrm
WSGIScriptAlias / /var/www/virtual/django/vkcrm/vkcrm/wsgi.py

Does anybody know how to fix installation process or my config about WSGI daemon? Thanks!

[Melvyn Sopacua]

On Friday 24 March 2017 15:22:40 Moreplavec wrote:

> I'm trying to install SSL certificate with Let's encrypt on my VPS

> running Apache + WSGI.

>

> I'm following guide:

> https://www.digitalocean.com/community/tutorials/how-to-secure-apache

> -with-let-s-encrypt-on-ubuntu-14-04

>

> It works fine for all PHP sites, but i get an error when trying to

> install SSL for Django app. I think the problem is, that SSL cert

> conf is made as duplicate or currect conf file

 

Yes, it is. So from the mod_wsgi docs, or mod_wsgi list, you should inquire how to "use a previously defined WSGIDaemonProcess in a virtual host". Then keep the definition out of the the vhost file and have it included somewhere sooner.

 

(Or use a different letsencrypt client that doesn't fiddle with webserver configs, and reference files using a good naming convention).

--

Melvyn Sopacua

[Michal Petrucha]

On Fri, Mar 24, 2017 at 03:22:40PM -0700, Moreplavec wrote:
> I'm trying to install SSL certificate with Let's encrypt on my VPS running
> Apache + WSGI.
>
> I'm following guide:
> https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
>
> It works fine for all PHP sites, but i get an error when trying to install
> SSL for Django app. I think the problem is, that SSL cert conf is made as
> duplicate or currect conf file, so apache configtest fails and whole
> instalation is reverted:
>

> command: *certbot-auto --apache -d django.my-domain.cz*

Personally I'd recommend that you move away from the automagic
features of certbot that mess around with your config files, and just
configure your webserver manually to serve ACME challenges, and
otherwise fall back to whatever it is supposed to do (like proxy to
your application server), and use certbot in its webroot mode which
just puts the correct file in a location of your choice without any
config changes of anything.

With nginx, the correct arcane incantation would be to use something
like

root /var/www/acme;
try_files $uri @wsgi_upstream;

I'm pretty sure you can create an equivalent configuration with apache
somehow, maybe using mod_rewrite or something.

The advantage of using a static configuration like this, rather than
letting certbot change the httpd config on each run, is that there are
fewer moving parts, there's no risk that the config automagic won't
work with the config directives used in your particular config,
there's no need to reload the webserver on each run, and in general, I
personally distrust any magic that messes with my configuration.

Good luck,

Michal

[Andreas Schosser]

Hi Moreplavec

> AH00526: Syntax error on line 26 of /etc/apache2/sites-enabled/my-domain.
> cz_crm.conf:
> Name duplicates previous WSGI daemon definition.

I had a similar issue on one of our servers. Since we enforce https I
just commented out the following directives in the original conf and
enabled them afterwards in the le-ssl.conf:

WSGIScriptAlias
WSGIDaemonProcess
WSGIProcessGroup

Hope this helps,
Andreas

--
Kurs 10 IT-Consulting www.kurs-10.de
Andreas Schosser a...@kurs-10.de

Baldestraße. 14 Telefon +49 89 41615842-0
80469 München Telefax +49 89 41615842-3

0x6EDECCF1 - 2AA0 939B 5585 819B FCE8 E43B 0B8E 0DF2 6EDE CCF1