Problems with SSL


Licht Artig

Jul 28, 2020, 5:43:20 PM
to modwsgi
Hi,

I'm currently trying to configure mod_wsgi-express to run a website I'm developing in HTTP and HTTPS. After struggling for some time, I noticed that the problem also occurs for the demo-page that comes with the tool.
So let me describe the error in more detail with this minimal-example.

If I run the command

    mod_wsgi-express start-server

I can access the demo page (the one with the "malt whiskey") without problems, but things go wrong when I add HTTPS.

So I'm starting the server with

    mod_wsgi-express --https-port 8443 --ssl-certificate-file=/home/pi/keys/server.crt --ssl-certificate-key-file=/home/pi/keys/server.key --server-name localhost

and no errors come up initially.

But if I try to access the site either at its unencrypted location at http://localhost:8000/ or the encrypted site at https://localhost:8443/, I get the following error:

    403 Forbidden - You don't have permission to access this resource.

Additionally I printed out the error-log and found the following error

    AH01630: client denied by server configuration: /tmp/mod_wsgi-localhost:8000:1000/htdocs/

I am guessing there is probably a very simple fix for this, but I can't get my head around it. So any help is greatly appreciated! Thanks in advance!

PS: I tried this both on my Ubuntu computer as well as my RaspberryPi. The error is the same.

Graham Dumpleton

Jul 28, 2020, 5:47:26 PM
to mod...@googlegroups.com
If you are using a certificate, the --server-name should be the name of the host the certificate is for. A secure site and certificate shouldn't be set up for localhost.

If for some reason you do need to be able to access a secure site via localhost, even though that would then mean the certificate wouldn't be trusted, try adding the option '--allow-localhost'.

The help string for the option is:

Flag indicating whether access via localhost should still be allowed when a server name has been specified and a name based virtual host has been configured.

Graham


Licht Artig

Jul 28, 2020, 5:54:40 PM
to mod...@googlegroups.com
Hi Graham,

thanks for your quick reply! Right now I'm simply trying out things, so the certificate is not trusted anyways. I tried adding your option '--allow-localhost', but the error persists. So no matter if I connect to HTTP on port 8000 or HTTPS on port 8443, I get the same error 403.

Do you have any idea what I'm doing wrong?

Best

Graham Dumpleton

Jul 28, 2020, 6:00:15 PM
to mod...@googlegroups.com
Just don't set 'localhost' as argument to '--server-name'. Try using:

    --server-name 127.0.0.1.nip.io --allow-localhost

Try accessing it with both http://127.0.0.1.nip.io and http://localhost.

Using 'localhost' is going to cause issues with Apache because it usually doesn't allow/honour use of 'localhost' as ServerName in a VirtualHost.

If you don't know what nip.io is, go to:


to find out.

Graham
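
A pre-flight check for the advice above that --server-name should be the name the certificate is for, as an added example that is not part of the thread: it creates a self-signed development certificate for a given name and refuses to start mod_wsgi-express when the certificate does not cover that name. The function names and key directory are assumptions; the mod_wsgi-express options are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Paths and function names are constructed.

# make_dev_cert DIR NAME: write a self-signed DIR/server.crt and DIR/server.key
# whose CN and subjectAltName are NAME (needs OpenSSL 1.1.1+ for -addext).
make_dev_cert() {
    dir=$1; name=$2
    mkdir -p "$dir" || return 1
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# cert_covers_name CRT NAME: succeed only if the certificate is valid for NAME.
# openssl prints "does match" or "does NOT match" for -checkhost.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# start_https DIR NAME: refuse to start when --server-name and the certificate
# disagree; otherwise launch with the options used in the thread.
start_https() {
    dir=$1; name=$2
    if ! cert_covers_name "$dir/server.crt" "$name"; then
        echo "certificate in $dir does not cover $name" >&2
        return 1
    fi
    mod_wsgi-express start-server --https-port 8443 \
        --server-name "$name" --allow-localhost \
        --ssl-certificate-file="$dir/server.crt" \
        --ssl-certificate-key-file="$dir/server.key"
}

# Usage (constructed paths):
#   make_dev_cert "$HOME/keys" 127.0.0.1.nip.io
#   start_https   "$HOME/keys" 127.0.0.1.nip.io
```
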

Licht Artig

Jul 28, 2020, 6:09:44 PM
to modwsgi
Okay, that did the trick. Thanks so much for walking me through this; I realize this has been a basic question.

Also many thanks for putting together mod_wsgi!




Graham Dumpleton

Jul 28, 2020, 6:11:50 PM
to mod...@googlegroups.com
It isn't a basic question. It is an obscure corner case about how Apache works that pretty well no one would realise. It has only come up a few times before.
