Unable to run Django application on modwsgi apache server using https and ssl configuration

43 views
Skip to first unread message

Shetu

unread,
Nov 19, 2021, 1:38:17 AM11/19/21
to modwsgi
Hi Graham,

I am using modwsgi express to run my Django application on mod_wsgi Apache server. I am not able to start my server on https port although it works on http port.

This is the command I used to start the server(mentioned only https and ssl parameters)

./manage.py runmodwsgi --https-only --https-port 8443
--ssl-certificate-key-file /apps/django_app/keystore/server_name.keystore
--ssl-certificate-file /apps/django_app/keystore/server_name.crt

Please let me know where I may be going wrong.

Regards,
Shetu


Graham Dumpleton

unread,
Nov 19, 2021, 1:40:21 AM11/19/21
to mod...@googlegroups.com
What are the error messages you are getting and where?

Also be aware you must supply the --server-name option with the hostname of the site which matches what you set in the certificate.

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/e7ccbe41-a58f-44db-852a-fd1e618a99bfn%40googlegroups.com.

Shetu

unread,
Nov 19, 2021, 2:05:13 AM11/19/21
to modwsgi
Getting these errors :-
  [Fri Nov 19 06:57:36 2021] [ip AH02203: Init: Private key not found
[Fri Nov 19 06:57:36 2021] [ip SSL Library Error: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Fri Nov 19 06:57:36.717374 2021] [ssl:emerg] [pid 12557:tid 139779757414208] AH02312: Fatal error initialising mod_ssl, exiting.
 

I have also added the server name in the command

Graham Dumpleton

unread,
Nov 19, 2021, 2:08:14 AM11/19/21
to mod...@googlegroups.com
Are you sure you are using the correct file for the private key? I have never seen a convention of the private key file having a '.keystore' extension. Would usually be a .pem file extension.

Graham

Shetu

unread,
Nov 19, 2021, 2:16:42 AM11/19/21
to modwsgi
I have the following set of keys and certificates which I got from the certificate authority:-

host_name.csr
server_name.crt
Intermediate-CA.pem
ROOT-CA.pem
host_name.keystore.original
host_name.keystore

I have set the key file as the .pem file but still getting this error:-

[Fri Nov 19 07:10:33 2021] [ip AH02203: Init: Private key not found
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Fri Nov 19 07:10:33.592064 2021] [ssl:emerg] [pid 18369:tid 140598354167616] AH02312: Fatal error initialising mod_ssl, exiting.



Graham Dumpleton

unread,
Nov 19, 2021, 2:29:09 AM11/19/21
to mod...@googlegroups.com
It is not uncommon to have files in a different format to what is required and you need to convert and even possibly extract out just the private key from a file which contains multiple things. You are going to need to look at docs for your certificate authority to understand what is the private key or how to extract/convert it to what Apache wants from what you have been given.

You want the file necessary for SSLCertificateKeyFile directive in Apache.


Graham

Shetu

unread,
Nov 22, 2021, 12:34:49 AM11/22/21
to modwsgi
Hi Graham,

I extracted the private key into .key file. The application is running on www.server_name.com:8443. I added --host parameter also to the mod_wsgi startup command to see whether it runs or not on https port if I use ip address of the server instead of server_name in the url but it does not work. I am getting this warning in the logs:-

[Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for 0.0.0.0:8443 does NOT include an ID which matches the server name
[Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Nov 22 05:16:19 2021] [ip AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for 0.0.0.0:8443 does NOT include an ID which matches the server name
[Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Nov 22 05:16:19 2021] [ip AH00489: Apache/2.4.46 (Unix) mod_wsgi/4.7.1 Python/3.6 OpenSSL/1.0.2k-fips configured -- resuming normal operations

Here is the mod_wsgi startup command:-

/manage.py runmodwsgi --https-only --https-port 8443 --host 0.0.0.0 --server-name my_server_name.com --ssl-certificate-key-file /apps/django_app/keystore/host_name.key --ssl-certificate-file /apps/django_app/keystore/server_name.crt

Will this configuration work if I assign a DNS to this host or do I need to add some more configuration here since it does not work with ip address? Also if I remove --server-name from the command and just keep --host, it does not work.

Regards,
Shetu


Graham Dumpleton

unread,
Nov 22, 2021, 12:43:21 AM11/22/21
to mod...@googlegroups.com
And what happens if you use:

/manage.py runmodwsgi --https-only --https-port 8443 --server-name my_server_name.com --ssl-certificate-key-file /apps/django_app/keystore/host_name.key --ssl-certificate-file /apps/django_app/keystore/server_name.crt

The --host argument shouldn't be necessary as it would listen on all host interfaces anyway.

If you still get warning:

> RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which matches the server name

it would suggest the certificate you were given is not for the host "my_server_name.com" that you are giving as argument to --server-name.

Shetu

unread,
Nov 22, 2021, 1:24:03 AM11/22/21
to modwsgi
If I remove host parameter, the application still runs on www.server_name.com:8443 and I still get the warning:-
--> RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which matches the server name

Shetu

unread,
Nov 22, 2021, 1:27:23 AM11/22/21
to modwsgi
Is there a parameter in mod_wsgi coomand using which I can redirect a http connection to a https one because --https-only command doesn't do so?

Graham Dumpleton

unread,
Nov 22, 2021, 1:27:35 AM11/22/21
to mod...@googlegroups.com
Verify what hostname is set in the certificate.


Probably the "Subject Alternative Name" setting, but then I am not an expert on how these things are supposed to look, so that is a guess.

Shetu

unread,
Nov 22, 2021, 1:48:21 AM11/22/21
to modwsgi
I verified the server name in the certificate and it is correct

Graham Dumpleton

unread,
Nov 22, 2021, 2:23:12 AM11/22/21
to mod...@googlegroups.com
Another way to verify is shown in:


    openssl x509 -in server.crt -noout -subject

Does that also confirm the expected value?

Also, what happens if you use standard https port of 443 rather than 8443?

Also do a Google search for other ideas, by searching for:

    AH01909 RSA certificate configured for does NOT include an ID which matches the server name

Finally, what happens if you actually try and access the web site? I don't recollect you saying even what happens if you do.

Graham

Graham Dumpleton

unread,
Nov 22, 2021, 2:26:50 AM11/22/21
to mod...@googlegroups.com
Since you were given a CA file, you might even need to use that as well using the --ssl-ca-certificate-file option at same time as other options. If the CA issuer wasn't a public authority that could be required.

This is for self signed and thus where need the CA, but example in:

Shetu

unread,
Nov 22, 2021, 6:05:33 AM11/22/21
to modwsgi
I verified the server name with the following command:- openssl x509 -in server.crt -noout -subject
and it was correct. If I try to use 443 instead of 8443, the server doesn't start and I get this error:-Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:443 
although no other application runs on port 443. And even if I try to use --ssl-ca-certificate-file parameter, it does not change anything and the certificate is not self signed. I still get this AH01909 RSA certificate configured for does NOT include an ID which matches the server name

As said before, the website is running on https port 8443 with url as server name.
Reply all
Reply to author
Forward
0 new messages