Is there a parameter in mod_wsgi command using which I can redirect a http connection to a https one because --https-only command doesn't do so?
On Monday, November 22, 2021 at 11:54:03 AM UTC+5:30 Shetu wrote:

> If I remove host parameter, the application still runs on www.server_name.com:8443 and I still get the warning:-
> --> RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which matches the server name
>
> On Monday, November 22, 2021 at 11:13:21 AM UTC+5:30 Graham Dumpleton wrote:
>
>> And what happens if you use:
>>
>> /manage.py runmodwsgi --https-only --https-port 8443 --server-name my_server_name.com --ssl-certificate-key-file /apps/django_app/keystore/host_name.key --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>
>> The --host argument shouldn't be necessary as it would listen on all host interfaces anyway.
>>
>> If you still get warning:
>>
>> > RSA certificate configured for ?.?.?.?:8443 does NOT include an ID which matches the server name
>>
>> it would suggest the certificate you were given is not for the host "my_server_name.com" that you are giving as argument to --server-name.
>>
>> On 22 Nov 2021, at 4:34 pm, Shetu <[email protected]> wrote:
>>
>> Hi Graham,
>>
>> I extracted the private key into .key file. The application is running on www.server_name.com:8443. I added --host parameter also to the mod_wsgi startup command to see whether it runs or not on https port if I use ip address of the server instead of server_name in the url but it does not work. I am getting this warning in the logs:-
>>
>> [Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for 0.0.0.0:8443 does NOT include an ID which matches the server name
>> [Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
>> [Mon Nov 22 05:16:19 2021] [ip AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
>> [Mon Nov 22 05:16:19 2021] [ip AH01909: RSA certificate configured for 0.0.0.0:8443 does NOT include an ID which matches the server name
>> [Mon Nov 22 05:16:19 2021] [ip AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
>> [Mon Nov 22 05:16:19 2021] [ip AH00489: Apache/2.4.46 (Unix) mod_wsgi/4.7.1 Python/3.6 OpenSSL/1.0.2k-fips configured -- resuming normal operations
>>
>> Here is the mod_wsgi startup command:-
>>
>> /manage.py runmodwsgi --https-only --https-port 8443 --host 0.0.0.0 --server-name my_server_name.com --ssl-certificate-key-file /apps/django_app/keystore/host_name.key --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>
>> Will this configuration work if I assign a DNS to this host or do I need to add some more configuration here since it does not work with ip address? Also if I remove --server-name from the command and just keep --host, it does not work.
>>
>> Regards,
>> Shetu
>>
>> On Friday, November 19, 2021 at 12:59:09 PM UTC+5:30 Graham Dumpleton wrote:
>>
>>> It is not uncommon to have files in a different format to what is required and you need to convert and even possibly extract out just the private key from a file which contains multiple things. You are going to need to look at docs for your certificate authority to understand what is the private key or how to extract/convert it to what Apache wants from what you have been given.
>>>
>>> You want the file necessary for SSLCertificateKeyFile directive in Apache.
>>>
>>> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatekeyfile
>>>
>>> Graham
>>>
>>> On 19 Nov 2021, at 6:16 pm, Shetu <[email protected]> wrote:
>>>
>>> I have the following set of keys and certificates which I got from the certificate authority:-
>>>
>>> host_name.csr
>>> server_name.crt
>>> Intermediate-CA.pem
>>> ROOT-CA.pem
>>> host_name.keystore.original
>>> host_name.keystore
>>>
>>> I have set the key file as the .pem file but still getting this error:-
>>>
>>> [Fri Nov 19 07:10:33 2021] [ip AH02203: Init: Private key not found
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>>> [Fri Nov 19 07:10:33 2021] [ip SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
>>> [Fri Nov 19 07:10:33.592064 2021] [ssl:emerg] [pid 18369:tid 140598354167616] AH02312: Fatal error initialising mod_ssl, exiting.
>>>
>>> On Friday, November 19, 2021 at 12:38:14 PM UTC+5:30 Graham Dumpleton wrote:
>>>
>>>> Are you sure you are using the correct file for the private key? I have never seen a convention of the private key file having a '.keystore' extension. Would usually be a .pem file extension.
>>>>
>>>> Graham
>>>>
>>>> On 19 Nov 2021, at 6:05 pm, Shetu <[email protected]> wrote:
>>>>
>>>> Getting these errors :-
>>>> [Fri Nov 19 06:57:36 2021] [ip AH02203: Init: Private key not found
>>>> [Fri Nov 19 06:57:36 2021] [ip SSL Library Error: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
>>>> [Fri Nov 19 06:57:36.717374 2021] [ssl:emerg] [pid 12557:tid 139779757414208] AH02312: Fatal error initialising mod_ssl, exiting.
>>>>
>>>> I have also added the server name in the command
>>>>
>>>> On Friday, November 19, 2021 at 12:10:21 PM UTC+5:30 Graham Dumpleton wrote:
>>>>
>>>>> What are the error messages you are getting and where?
>>>>>
>>>>> Also be aware you must supply the --server-name option with the hostname of the site which matches what you set in the certificate.
>>>>>
>>>>> On 19 Nov 2021, at 5:36 pm, Shetu <[email protected]> wrote:
>>>>>
>>>>> Hi Graham,
>>>>>
>>>>> I am using modwsgi express to run my Django application on mod_wsgi Apache server. I am not able to start my server on https port although it works on http port.
>>>>>
>>>>> This is the command I used to start the server (mentioned only https and ssl parameters)
>>>>>
>>>>> ./manage.py runmodwsgi --https-only --https-port 8443 --ssl-certificate-key-file /apps/django_app/keystore/server_name.keystore --ssl-certificate-file /apps/django_app/keystore/server_name.crt
>>>>>
>>>>> Please let me know where I may be going wrong.
>>>>>
>>>>> Regards,
>>>>> Shetu

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/8c058ccc-5568-42c8-87e6-c5fe8fa09ee0n%40googlegroups.com.
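
The two key-file failures in the thread (a .keystore file, then a .pem that was not the private key) can be caught before starting Apache by checking what the file handed to --ssl-certificate-key-file actually contains. This is an added example, not code from the thread or from mod_wsgi; it assumes a .keystore may be a Java keystore, and the sample files are constructed stand-ins with no real key material.

```python
import base64
import binascii
import re

# A PEM block: BEGIN label, body (optional RFC 1421 headers + base64), END label.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY"}
# Java keystore magic numbers (JKS, JCEKS).
MAGIC = {b"\xfe\xed\xfe\xed": "java-keystore-jks", b"\xce\xce\xce\xce": "java-keystore-jceks"}


def classify_key_file(data: bytes) -> str:
    """Say what kind of file was handed to --ssl-certificate-key-file."""
    if data[:4] in MAGIC:
        return MAGIC[data[:4]]
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # DER and PKCS#12 both start with an ASN.1 SEQUENCE tag (0x30).
        return "binary-der-or-pkcs12" if data[:1] == b"\x30" else "unknown"
    for label, body in blocks:
        if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
            return "pem-encrypted-private-key"  # needs a passphrase to load
        if label in KEY_LABELS:
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except binascii.Error:
                return "pem-private-key-corrupt"
            return "pem-private-key" if der[:1] == b"\x30" else "pem-private-key-corrupt"
    return "pem-without-private-key"  # e.g. only CERTIFICATE blocks


def make_pem(label: str, der: bytes) -> bytes:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# Constructed stand-ins: correct framing only, not the poster's files.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(32)
SAMPLES = {
    "sample.keystore": b"\xfe\xed\xfe\xed\x00\x00\x00\x02" + bytes(16),
    "sample-ca.pem": make_pem("CERTIFICATE", FAKE_DER),
    "sample.key": make_pem("PRIVATE KEY", FAKE_DER),
}


def check_samples() -> dict:
    """Only 'pem-private-key' is the PEM-encoded key SSLCertificateKeyFile asks for."""
    return {name: classify_key_file(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    print(check_samples())
```

The check looks only at framing; it does not prove the key belongs to the certificate or that the certificate names the host given to --server-name.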
