2

I recently used LetsEncrypt's Certbot to enable SSL on my server. It's running Apache 2.4.18 with Django 1.11 on Ubuntu 16.04. As explained here, I duplicated my :80 VirtualHost definition for 443 in the same file. I am now getting 403 Forbidden whenever I try to access my site over HTTPS. Below is my current site conf file, lightly anonymized:

```apache
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess MyApp python-home=/home/Administrator/Documents/MyRepo/MyRepo_env python-path=/home/administrator/Documents/MyRepo/MyApp
WSGIProcessGroup MyApp

<VirtualHost *:80>
        ServerName myapp.com

        ServerAdmin wouldntyou@liketoknow.com
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/administrator/Documents/MyRepo/MyApp/static
        <Directory /home/administrator/Documents/MyRepo/MyApp/static>
                Require all granted
        </Directory>

        <Directory /home/administrator/Documents/MyRepo/MyApp/MyApp>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>

        WSGIScriptAlias / /home/administrator/Documents/MyRepo/MyApp/MyApp/wsgi.py

RewriteEngine on
RewriteCond %{SERVER_NAME} =myapp.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerName myapp.com

        ServerAdmin wouldntyou@liketoknow.com
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/administrator/Documents/MyRepo/MyApp/static
        <Directory /home/administrator/Documents/MyRepo/MyApp/static>
                Require all granted
        </Directory>

        <Directory /home/administrator/Documents/MyRepo/MyApp/MyApp>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>

        <Directory /var/www/html>
                Require all granted
        </Directory>
        WSGIScriptAlias / /home/administrator/Documents/MyRepo/MyApp/MyApp.wsgi.py

SSLCertificateFile /etc/letsencrypt/live/myapp.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myapp.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

The only thing showing in the Apache log is `client denied by server configuration: /home/administrator/Documents/MyRepo/MyApp/MyApp.wsgi.py`

What permissions do I need to modify, or what settings do I need to change to get it working over SSL?

BThompson
  • I found [this](https://serverfault.com/questions/774819/virtual-host-forbidden-after-enabled-ssl) which looks like a similar issue, but was due to syntax errors I don't think I've made – BThompson Mar 11 '19 at 18:17
  • 403 errors in your browser usually come (like most web server warnings and errors) with a much more verbose description in your server (error) log file - so start there – HBruijn Mar 11 '19 at 18:18
  • Unfortunately the message in error.log isn't much more helpful (to me at least). Just says "client denied by server configuration: /home/administrator/Documents/MyRepo/MyApp/MyApp.wsgi.py" – BThompson Mar 11 '19 at 18:21
  • You do know that you added an extra `.com` to your `ServerName` directive. Is that a typo or is the same error actually in your config file? – doneal24 Mar 11 '19 at 18:46
  • Ah, oops. That is just a typo, not present in the config. I got a bit overzealous with find/replace apparently – BThompson Mar 11 '19 at 18:50

1 Answer

1

Well, that was frustrating. The issue ended up being a simple typo in my second VirtualHost definition. Specifically, the WSGIScriptAlias should be `WSGIScriptAlias / /home/administrator/Documents/MyRepo/MyApp/MyApp/wsgi.py` not `WSGIScriptAlias / /home/administrator/Documents/MyRepo/MyApp/MyApp.wsgi.py`. The only difference is a period where there should have been a slash, between the final MyApp and wsgi.py. Hopefully someone else will read this and be spared the hours of nonsensical debugging.

BThompson
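The mismatch found in the answer above can be caught mechanically by checking that every `WSGIScriptAlias` target in a vhost is covered by a `Require all granted` in that same vhost. The following is an added example, not part of the original post; the function name `ungranted_wsgi_scripts` is hypothetical, the sample config is constructed from the question, and it assumes anything not explicitly granted is denied by the main server config.

```python
import posixpath
import re

# Constructed sample: the two vhosts from the question, trimmed to the relevant directives.
SAMPLE_CONF = """
<VirtualHost *:80>
    <Directory /home/administrator/Documents/MyRepo/MyApp/MyApp>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
    WSGIScriptAlias / /home/administrator/Documents/MyRepo/MyApp/MyApp/wsgi.py
</VirtualHost>
<VirtualHost *:443>
    <Directory /home/administrator/Documents/MyRepo/MyApp/static>
        Require all granted
    </Directory>
    <Directory /home/administrator/Documents/MyRepo/MyApp/MyApp>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
    WSGIScriptAlias / /home/administrator/Documents/MyRepo/MyApp/MyApp.wsgi.py
</VirtualHost>
"""

def ungranted_wsgi_scripts(conf_text):
    """Assumes deny-by-default; returns (vhost, script) for WSGIScriptAlias targets with no grant."""
    findings, grants, scripts = [], set(), []
    vhost = directory = files = None
    for line in map(str.strip, conf_text.splitlines()):
        if m := re.match(r'<VirtualHost\s+(.+?)>', line, re.I):
            vhost, grants, scripts = m.group(1), set(), []
        elif m := re.match(r'<Directory\s+"?(.+?)"?>', line, re.I):
            directory = posixpath.normpath(m.group(1))
        elif m := re.match(r'<Files\s+"?(.+?)"?>', line, re.I):
            files = m.group(1)
        elif re.match(r'</Files>', line, re.I):
            files = None
        elif re.match(r'</Directory>', line, re.I):
            directory = None
        elif re.match(r'Require\s+all\s+granted', line, re.I) and directory:
            grants.add(posixpath.join(directory, files) if files  # exact file
                       else directory.rstrip("/") + "/")          # dir prefix
        elif m := re.match(r'WSGIScriptAlias\s+\S+\s+(\S+)', line, re.I):
            scripts.append(posixpath.normpath(m.group(1)))
        elif re.match(r'</VirtualHost>', line, re.I):
            findings += [(vhost, s) for s in scripts if not any(
                s == g or (g.endswith("/") and s.startswith(g)) for g in grants)]
    return findings
```

Run against the sample, only the `*:443` vhost is reported, with the `MyApp.wsgi.py` path that also appears in the `client denied by server configuration` log line.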