7

I'm running a Django website and using Let's Encrypt for my SSL. Configuration of the framework is such that I can't allow access on: http://url.com/.xxxx

What I can allow free access to is: http://url.com/static/.xxxx

My /static/ URL can accept and host any random files Let's Encrypt needs. Is there a way to have certbot support /static/ instead of just using / for the URL?

Thanks

EDIT

I've found a workaround that is acceptable for me. Digging further, I found that /.well-known/ is always the base directory for SSL checking. That means we can add a static directory which will work nicely with certbot. Here's how. First, add this to your Apache config:

Alias /.well-known/ /var/www/XXXXX/website/static/.well-known/
<Directory /var/www/XXXXX/website/static/.well-known/>
    Require all granted
</Directory>

Then add this into your settings.py file:

STATIC_ENCRYPT_URL = '/.well-known/'
STATIC_ENCRYPT_ROOT = '/var/www/XXXXX/website/static/'

Add this into your urls.py:

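from django.conf import settings
from django.conf.urls.static import static

urlpatterns = [
    # ... existing URL patterns ...
] + static(settings.STATIC_ENCRYPT_URL, document_root=settings.STATIC_ENCRYPT_ROOT)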

Reset your webserver. Now you have a special url /.well-known/ which will host any file certbot requires.

I'd still like a better answer than this.

Luke Dupin
  • 1
    Disable django temporarily, and run a simple file TCP server. – hjpotter92 Jul 18 '16 at 18:47
  • 2
    That will work fine on dev, but I can't take the production server offline like that. – Luke Dupin Jul 18 '16 at 18:48
  • It takes less than 2 minutes for the entire LetsEncrypt process. You could also try using CloudFlare's free plan for ssl. – hjpotter92 Jul 18 '16 at 18:54
  • 1
    Please only submit valid suggestions that are on topic. There will be others with this same problem, and they also need information on how to solve the problem. – Luke Dupin Jul 18 '16 at 19:09
  • Let's Encrypt uses (their version of) the (still being standardised) ACME protocol, so the challenges will always appear in /.well-known/acme-challenge/. The /.well-known/ prefix is reserved by the IETF for uses like this; if favicon.ico or robots.txt were invented today, they'd be in /.well-known/ – tialaramex Jan 02 '17 at 00:07
  • the `urlpatterns` addition is to your project urls.py file and not an app urls.py file, yes? – brt Jan 19 '17 at 16:51
  • @brf that is correct – Luke Dupin Jan 20 '17 at 21:06
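
Added example (not from the original posts and not the code of any package mentioned on this page): a stdlib-only Python resolver that serves only `/.well-known/acme-challenge/<token>`, the one path the comment above says Let's Encrypt requests, instead of granting access to a whole directory. The names `resolve_challenge` and `demo` and the sample token are constructed for illustration; the token check assumes RFC 8555's base64url alphabet.

```python
import re
import tempfile
from pathlib import Path

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 limits http-01 tokens to the base64url alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def resolve_challenge(webroot, url_path):
    """Return the challenge file's bytes for url_path, or None for a 404.

    webroot is the directory passed to `certbot certonly --webroot -w`;
    certbot writes tokens to <webroot>/.well-known/acme-challenge/.
    """
    if not url_path.startswith(ACME_PREFIX):
        return None
    token = url_path[len(ACME_PREFIX):]
    # Rejects "", "..", "/" and dotfiles: none of them match the alphabet.
    if not TOKEN_RE.fullmatch(token):
        return None
    challenge_dir = Path(webroot, ".well-known", "acme-challenge").resolve()
    candidate = (challenge_dir / token).resolve()
    # A symlink placed in the directory must not lead outside it.
    if candidate.parent != challenge_dir or not candidate.is_file():
        return None
    return candidate.read_bytes()


def demo():
    """Build a constructed webroot and resolve a few sample request paths."""
    with tempfile.TemporaryDirectory() as webroot:
        acme = Path(webroot, ".well-known", "acme-challenge")
        acme.mkdir(parents=True)
        (acme / "constructed-token_123").write_bytes(b"constructed-token_123.thumbprint")
        Path(webroot, "secret.txt").write_text("not for the CA")
        requests = [
            ACME_PREFIX + "constructed-token_123",  # valid challenge
            ACME_PREFIX + "../../secret.txt",       # traversal attempt
            ACME_PREFIX + "missing",                # well-formed, no file
            "/.well-known/other/file",              # outside the ACME path
            "/secret.txt",
        ]
        return {path: resolve_challenge(webroot, path) for path in requests}


if __name__ == "__main__":
    for path, body in demo().items():
        print(path, "->", body)
```

Django's `static()` helper returns an empty list when `DEBUG` is False, so on a production site a function like this would sit behind a regular view, or the web server's `Alias` does the serving.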

1 Answer

5

In case other users come this way like I did from Google, here's how I improved this situation:

I was unsatisfied by my options when it came to creating ACME challenges for Let's Encrypt when running a Django application. So, I rolled my own solution and created a Django app! Basically, you can manage your ACME challenges as just another object, and the app will produce the proper end-point URL.

Simply pip install django-letsencrypt and follow the README to be on your way.

Urda