Using Let's Encrypt without control over the root directory

I'm running a Django website and using Let's Encrypt for my SSL. Configuration of the framework is such that I can't allow access on: http://url.com/.xxxx

What I can allow free access to is: http://url.com/static/.xxxx

My /static/ URL can accept and host any random files Let's Encrypt needs. Is there a way to have certbot support /static/ instead of just using / for the URL?

Thanks

EDIT

I've found a workaround that is acceptable for me. Further digging, I found that /.well-known/ is always the base directory for SSL checking. That means we can add a static directory which will work nicely with certbot. Here's how. First, add this into your Apache config:

Alias /.well-known/ /var/www/XXXXX/website/static/.well-known/
<Directory /var/www/XXXXX/website/static/.well-known/>
    Require all granted
</Directory>

Then add this into your settings.py file:

STATIC_ENCRYPT_URL = '/.well-known/'
# Must be the same directory the Apache Alias above maps /.well-known/ to.
STATIC_ENCRYPT_ROOT = '/var/www/XXXXX/website/static/.well-known/'

Add this into your urls.py:

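from django.conf import settings
from django.conf.urls.static import static

# static() only adds the route when DEBUG is True; otherwise it returns [].
urlpatterns = [
  ... 
] + static(settings.STATIC_ENCRYPT_URL, document_root=settings.STATIC_ENCRYPT_ROOT)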

Reset your webserver. Now you have a special URL /.well-known/ which will host any file certbot requires.

I'd still like a better answer than this.

Luke Dupin asked Jul 18 '16 18:07
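
An added example, not part of the original post: a standard-library Python check that narrows what a handler behind the /.well-known/ alias above would serve to ACME HTTP-01 challenge files only, refusing traversal, symlink escapes and other /.well-known/ content. The function name `resolve_challenge`, the 128-character token cap and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Prefix the ACME HTTP-01 validator requests (RFC 8555, section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Tokens use only the base64url alphabet; the 128-char cap is an assumption.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def resolve_challenge(webroot: Path, url_path: str) -> Optional[Path]:
    """Map a request path to a challenge file under webroot, or None to refuse."""
    if not url_path.startswith(CHALLENGE_PREFIX):
        return None  # other /.well-known/ content is not served by this rule
    token = url_path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None  # rejects "..", nested paths, dotted names, empty names
    base = (webroot / ".well-known" / "acme-challenge").resolve()
    candidate = (base / token).resolve()
    # resolve() follows symlinks, so a link pointing outside base is refused too.
    if candidate.parent != base or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a constructed webroot and classify constructed request paths."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "static"  # stands in for .../website/static/
        acme = webroot / ".well-known" / "acme-challenge"
        acme.mkdir(parents=True)
        (acme / "tok_EXAMPLE-123").write_text("tok_EXAMPLE-123.thumbprint")
        (webroot / "settings_backup.py").write_text("SECRET_KEY = 'constructed'")
        (acme / "leak").symlink_to(webroot / "settings_backup.py")
        requests = [
            "/.well-known/acme-challenge/tok_EXAMPLE-123",
            "/.well-known/acme-challenge/../../settings_backup.py",
            "/.well-known/acme-challenge/leak",
            "/.well-known/acme-challenge/missing",
            "/.well-known/security.txt",
        ]
        return {p: resolve_challenge(webroot, p) is not None for p in requests}


if __name__ == "__main__":
    for path, served in demo().items():
        print("SERVE " if served else "REFUSE", path)
```

Only the first constructed request is served; the same token pattern can be applied to a URL route or a web-server location rule so that nothing else in the static directory becomes reachable through the alias.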

1 Answer

In case other users come this way like I did from Google, here's how I improved this situation:

I was unsatisfied by my options when it came to creating ACME challenges for Let's Encrypt when running a Django application. So, I rolled my own solution and created a Django app! Basically, you can manage your ACME challenges as just another object, and the app will produce the proper end-point URL.

Simply pip install django-letsencrypt and follow the README to be on your way.

Urda answered Sep 23 '22 12:09