So according to:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

seems like I should provide a --ssl-certificate-chain-file option.

Because where it is placed is position sensitive, I don’t think it can simply be added to the end of the generated httpd.conf by using the --include-file option.

So will need to have in template:

    SSLEngine On
    SSLCertificateFile %(ssl_certificate_file)s
    SSLCertificateKeyFile %(ssl_certificate_key_file)s
    <IfDefine MOD_WSGI_VERIFY_CLIENT>
    SSLCACertificateFile %(ssl_ca_certificate_file)s
    SSLVerifyClient none
    </IfDefine>
    <IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
    SSLCertificateChainFile %(ssl_certificate_chain_file)s
    </IfDefine>

and modify script to accept --ssl-certificate-chain-file and enable inclusion of SSLCertificateChainFile.

I will make a change tomorrow and push it up to GitHub repo so you can verify it.

Graham

> On 22 Feb 2016, at 9:13 PM, Graham Dumpleton <[email protected]> wrote:
>
> Is it replacing the SSLCertificateFile line or adding to it?
>
>> On 22 Feb 2016, at 9:11 PM, Tanuka Dutta <[email protected]> wrote:
>>
>> A follow-on question:
>>
>> I was encountering issues with Chrome browser on Android 5.1.1 trying to connect to my website. The browser was flagging it as not secure. It turned out that my certificate chain was not properly installed on Apache. (My certificate was obtained from https://www.startssl.com/)
>>
>> If I explicitly add this line in the httpd.conf wherever SSLCertificateFile is configured:
>>
>> SSLCertificateChainFile /home/syt_admin/projects/vishwaas/www-https/startssl-certs/1_root_bundle.crt
>>
>> (I am using Apache version 2.2.15)
>>
>> then Android does not flag any issue and the browser shows the secure padlock icon.
>>
>> But how do I provide this option via mod_wsgi-express setup-server ? I didn't see anything under mod_wsgi-express --help.
>>
>> Regards,
>> Tanuka
>>
>>
>> On Mon, Feb 22, 2016 at 9:37 AM, Tanuka Dutta <[email protected]> wrote:
>> Thanks, Graham!
>>
>> Adding the --url-alias option worked perfectly.
>>
>> Also, I went over my old notes and realized that I had in fact executed "python manage.py runmodwsgi --setup-only" after having played around with the "mod_wsgi-express setup-server" command. So that explains the mystery of why it had worked in the past.
>>
>> Is there a recommendation of which command to use?
>>
>> Thanks for this great piece of infrastructure!!
>>
>> Regards,
>> Tanuka
>>
>>
>>
>> On Saturday, 20 February 2016 06:11:21 UTC+5:30, Graham Dumpleton wrote:
>>
>>> On 19 Feb 2016, at 9:31 PM, Tanuka Dutta <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> I have a CentOS 6.7 installation on a VM, and am running Django 1.8.8 over Apache 2.2.15 using mod_wsgi version 4.4.21 (that I had compiled from source using Python 2.7.8 in a virtualenv).
>>>
>>> I've used mod_wsgi-express to generate the Apache scripts (it's extremely helpful!) and it works fine for http. I am able to connect to the website over http and view all the images on the site.
>>>
>>> The commands used were:
>>>
>>> (vishwaas_env)[syt_admin@VM1 www]$ mod_wsgi-express setup-server /home/syt_admin/projects/vishwaas/vishwaas_django/vishwaas_django/wsgi.py --host=0.0.0.0 --port=80 --user apache --group apache --server-root=/home/syt_admin/projects/vishwaas/www
>>>
>>> (vishwaas_env)[syt_admin@VM1 www]$ sudo ./apachectl start
>>>
>>> However, when I try to do the same for https (I followed instructions at https://gist.github.com/GrahamDumpleton/b79d336569054882679e, but left out the client authentication bit).
>>>
>>> (vishwaas_env)[syt_admin@VM1 www-https]$ mod_wsgi-express setup-server ../vishwaas_django/vishwaas_django/wsgi.py --user apache --group apache --server-root=/home/syt_admin/projects/vishwaas/www-https --https-port 443 --port 80 --https-only --server-name www.xyz.in --ssl-certificate-file ssl-certs/server.crt --ssl-certificate-key-file ssl-certs/server.key
>>>
>>> the http.conf file that is generated does not have the Alias 'static' directive. As a result, I can connect to the website but not view any images.
>>>
>>> If I insert the missing lines (copied over from the http.conf generated earlier):
>>>
>>> Alias '/static' '/home/syt_admin/projects/vishwaas/vishwaas_django/collected_static'
>>>
>>> <Directory '/home/syt_admin/projects/vishwaas/vishwaas_django/collected_static'>
>>> Order allow,deny
>>> Allow from all
>>> </Directory>
>>>
>>> then I can see the static files on the website.
>>>
>>> Is this a bug in mod_wsgi-express or am I doing something wrong?
>>
>> You would only get an Alias directive for /static if you had used the option:
>>
>> --url-alias /static /home/syt_admin/projects/vishwaas/vishwaas_django/collected_static
>>
>> I can’t see that you have used that in what you ran.
>>
>> The /static Alias would only be generated automatically if you were using the Django management command integration so you could run 'python manage.py runmodwsgi', which you aren’t.
>>
>> Graham
>>
>>
>> --
>> You received this message because you are subscribed to a topic in the Google Groups "modwsgi" group.
>> To unsubscribe from this topic, visit https://groups.google.com/d/topic/modwsgi/1Aad8DeGUjo/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/modwsgi.
>> For more options, visit https://groups.google.com/d/optout.
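An added example, not part of the original thread and not mod_wsgi's own code: a small check that reports whether SSLCertificateChainFile is actually in effect in a generated httpd.conf for a given set of -D defines, evaluating only the <IfDefine> blocks used in the template above. The sample config, its /placeholder paths and the function names are constructed for illustration.

```python
import re

# Constructed sample: the template fragment from the message above, with
# placeholder paths substituted for the %(...)s fields.
SAMPLE_CONF = """\
SSLEngine On
SSLCertificateFile /placeholder/server.crt
SSLCertificateKeyFile /placeholder/server.key
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile /placeholder/ca.crt
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile /placeholder/chain.crt
</IfDefine>
"""
_OPEN = re.compile(r"<IfDefine\s+(!?)\s*([^>\s]+)\s*>", re.I)
_CLOSE = re.compile(r"</IfDefine\s*>", re.I)

def active_directives(conf_text, defines=()):
    """Map lower-cased directive -> list of argument strings that apply when
    Apache is started with the given -D names. Only <IfDefine> (including the
    negated "!NAME" form) is evaluated; other containers are ignored."""
    defines, stack, found = set(defines), [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            stack.append((opened.group(2) in defines) != (opened.group(1) == "!"))
        elif _CLOSE.match(line):
            if stack:
                stack.pop()
        elif not line.startswith("<") and all(stack):
            name, *rest = line.split(None, 1)
            found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def chain_file_status(conf_text, defines=()):
    """Return 'no-tls', 'chain-missing' or 'chain-configured'."""
    found = active_directives(conf_text, defines)
    if "sslcertificatefile" not in found:
        return "no-tls"
    if "sslcertificatechainfile" in found:
        return "chain-configured"
    return "chain-missing"

if __name__ == "__main__":
    print(chain_file_status(SAMPLE_CONF))  # no -D names passed
```

From Apache 2.4.8 onwards SSLCertificateChainFile is deprecated and the intermediates can be appended to the file named by SSLCertificateFile, so a "chain-missing" result only indicates a problem on older servers such as the 2.2.15 install in this thread.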
