Hi :) I am having trouble with web2py behind Apache with multiple SSL virtualhosts, each serving a different web2py application and encrypted with a different letsencrypt SSL key. All are served from the same IP address. I have only one web2py instance in my setup. If I set up up to 3 VirtualHosts (serving 3 applications), it works. But as soon as I add more applications to my setup, all HTTPS requests end up in SSL_ERROR_RX_RECORD_TOO_LONG.
Versions: web2py 2.16.1, Apache 2.4.10, libapache2-mod-wsgi 4.3.0-1 (Debian Jessie)

My config follows; to make it concise I removed the portions dealing with static files, logging etc. which are not related to the problem:

<Macro Web2PySSL $domain>
    <VirtualHost *:80>
        ServerName $domain
        WSGIDaemonProcess $domain user=www-data group=www-data display-name=%{GROUP}
        WSGIScriptAlias / /opt/web2py/wsgihandler.py
        WSGIProcessGroup $domain
        <Location /admin>
            Require all denied
        </Location>
        <LocationMatch ^/([^/]+)/appadmin>
            Require all denied
        </LocationMatch>
        <Directory /opt/web2py>
            AllowOverride None
            Require all denied
            <Files wsgihandler.py>
                Require all granted
            </Files>
        </Directory>
    </VirtualHost>
    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/letsencrypt/$domain/fullchain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/letsencrypt/$domain/privkey.pem
        ServerName $domain
        WSGIScriptAlias / /opt/web2py/wsgihandler.py
        WSGIProcessGroup $domain
        WSGIPassAuthorization On
        <Directory /opt/web2py>
            AllowOverride None
            Require all denied
            <Files wsgihandler.py>
                Require all granted
            </Files>
        </Directory>
    </VirtualHost>
</Macro>

And one-liners in sites-enabled:

Use Web2PySSL www.domain1.com
Use Web2PySSL www.domain2.com
Use Web2PySSL www.domain3.com
...

SSL certificates are symlinked to /etc/apache2/ssl/letsencrypt.

routes.py:

routers = dict(
    BASE=dict(
        domains = {
            'www.domain1.com' : 'domain1',
            'www.domain2.com' : 'domain2',
            'www.domain3.com' : 'domain3',
            #...
        }
    ),
)

I made several experiments to help identify the cause.

1) Instead of domain-specific letsencrypt certificates I tried one self-signed certificate for all domains. It increased the number of applications which work in my scenario from 3 to 5, but as soon as I add one more, it starts failing again. I think the main difference of the self-signed certificate in the context of the error is that it does not have any chain.
2) In order to find out whether it is a problem of Apache, I tried to set up plain Apache virtualhosts with SSL support. It works. There are no problems with SSL at all, regardless of the number of virtualhosts.

<Macro testSSL $domain>
    <VirtualHost *:80>
        ServerName $domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    <VirtualHost *:443>
        ServerName $domain
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/letsencrypt/$domain/fullchain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/letsencrypt/$domain/privkey.pem
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</Macro>

And:

Use testSSL www.domain1.com
Use testSSL www.domain2.com
Use testSSL www.domain3.com
...

3) In order to find out whether it is a problem of mod-wsgi, I tried the following. Again, no problems. Both HTTP and HTTPS are working well.

Simple WSGI handler in /var/www/wsgi/test.wsgi:

def application(environ, start_response):
    status = '200 OK'
    # a str body is fine under the Python 2 mod_wsgi build used here
    output = 'Just testing...'
    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)
    return [output]

And related config:

<Macro testSSLWSGI $domain>
    <VirtualHost *:80>
        ServerName $domain
        WSGIDaemonProcess $domain user=www-data group=www-data display-name=%{GROUP}
        WSGIScriptAlias / /var/www/wsgi/test.wsgi
        WSGIProcessGroup $domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    <VirtualHost *:443>
        ServerName $domain
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/letsencrypt/$domain/fullchain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/letsencrypt/$domain/privkey.pem
        WSGIScriptAlias / /var/www/wsgi/test.wsgi
        WSGIProcessGroup $domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</Macro>

And:

Use testSSLWSGI www.domain1.com
Use testSSLWSGI www.domain2.com
Use testSSLWSGI www.domain3.com
...

So, my conclusion is that the problem indeed has something to do with web2py. But I am not sure what to try as a next step. :(

Thank you very much for any idea!

with regards
David
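Two quick checks that are useful when debugging a setup like the one above; this is an added example, not code from the post or from web2py. The first cross-checks the `Use Web2PySSL <host>` lines in sites-enabled against the `domains` map in routes.py by parsing the Python source with `ast` (no exec of the config), reporting duplicated hostname keys (a later entry silently shadows an earlier one), hosts Apache serves that web2py does not route, and routes with no matching vhost. The second classifies the first bytes a client receives on port 443, since SSL_ERROR_RX_RECORD_TOO_LONG is what a browser reports when what comes back is not a TLS record; being able to tell "plaintext HTTP on 443" from "no TLS at all" narrows the search. The sites-enabled and routes.py contents and the sample byte strings are constructed here; the macro name Web2PySSL is the one used in the post.

```python
"""Consistency and handshake-shape checks for a multi-vhost web2py deployment.
Added example; inputs below are constructed, not taken from a real server."""
import ast
import re
from collections import Counter

# Constructed: concatenated contents of /etc/apache2/sites-enabled/*
SITES_ENABLED = """\
Use Web2PySSL www.domain1.com
Use Web2PySSL www.domain2.com
Use Web2PySSL www.domain3.com
Use Web2PySSL www.domain4.com
"""

# Constructed routes.py text containing a copy-paste slip on the second key.
ROUTES_PY = """\
routers = dict(
    BASE=dict(
        domains = {
            'www.domain1.com' : 'domain1',
            'www.domain3.com' : 'domain2',
            'www.domain3.com' : 'domain3',
        }
    ),
)
"""

USE_RE = re.compile(r'^\s*Use\s+(\S+)\s+(\S+)', re.MULTILINE)


def apache_domains(text, macro='Web2PySSL'):
    """Hostnames handed to the given macro by `Use` lines in Apache config."""
    return [host for name, host in USE_RE.findall(text) if name == macro]


def routes_domain_entries(text):
    """(hostname, app) pairs as written in the `domains = {...}` literal,
    duplicates included, found by walking the AST instead of importing."""
    for node in ast.walk(ast.parse(text)):
        if (isinstance(node, ast.keyword) and node.arg == 'domains'
                and isinstance(node.value, ast.Dict)):
            return [(ast.literal_eval(k), ast.literal_eval(v))
                    for k, v in zip(node.value.keys, node.value.values)]
    raise ValueError('no domains dict literal found in routes.py text')


def check_routing(sites_text, routes_text, macro='Web2PySSL'):
    """Return a dict of findings; every list empty means the two agree."""
    hosts = apache_domains(sites_text, macro)
    entries = routes_domain_entries(routes_text)
    counts = Counter(host for host, _ in entries)
    routed = dict(entries)            # last duplicate wins, as in Python itself
    return {
        'duplicate_hosts': sorted(h for h, n in counts.items() if n > 1),
        'shadowed_apps': sorted(a for h, a in entries if routed[h] != a),
        'unrouted_hosts': sorted(h for h in hosts if h not in routed),
        'unused_routes': sorted(h for h in routed if h not in hosts),
    }


def classify_first_bytes(data):
    """Label what a client got back on port 443 from its first few bytes.
    A TLS record starts with content type 0x16 (handshake) and version 0x03xx;
    'HTTP/' means the port is answering in plaintext, which is exactly the
    situation browsers report as SSL_ERROR_RX_RECORD_TOO_LONG."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return 'tls'
    if data.startswith(b'HTTP/'):
        return 'plaintext-http'
    if not data:
        return 'empty'
    return 'unknown'


if __name__ == '__main__':
    for key, value in check_routing(SITES_ENABLED, ROUTES_PY).items():
        print('%-16s %s' % (key, ', '.join(value) or '-'))
    # Constructed samples of what the first read on port 443 might return.
    for sample in (b'\x16\x03\x03\x00\x7a\x02', b'HTTP/1.1 400 Bad Request\r\n', b''):
        print(repr(sample[:8]), '->', classify_first_bytes(sample))
```

Running the file prints the four finding lists and the three classifications; in a real deployment you would feed `check_routing` the actual file contents and `classify_first_bytes` the first bytes returned by a raw socket connect to each hostname on 443.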