
scary SSL warning message in firefox and chrome

I have set up a CNAME record for a web2py app running on pythonanywhere, but whenever I try to access it with HTTPS I get a scary warning telling me that there is some kind of certificate mismatch. This will definitely scare away users and I would like to know how I go about fixing that error. If I need to buy a certificate I don't have a problem doing that, but I'm not sure how that works with PA infrastructure.

Right, the problem is that we serve up our own certificate, so the browsers are complaining that your site is giving a cert for *.pythonanywhere.com while it's actually running at yourdomain.com. So yes, you'll need to buy a certificate, and then we'll need to install it on our side.

We're actually just finishing off the work that will make this an easy process with a pretty user interface, but we can manually add your certificate if you send it to us over email once you have it.

Excellent. You guys are always a step ahead of me. There is no rush so I'll just wait for the pretty UI.

OK! If we do get delayed and you need something put in quickly, just drop us a line.

+1 for Python Anywhere...☺

Out of interest, do the hosting accounts with an external domain get a unique IP address for them? This was always the primary issue with SSL hosting historically.

The SNI extension addresses this, and has existed for some time, but I believe there are still significant holes in client support (IE prior to 7, any IE on XP, iOS prior to 4.0, etc.). Also, it's worth being aware that it's only fairly recently that some distros have moved to a version of OpenSSL which supports it (0.9.8f with appropriate compilation options, 0.9.8j has it by default). Looks like the Apache you're using (2.2.16) should support it assuming the underlying OpenSSL does.

Having worked in this area on a proprietary webserver recently, if you can't assign a unique IP per account then you can use SNI with a fallback option of your own certificate, but of course this will generate security warnings in non-SNI clients.
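The mismatch explained earlier in the thread and the SNI-with-fallback arrangement described just above, modelled as an added Python example (not code from this thread or from PythonAnywhere; the host names and certificate names are constructed). It shows which client/server combination ends up with a browser warning and why the provider's wildcard certificate cannot cover an external domain.

```python
"""Model of why a non-SNI client sees a certificate-mismatch warning.

Constructed example: the host names and certificate names below are
made up and are not taken from the thread or from any real deployment.
"""

# Server side: certificate chosen per SNI host name, with the provider's
# own wildcard certificate as the fallback when no SNI name is offered.
CERTS_BY_NAME = {
    "www.yourdomain.com": ["www.yourdomain.com", "yourdomain.com"],
}
FALLBACK_CERT = ["*.pythonanywhere.com"]


def select_cert(sni_name):
    """Return the list of names on the certificate the server presents."""
    if sni_name is None:            # client sent no SNI extension
        return FALLBACK_CERT
    return CERTS_BY_NAME.get(sni_name.lower(), FALLBACK_CERT)


# Client side: RFC 6125-style matching as browsers do it. A wildcard is
# only honoured in the leftmost label and matches exactly one label.
def name_matches(cert_name, hostname):
    """True if the certificate name covers the host the user typed."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]          # e.g. ".pythonanywhere.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def browser_warns(hostname, client_supports_sni):
    """True if the presented certificate matches none of the host's names."""
    presented = select_cert(hostname if client_supports_sni else None)
    return not any(name_matches(n, hostname) for n in presented)


if __name__ == "__main__":
    for sni in (True, False):
        print("SNI" if sni else "no SNI",
              "-> warning" if browser_warns("www.yourdomain.com", sni)
              else "-> ok")
```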

@a2j -- +1 for you too :-)

@Cartroo -- Thanks! We share IPs between hosting accounts currently, though that might change. Especially if/when we switch to IPv6.

We're actually just in the process of switching to nginx (initially to make adding multiple-domain handling and static files easier, but TBH we're finding it so nice to configure that we wish we'd started off with it) and it looks like it handles SNI -- I guess it would be crazy if it didn't, but I'm glad we're not shooting ourselves in the foot...

Ah yes, IPv6 to the rescue - when the rest of the Internet gets around to supporting it... Actually, I've been heartened to see that most vendors are putting v6 support as a non-negotiable requirement on core appliances these days, which is definite progress on a few years ago.

Haven't played much with nginx myself but heard only good things from those who have. I too would have been surprised if it didn't have SNI support, but not too surprised - I'm always a little appalled by how slowly these important technologies propagate.

I guess either IPv6 to the home or near-total client support for SNI would resolve this issue, one way or another - hopefully at least one of those will happen within a few more years.

Yup. Of course, IPv6 won't fix the problem with XP -- as far as I can tell, it needs to be explicitly enabled, and I suspect that the bulk of the people who are still using XP are either in locked-down corporate environments where their sysadmins are unlikely to enable it, or are very non-techie and won't be able to enable it themselves.

So perhaps we need to hope that XP will just go away. It's a pity, I remember being quite fond of it, especially after I used Vista...

Better yet...let's just hope Redmond goes away!!

Yes, I went there once, it's a terribly boring town ;-) Actually, I don't mind Microsoft too much -- Windows 98, XP and 7 are all decent-enough operating systems (unlike ME, Vista and -- it appears -- 8) and if only people (for which, read large corporations) would upgrade reasonably frequently then the Internet would be a much better place. We've got a 50/50 Windows/Ubuntu split here in the office for workstations.

We'd never dream of using Windows on the servers, though, of course.

Yeah, I think Microsoft software gets a bit of a bad rap these days. I wouldn't want to defend their past business practices (though let us not forget that businesses are fundamentally amoral), but their software has mostly been at least mediocre and sometimes even almost quite good. Sure, Vista was a bit of a disaster, but I find Windows 7 actually quite tolerable (even if I mostly use it to run Putty). Office for Mac 2011 is also quite usable.

The main thing which annoys me about Microsoft is actually that they spend too much time worrying about keeping their customers happy by keeping old software running, and all those legacy hacks go too deep into the system. I think with Windows 7 they were a little less afraid to re-architect and it's a better system for it.

But I second the comment about Windows servers - headless Windows machines are just an absolute unmitigated nightmare... Very poor non-GUI remote access, little or no potential for lights-out management, very poor support for SNMP and similar... Just bad.

How does your pretty UI go on?