Forums

SSL error on https

So when attempting to connect to my site over https, you get the SSL error:

This is probably not the site that you are looking for!
You attempted to reach www.finaldeadline.co.uk, but instead you actually reached a server identifying itself as *.pythonanywhere.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.finaldeadline.co.uk.
You should not proceed, especially if you have never seen this warning before for this site.

Never occurred to me to check for this. I'm not even sure how the user wound up using https rather than http, considering that she didn't know what a url was.

I've never had to get involved with the certification side of things, so I'm a little in the dark now. If I want a valid certificate linking '*.pythonanywhere.com' to my actual address, how do I go about it? (I may not know exactly what it is I'm asking. In short, "How do I make this not happen?")

Beloved premium user evilkillerfiggin | 72 posts | Oct. 16, 2013, 3:05 p.m. | permalink

The short answer is "get an SSL cert, give us the certificate chain and the private key and we'll make some magic happen". That may not be very helpful, so here's a slightly more detailed version (I'm looking to promote the instructions we develop here into a wiki page, so I hope you don't mind being a documentation guinea pig)

  1. Get an SSL cert: There are a number of providers of SSL certs. Some of them even provide server certs for free. We have a several users that are using certs from StartSSL. We use a Thawte cert on PythonAnywhere, but that costs.
  2. Create a certificate chain: Once you have your certificate, the provider should also give you access to a certificate chain. It may be as part of your certificate already, or you may have to add it yourself. You can tell if your cert has the chain, by looking at it in a text editor. If there is only one chunk that starts with "BEGIN CERTIFICATE" and ends with "END CERTIFICATE", then it's just your cert, without the chain. If it's just your cert, then you need to take the chain provided by your provider and add it at the end of your cert.
  3. Get your private key: Your SSL provider will also give you a private key. You will need to give it to use unencrypted, so make sure that the key starts with the line "-----BEGIN RSA PRIVATE KEY-----". if you see something like Proc-Type: 4,ENCRYPTED then it's encrypted and you need to decrypt it before we can use it: openssl rsa -in server.key.encrypted -out server.key
  4. Give it to us: The safest way to do this is to upload the cert and the private key to a directory in your PythonAnywhere account and then drop us an email at support@pythonanywhere.com letting us know where they are.
  5. We'll do the rest
Staff glenn | 10041 posts | PythonAnywhere staff | Oct. 16, 2013, 4:24 p.m. | permalink