Https during development

blaketig · November 13, 2021, 11:30am

I’m looking to test integrating some services which require https. Are there any guides to help with using a self signed certificates on localhost for django and nginx?

I’m having trouble finding tutorials that work, even just for django. I’ve got a feeling there’s some implied steps that I haven’t worked out.

Some methods I’ve tried include:

pip install werkzeug
pip install pyOpenSSL

INSTALLED_APPS [
    'django-extensions',
]

python manage.py runserver_plus --cert-file cert.crt

Apparently when the browser shows the security warning you can accept the self signed certificate. However this isn’t working for me on Chromium and Firefox ESR. I don’t get https with the padlock.

I tried the code “thisisunsafe” on the Chromium browser tab which loads the page but still not with https.

Another method I tried with my productions settings in localhost:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl/mysite.key -out ssl/mysite.crt

Then updating the nginx.conf to listen on 443. I get the same browser warnings.

I’ve gone through some videos on youtube that require DNS port forwarding or that use a different setup with apache that I wasn’t able to fully translate to my setup.

I’m kind of confused with https during development. I’ve seen some comments where people say it’s not possible or that getting https working on the development site is more effort than it’s worth. But then there are other quick tutorials for self signed certificates which just aren’t working for me when I proceed with the insecure warning.

Lets Encrypt recommends using certbot with either automated or manual setup, both seem to require some validation that the site mysite.com belongs to me, which it doesn’t I’m just using it as my localhost.

Are there any guides people know of to get self signed certificates working on django to test services like Facebook authentication?.Thanks

KenWhitesell · November 13, 2021, 1:16pm

I’m not quite following what you’re trying to do / test here.

I can say that I have never deployed a Django app where Django is in any way a part of the SSL layer.

Our standard architecture is currently either:

[browser] <---> [nginx] <---> [uwsgi] <---> [Django app]
or (in a small number of cases)
[browser] <---> [haproxy] <---> [nginx] <---> [uwsgi] <---> [Django app]

In the first case, it’s nginx that serves as the SSL termination point; haproxy in the second. (I think at one point I did some experimentation of terminating SSL in uwsgi, but that was years ago and I don’t remember any of the specifics.)

In any case, the SSL layer is transparent / not-visible to Django.

(Side note: Yes, LetsEncrypt requires you have sufficient access to the domain for which you are requesting a certificate before it will issue you one that the browsers are going to recognize. However, as long as you have sufficient access to that host, you can create multiple certificates to be used on different hosts - as long as the private keys are present on both.)

It has been a while since I’ve needed to use a self-signed cert - I know that browsers are getting more strict about that, and it’s a particular problem on Android apps.

blaketig · November 13, 2021, 10:59pm

I’m trying to add a valid OAuth redirect URL to facebook, twitter and google developer sites.

For exampe:
https:mysite.com:8000/social-auth/complete/facebook/

I know there are some developer sites which don’t require https for the redirect URL. I was able to do test stripe payments with http://localhost:8000/success/ as the redirect URL. But what do I do for sites that do require a https redirect.

KenWhitesell · November 14, 2021, 1:13am

I was able to use Werkzeug (via runserver_plus) and an https connection using a Werkzeug-created cert and key files.
The command I used was:
./manage.py runserver_plus --key-file selftest-key --cert-file selftest-cert localhost:8443

This is without creating keys myself - allowing Werkzeug to create its own keys.

I can then connect to localhost using https, with the appropriate warning message.

petrprikryl · January 12, 2023, 2:17pm

https://cookiecutter-django.readthedocs.io/en/latest/developing-locally-docker.html#developing-locally-with-https

HenryMehta · March 17, 2024, 10:08am

I tried this and now I cannot get the site to run over http locally. I’m using docker compose. All other development sites remain fine but this one always redirects whether in privacy mode or not. Nothing within the application is forcing SSL and I removed all browser cache and still redirects.

Arrgggg!

KenWhitesell · March 17, 2024, 12:33pm

Welcome @HenryMehta !

This specific topic has been marked as solved, so new messages here are not likely to attract attention.

If you’re having an issue that you would like assistance with, please open a new topic for discussion. When you do, please include the scripts and configuration files (Dockerfile and or docker compose yaml file) that describe what you’re trying to do.

Topic		Replies	Views
SSL: CERTIFICATE_VERIFY_FAILED with external service Getting Started	6	3697	September 2, 2024
Django 4 / pytest-django live_server for tests is claiming https? Forms & APIs	1	809	May 17, 2022
Make http redirect to https Deployment	2	2596	March 18, 2022
Secure Websocket (with HTTPS) Deployment	8	10755	March 11, 2023
Improving Heroku's Suggestions for Django Deployment	1	659	December 13, 2023

Https during development

Related topics