Python for .NET Developers Transcripts
Chapter: Deploying Python web apps
Lecture: Adding SSL with Let's Encrypt

0:00 This is really nice, but I would like it to work on a different domain. Now let's see, maybe, I did try to
0:08 when we first set this up, register guitary over... And it's still not working. Going to take a little bit longer for that to resolve.
0:17 When it does, we're going to be able to set up, over here. We're going to be able to use Let's Encrypt to install this now. We do a few steps now
0:27 and then we have to just pause in the background and wait. So let's go over here. We can add another apt repository.
0:34 So when we want to install something it'll come from here. Do you want to do this? Yes, let's do this. I think it already did it
0:44 but we can just do an apt update just to be safe, just to be sure. What's here? What can we do? Upgrade. Ah, some other stuff that got installed
0:55 along the way didn't get updated. Let's go ahead and do that. Now we can install Python Certbot. So this is the certificate bot for Let's Encrypt
1:05 which will give us free semi-auto renewing auto renewing via a single-line command certificate for SSL and it's going to set it up so it manages
1:14 Nginx and not Apache or whatever. So there's a whole bunch of stuff that's going to get installed. We'll let it do it.
1:24 All right, that looked like it worked. Now I might've cached this on my machine. Let's see what the server thinks. Nope, server also doesn't know.
1:32 So I need to wait just a little bit longer for this to resolve, and then we'll be able to set up our certificate. The reason is
1:40 we're going to just run this one command and it's going to add SSL to our server and we won't have to do anything.
1:45 It's beautiful. But in order for it to work it verifies the server making the request actually is the server that is the domain, all right?
1:53 The domain has an IP address mapping back to the server that's trying to set up the certificate. If it's not the case, it's going to fail
2:00 and say either, I don't know where this domain is, or, You know what? You don't own Google.com so you don't get to set it up.
2:06 All right? Play with, like, a safeguard and make sure they at least may have some sort of or some reason to own that certificate, alright
2:13 in lieu of buying it and verifying it and so on. Now I'm going to pause the video and come back when that resolves.
2:20 Alright, I think this is going to work. It depends on whether the domain name definitions have made it far enough over to the Certbot world.
2:28 But let's go ahead and give it a try and see what we got. All we have to do is say we're going to run Certbot against our Nginx configuration.
2:37 The Nginx config that supports that URL or that domain name right there. That's what we set up here. Like that.
2:48 And if the DNS settings have made it far enough they should work. Let's give it a try. First of all, it says You have to enter your email address.
2:58 And I'm going to put demo@talkpython.fm. Do we agree to the terms of service? Yes, yes, we do. Will I be willing to share that?
3:09 No, I have already shared my real email address with EFF. I don't need more copies of their newsletter. Thank you. Look at that.
3:19 It went and it verified guitary.talkPython.com. It set up the certificate and it has one final question for us and this one's kind of important.
3:28 If someone goes to HTTPS://guitary.talkPython.com it's already going to serve them SSL traffic HTTPS traffic. However, if they just type in the domain
3:41 guitary.talkPython.com without the HTTPS it's going to try HTTP. This question says, Would you like to automatically upgrade that request
3:50 over to HTTPS? I think the answer is almost always yes too? But maybe you don't think about your situation. I've never not wanted that to happen.
3:59 That seems really weird. Obviously if they just type the domain name you want it to go to SSL. And it says, Boom! Congratulations!
4:07 You're certified. This is going to expire in 90 days so you have to basically run something which is certbot renew and it'll actually go and look
4:19 and see if anything's due. It said, No, no, no, this one. This one here is not. So everything's good. But you need to make sure you run that once
4:29 near the end of 90 days. You know, the last 30 days or so. All right, let's see how this works. Let's see if we can get there.
4:38 We can say HTTP against that and let's see what happens. Sad, the local machine has cached or has not yet received the definition.
4:49 We have to wait a little bit longer to test this. I'll pause once again for the DNS settings to make it over to digitalization over to the server.
4:57 But when they do, we'll be all up and running. All right, well, actually, it just took a couple more minutes for that to resolve.
5:03 And we're all good. So now let's try this... A request to just HTTP guitary. Let's see what we get. We get a 301 moved permanently.
5:15 Where did it move to? Location, HTTPS. Alright, so we try again. HTTPS, port 443 hitting Nginx. What's going to happen? Magic.
5:28 Magic happens. All right, let's go over here. Here we have our IP address. I don't know if this will auto-redirect or if it will 404. Let's see.
5:35 Yeah, doesn't find, didn't love it. But if we just go to guitary.talkPython.com it's going to hit that 301 redirect and then it'll go to HTTPS.
5:44 Bam, just like that, we're online! Official, we are official. We have our certificate and we have our certificate verified
5:51 or provided by Let's Encrypt. And now we can just click around a little bit more. Before we do though, let's have a tiny bit of fun.
5:58 Turn on our tail. There we go. And maybe make a little room like this a little responsive stuff. Let's go over here, check out the guitars.
6:08 You can see it flipping through our electric guitars, our acoustic guitars all of the guitars. You can see we're doing all those requests.
6:16 First time we hit this, it was a little bit slow. But if we just click this a bunch of times... Notice one and zero milliseconds.
6:24 Can't ask for much more than that. This is really, really cool. So here we have officially deployed our website to a real domain using HTTPS
6:33 running over on the server. And last thing, just to make sure you want quick other tests. Just restart this thing to absolutely verify.
6:41 Yes, everything autostarts, right? It wasn't just a fluke that we started that service and oh, we forgot to enable it
6:48 or Nginx doesn't autostart or something like that. Try again. Takes a second. Here we go. Back. All right, try one more time.
6:59 Does it still work? You bet it still works. Because it's awesome! Okay, so cool! So here we have our app up and running
7:06 and yeah, everything is working really well. Guess what we could check really quick if we want? Response times over here.
7:18 We're getting 36 milliseconds, 39 38, 29. Yeah, that's pretty good with the ping time over to there. Let's see. Yeah, happy enough.
7:28 Well, that's it. We saw that we could use this simple 85-line setup script and these two config files
7:36 obviously adapted for what you're trying to deploy to set up our server, to run our code our Python code, with Nginx talking to uWSGI
7:46 running our code exactly like we want it over there. Now we can do whatever we want. We have this whole server, anything we need
7:52 or we want to configure it to do. Well, a few more lines in this file right here, isn't it?

