Python for the .NET developer Transcripts
Chapter: Deploying Python web apps
Lecture: Adding SSL with Let's Encrypt
0:00 This is really nice, but I would like it
0:02 to work on a different domain.
0:04 Now let's see, maybe, I did try to
0:07 when we first set this up, register guitary over...
0:10 And it's still not working.
0:13 Going to take a little bit longer for that to resolve.
0:16 When it does, we're going to be able to set up, over here.
0:20 We're going to be able to use Let's Encrypt
0:22 to install this now.
0:24 We do a few steps now
0:26 and then we have to just pause in the background and wait.
0:29 So let's go over here. We can add another app repository.
0:33 So when we want to install something
0:34 it'll come from here. Do you want to do this?
0:37 Yes, let's do this. I think it already did it
0:43 but we can just do an app update
0:45 just to be safe, just to be sure.
0:48 What's here? What can we do? Upgrade.
0:52 Ah, some other stuff that got installed
0:54 along the way didn't get updated.
0:56 Let's go ahead and do that.
0:57 Now we can install Python Certbot.
0:59 So this is the certificate bot for Let's Encrypt
1:04 which will give us free semi-auto renewing
1:07 auto renewing via a single-line command
1:09 certificate for SSL
1:11 and it's going to set it up so it manages
1:13 Nginx and not Apache or whatever.
1:16 So there's a whole bunch of stuff
1:17 that's going to get installed.
1:18 We'll let it do it.
1:23 All right, that looked like it worked.
1:26 Now I might've cached this on my machine.
1:27 Let's see what the server thinks.
1:29 Nope, server also doesn't know.
1:31 So I need to wait just a little bit longer
1:33 for this to resolve, and then
1:35 we'll be able to set up our certificate.
1:37 The reason is
1:39 we're going to just run this one command
1:40 and it's going to add SSL to our server
1:43 and we won't have to do anything.
1:44 It's beautiful. But in order for it to work
1:47 it verifies the server making the request
1:49 actually is the server that is the domain, all right?
1:52 The domain has an IP address mapping back
1:54 to the server that's trying to set up the certificate.
1:57 If it's not the case, it's going to fail
1:59 and say either, I don't know where this domain is,
2:01 or, You know what? You don't own Google.com
2:03 so you don't get to to set it up.
2:05 All right? Play with, like, a safeguard
2:07 and make sure they at least may have some sort of
2:10 or some reason to own that certificate, alright
2:12 in lieu of buying it and verifying it and so on.
2:15 Now I'm going to pause the video
2:16 and come back when that resolves.
2:19 Alright, I think this is going to work.
2:22 It depends on whether the domain name definitions
2:25 have made it far enough over to the Certbot world.
2:27 But let's go ahead and give it a try
2:29 and see what we got.
2:30 All we have to do is say we're going to run Certbot
2:33 against our Nginx configuration.
2:36 The Nginx config that supports
2:39 that URL or that domain name right there.
2:43 That's what we set up here. Like that.
2:47 And if the DNS settings have made it far enough
2:50 they should work. Let's give it a try.
2:53 First of all, it says
2:55 You have to enter your email address.
2:57 And I'm going to put email@example.com.
3:02 Do we agree to the terms of service?
3:04 Yes, yes, we do.
3:07 Will I be willing to share that?
3:08 No, I have already shared
3:09 my real email address with EFF.
3:11 I don't need more copies of their newsletter.
3:13 Thank you. Look at that.
3:18 It went and it verified guitary.talkpython.com.
3:22 It set up the certificate
3:23 and it has one final question for us
3:25 and this one's kind of important.
3:27 If someone goes to HTTPS://guitary.talkpython.com
3:34 it's already going to serve them SSL traffic
3:36 HTTPS traffic.
3:38 However, if they just type in the domain
3:40 guitary.talkpython.com without the HTTPS
3:43 it's going to try HTTP.
3:45 This question says, Would you like
3:47 to automatically upgrade that request
3:49 over to HTTPS?
3:51 I think the answer is almost always yes too?
3:55 But maybe you don't think about your situation.
3:57 I've never not wanted that to happen.
3:58 That seems really weird.
4:00 Obviously if they just type the domain name
4:02 you want it to go to SSL.
4:04 And it says, Boom! Congratulations!
4:06 You're certified. This is going to expire in 90 days
4:10 so you have to basically run something
4:12 which is certbot renew
4:16 and it'll actually go and look
4:18 and see if anything's due.
4:20 It said, No, no, no, this one.
4:21 This one here is not.
4:25 So everything's good.
4:26 But you need to make sure you run that once
4:28 near the end of 90 days.
4:30 You know, the last 30 days or so.
4:32 All right, let's see how this works.
4:34 Let's see if we can get there.
4:37 We can say HTTP against that
4:41 and let's see what happens.
4:43 Sad, the local machine has cached
4:45 or has not yet received the definition.
4:48 We have to wait a little bit longer to test this.
4:50 I'll pause once again for the DNS settings
4:53 to make it over to digitalization
4:55 over to the server.
4:56 But when they do, we'll be all up and running.
4:59 All right, well, actually, it just took
5:00 a couple more minutes for that to resolve.
5:02 And we're all good. So now let's try this...
5:07 A request to just HTTP guitary.
5:09 Let's see what we get.
5:11 We get a 301 moved permanently.
5:14 Where did it move to? Location, HTTPS.
5:19 Alright, so we try again.
5:20 HTTPS, port 443 hitting Nginx.
5:24 What's going to happen? Magic.
5:27 Magic happens. All right, let's go over here.
5:29 Here we have our IP address.
5:31 I don't know if this will auto-redirect
5:32 or if it will 404. Let's see.
5:34 Yeah, doesn't find, didn't love it.
5:36 But if we just go to guitary.talkpython.com
5:39 it's going to hit that 301 redirect
5:41 and then it'll got to HTTPS.
5:43 Bam, just like that, we're online!
5:46 Official, we are official.
5:47 We have our certificate
5:49 and we have our certificate verified
5:50 or provided by Let's Encrypt.
5:52 And now we can just click around a little bit more.
5:55 Before we do though, let's have a tiny bit of fun.
5:57 Turn on our tail. There we go.
6:00 And maybe make a little room like this
6:04 a little responsive stuff.
6:05 Let's go over here, check out the guitars.
6:07 You can see it flipping through
6:08 our electric guitars, our acoustic guitars
6:10 all of the guitars.
6:12 You can see we're doing all those requests.
6:15 First time we hit this, it was a little bit slow.
6:17 But if we just click this a bunch of times...
6:21 Notice one and zero milliseconds.
6:23 Can't ask for much more than that.
6:25 This is really, really cool.
6:26 So here we have officially deployed our website
6:30 to a real domain using HTTPS
6:32 running over on the server.
6:34 And last thing, just to make sure
6:36 you want quick other tests.
6:38 Just restart this thing to absolutely verify.
6:40 Yes, everything autostarts, right?
6:44 It wasn't just a fluke that we started that service
6:46 and oh, we forgot to enable it
6:47 or Nginx doesn't autostart or something like that.
6:51 Try again. Takes a second. Here we go. Back.
6:57 All right, try one more time.
6:58 Does it still work? You bet it still works.
7:01 Because it's awesome! Okay, so cool!
7:03 So here we have our app up and running
7:05 and yeah, everything is working really well.
7:09 Guess what we could check really quick if we want?
7:15 Response times over here.
7:17 We're getting 36 milliseconds, 39 38, 29.
7:21 Yeah, that's pretty good with the ping time
7:23 over to there. Let's see. Yeah, happy enough.
7:27 Well, that's it. We saw that we could use this
7:30 simple 85-line setup script
7:32 and these two config files
7:35 obviously adapted for what you're trying to deploy
7:38 to set up our server, to run our code
7:40 our Python code, with Nginx talking to uWSGI
7:45 running our code exactly like we want it over there.
7:47 Now we can do whatever we want.
7:48 We have this whole server, anything we need
7:51 or we want to configure it to do.
7:53 Well, a few more lines in this file right here, isn't it?