New feature: self-installation of SSL certificates!


This blog post is out-of-date – we can now manage all of your Let’s Encrypt certificates automatically, and have a UI to upload custom certificates. See this help page for details.

Our system update last week added an API to let you install HTTPS certificates yourself instead of having to email us. We’ve been beta-testing it over the last seven days, and it’s now ready to go live :-)

You can either use it by accessing the API directly from your code, or by using our helper scripts (which you can pip install).

This is the first step towards a much improved system for HTTPS – watch this space for more information.

What this is all about

We supply an HTTPS certificate for all websites that are subdomains of pythonanywhere.com – so your website at yourusername.pythonanywhere.com handles HTTPS by default. But if you create a website with a custom domain, you need to get a certificate. This is because only the owner of a domain can create a certificate for it, to stop people from (say) creating certs for www.google.com.

Luckily, it’s easy enough to create a certificate for your site, either by using the excellent Let’s Encrypt (for which we have detailed instructions here) or from one of the many commercial providers.

But once you’ve created your certificate, you need to get it installed. In the past, the way we asked you to do that was to store the certificate and the private key somewhere in your PythonAnywhere file storage, then email us. The system worked well, but it did have one problem – you needed to wait for us to install the certificate, which meant that in the worst case you could wait for up to 24 hours for it to be installed – maybe not a huge issue when you’re just getting started, but a big deal if you accidentally let the certificate expire and need a renewed one installed ASAP.

How to use it: the simple way

The easiest way to install your certificate is to use the PythonAnywhere helper scripts. The first step to do that is to make sure you have an API token set up for your account; go to the “Account” page and then click the “API token” tab. If you see this:

…then you’re all set. If, however, you see this:

…then you need to click the button to generate a key.

Once you’ve done that, start a new Bash console, and run this to install the PythonAnywhere helper scripts:

pip3.6 install --user --upgrade pythonanywhere

(If you’re on our “classic” image and don’t have Python 3.6 available, you can use pip3.5 instead.)

Now you can run the script to install the certificate. If you’ve used our instructions for Let’s Encrypt then the certificate and the key are in a well-known place, so you can just do this:

pa_install_webapp_letsencrypt_ssl.py www.yourdomain.com

If you’ve got a certificate from a different provider, you can specify the combined certificate and the key location by using a different command:

pa_install_webapp_ssl.py www.yourdomain.com /home/yourusername/something/combined-cert.pem /home/yourusername/something/private-key.pem

…adjusting the paths to point to the appropriate files.

If all goes well, you’ll see output like this:

< Setting up SSL for www.yourdomain.com via API >
   \
    ~<:>>>>>>>>>
< Reloading www.yourdomain.com via API >
   \
    ~<:>>>>>>>>>
  _________________________________________________________________
/                                                                   \
| That's all set up now :-) Your new certificate will expire         |
| on 12 November 2018, so shortly before then you should             |
| renew it (see https://help.pythonanywhere.com/pages/LetsEncrypt/)  |
| and install the new certificate.                                   |
\                                                                   /
  -----------------------------------------------------------------
   \
    ~<:>>>>>>>>>

If you’re not using Let’s Encrypt, it will look slightly different, of course. If you get an error and can’t work out what to do, please do email us at support@pythonanywhere.com.

There’s one important thing to notice there – the renewal date. You’ll still need to renew the certificate and install a new one when it expires.

How to use it: scripting your own stuff

If you’re an API kind of person, you can use the new ssl endpoint under the webapps URL to directly set your SSL certificate and private key with a POST request; you can also get SSL information (when the cert will expire, who issued it, and so on) by using the GET method. More information in the API documentation.
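As an added example (not code from this post or from the PythonAnywhere helper scripts), the following Python builds the GET and POST requests for the ssl endpoint and turns the GET response into a renewal check. The URL layout, the "cert", "private_key" and "not_after" field names, the timestamp format and the API_TOKEN environment variable are assumptions to confirm against the API documentation; the function names are hypothetical.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

# Assumed, not taken from the post: the URL layout, the "cert"/"private_key" field
# names, the "not_after" key and its timestamp format. Check the API documentation.
API_BASE = "https://www.pythonanywhere.com/api/v0/user/{user}/webapps/{domain}/ssl/"
NOT_AFTER_FORMAT = "%Y%m%dT%H%M%SZ"


def build_ssl_request(user, domain, token, cert_pem=None, key_pem=None):
    """Return an unsent GET request (no cert given) or POST request (cert and key given)."""
    if (cert_pem is None) != (key_pem is None):
        raise ValueError("supply both the certificate and the private key, or neither")
    headers = {"Authorization": f"Token {token}"}
    data = None
    if cert_pem is not None:
        if "PRIVATE KEY" in cert_pem or "PRIVATE KEY" not in key_pem:
            raise ValueError("certificate and key arguments look swapped")
        data = json.dumps({"cert": cert_pem, "private_key": key_pem}).encode()
        headers["Content-Type"] = "application/json"
    url = API_BASE.format(user=user, domain=domain)
    return urllib.request.Request(url, data=data, headers=headers,
                                  method="POST" if data else "GET")


def days_until_expiry(ssl_info, now=None):
    """Whole days left before the certificate described by a GET response expires."""
    expires = datetime.strptime(ssl_info["not_after"], NOT_AFTER_FORMAT)
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def needs_renewal(ssl_info, threshold_days=30, now=None):
    """True once the certificate is inside the renewal window (or already expired)."""
    return days_until_expiry(ssl_info, now) <= threshold_days


if __name__ == "__main__":
    # Token comes from the environment so it never lands in the script or shell history.
    req = build_ssl_request("yourusername", "www.yourdomain.com", os.environ["API_TOKEN"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        info = json.load(resp)
    print(info, "renew now" if needs_renewal(info) else "ok")
```

Run from a scheduled task, the renewal check gives advance notice of the expiry date instead of relying on someone remembering it.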

What’s next?

An API and some command line scripts for this stuff are all very well, but we’re far from done with improving the way SSL certs work on PythonAnywhere. Our long-term goal is to make this even easier – watch this space for more information.

Any questions?

Hopefully all of that is pretty clear! But if you have any questions, please do let us know.
