After 1/ installing Tryton, 2/ fixing a domain via nginx, 3/ doing a certificate for this domain using certbot, everything was OK, but when I pasted the path of the private key and certificate, there was an error that said:
Traceback (most recent call last):
File "/home/user/.virtualenvs/project/bin/trytond", line 83, in <module>
**ssl_args)
File "/home/user/.virtualenvs/project/lib/python3.7/site-packages/werkzeug/serving.py", line 1052, in run_simple
inner()
File "/home/user/.virtualenvs/project/lib/python3.7/site-packages/werkzeug/serving.py", line 1005, in inner
fd=fd,
File "/home/user/.virtualenvs/project/lib/python3.7/site-packages/werkzeug/serving.py", line 848, in make_server
host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
File "/home/user/.virtualenvs/project/lib/python3.7/site-packages/werkzeug/serving.py", line 766, in __init__
self.socket = ssl_context.wrap_socket(sock, server_side=True)
File "/home/user/.virtualenvs/project/lib/python3.7/site-packages/werkzeug/serving.py", line 661, in wrap_socket
**kwargs
File "/user/lib/python3.7/ssl.py", line 1216, in wrap_socket
context.load_cert_chain(certfile, keyfile)
PermissionError: [Errno 13] Permission denied
I am stuck on it. Thanks in advance.
How can I resolve that?
Have you checked to ensure that the user running trytond is able to read the private key and certificate?
Are you using nginx on the same machine, and as a reverse proxy in front of trytond? If so you may be able to let nginx handle the SSL termination, and then you wouldn’t need to configure SSL in trytond. If you do this, then just make sure trytond is only listening on localhost, so you always have to connect via nginx.
If you mean whether I have checked that the config file (under sites-available) contains the path of the SSL files or not:
Yes, I have checked it after generating the certificate via certbot (using the command sudo snap run certbot).
I have found these lines in the config file of my domain:
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tryton.codingx.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tryton.codingx.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server {
if ($host = www.tryton.codingx.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = tryton.codingx.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name tryton.codingx.de www.tryton.codingx.de;
listen 80;
return 404; # managed by Certbot
}
Here I also didn’t get you clearly, so let me tell you the steps that I have done.
After installing nginx,
I have typed these commands: 1/ copy my virtual environment under the directory (/var/www) via the 2 commands
2/ copy the virtual
cd /var/www/mysubdomain
cp -R /home/user/.virtualenvs /var/www/mysubdomain
2/ activate the virtual environment via the command source ./activate 3/ make a symlink:
4/ restart nginx 5/ install certbot via sudo snap install --classic certbot 6/ generate the certificate for the subdomain using the command:
sudo snap run certbot
Here some lines of code go into the config file of the subdomain (which exists under sites_available):
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tryton.codingx.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tryton.codingx.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server {
if ($host = www.tryton.codingx.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = tryton.codingx.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name tryton.codingx.de www.tryton.codingx.de;
listen 80;
return 404; # managed by Certbot
}
------
7/ The last step was to put the path of the private key and the certificate path in trytond.conf.
Can you please explain more how I can do that? Otherwise you can see the steps that I have mentioned now and you can advise me based on that. Thanks again.
First a small comment: The internal werkzeug server of Tryton is only for development purposes. So when you go to production it is recommended to use a wsgi server like uwsgi to run Tryton.
What @dave meant is that when you have NginX and Tryton on the same server (hardware) you don’t necessarily need an SSL connection between NginX and Tryton. You configure Tryton in such a way that it can only be reached through NginX (just listen on localhost). So users have to connect to NginX first and NginX will transfer the request to Tryton. This is the same behavior as with PHP for example.
So the first thing I would do is make NginX work with SSL in a ‘static’ way. For example place an index.html somewhere in your webroot and see if you can reach it with https. If that’s working you can set up a connection with Tryton using the uwsgi_pass to send requests from NginX to Tryton.
Coming back to your first question. It seems that the Tryton user doesn’t have the right permissions to access the files. You can check that by logging in as the Tryton user and trying to reach the files. If the Tryton user is a system account without password, use the sudo su - <username> command.
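The layout this answer recommends (NginX terminates SSL with the certbot files, Tryton listens on localhost only and never touches the private key), written out as an added example; this is not code from the thread or from the Tryton project. It assumes trytond's `[web]` section with its `listen` key, the default upstream port 8000, and the `/etc/letsencrypt/live/<domain>/` paths shown in the thread. The nginx site uses a plain `proxy_pass`; if Tryton is run under uWSGI as suggested above, the `location` body would use `uwsgi_pass` instead. The generated site replaces the certbot-rewritten one, so it should be checked with `nginx -t` before reloading.

```sh
#!/bin/sh
# Added example, not code from the Tryton project or from this thread.
# Writes two config fragments: an nginx site that terminates TLS with the
# certbot-managed files, and a trytond.conf [web] section bound to loopback.
# Assumptions: trytond's [web] "listen" key, port 8000, certbot's live/ paths.

write_proxy_configs() {
    outdir=$1            # directory to write the two generated files into
    domain=$2            # e.g. tryton.codingx.de (the domain from the thread)
    port=${3:-8000}      # trytond HTTP port, reachable only on 127.0.0.1

    # nginx site: HTTP redirects to HTTPS, HTTPS is proxied to trytond.
    # $host etc. are nginx variables, hence the backslashes in the heredoc.
    cat > "$outdir/$domain.conf" <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain;

    # certbot-managed files; nginx loads them at startup, so the
    # application service account never needs read access to them
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF

    # trytond.conf fragment: loopback only and no [ssl] section, so trytond
    # cannot be reached from outside and does not open any key file itself.
    cat > "$outdir/trytond.conf" <<EOF
[web]
listen = 127.0.0.1:$port
EOF
}

# usage: sh this_script.sh ./out tryton.codingx.de 8000
if [ $# -ge 2 ]; then
    write_proxy_configs "$1" "$2" "${3:-8000}"
fi
```

With this split the `PermissionError` from the question cannot occur, because the only process that opens `privkey.pem` is nginx, and trytond's `listen` on `127.0.0.1` means the service is not exposed on the public interface even if the firewall is permissive.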
Hi,
if I type sudo su - tryton
the response was: su: user tryton does not exist
So should I create a tryton user here and try to reach the path of the SSL files through it?!
Edited: when I typed, from my own virtual environment (where Tryton exists), a command to reach the path of the SSL certificate:
by the command: cd /etc/letsencrypt/live/tryton.codingx.de/privkey.pem
the response was -bash: cd: /etc/letsencrypt/live/tryton.codingx.de/privkey.pem: Permission denied
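Dave's question earlier in the thread (can the user running trytond read the key and certificate?) and the `cd ... Permission denied` result just above are the same check. The added example below is not code from the thread or from Tryton: it walks an absolute path and reports the first component the current user cannot get past, separating a directory without search permission from a file that is not readable. Certbot keeps `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` readable by root only, which is why the failure shows up at the directory rather than at `privkey.pem`. The `<service-user>` in the usage comment is a placeholder for whatever account starts trytond.

```sh
#!/bin/sh
# Added example, not code from this thread. Reports the first path component
# the current user cannot pass: a directory on the way needs the search (x)
# bit, the final file needs the read (r) bit. Run it as the account that
# will start trytond to reproduce the PermissionError from the question.

check_path_access() {
    target=$1
    case $target in
        /*) ;;
        *) echo "need an absolute path: $target" >&2; return 2 ;;
    esac

    current=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        # peel off the next path component
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -z "$comp" ] && continue
        current="$current/$comp"

        if [ ! -e "$current" ]; then
            echo "missing: $current"
            return 1
        fi
        # every directory on the way must grant us search permission
        if [ -d "$current" ] && [ ! -x "$current" ]; then
            echo "no search permission on directory: $current"
            return 1
        fi
    done

    if [ ! -r "$target" ]; then
        echo "not readable: $target"
        return 1
    fi
    echo "readable: $target"
    return 0
}

# usage, run as the account that starts trytond (placeholder name):
#   sudo -u <service-user> sh this_script.sh /etc/letsencrypt/live/tryton.codingx.de/privkey.pem
if [ $# -gt 0 ]; then
    check_path_access "$1"
fi
```

Because a system account like the one suggested above usually has no shell password, `sudo -u <service-user> sh this_script.sh <path>` is the simplest way to run the check as that user. If the report names a directory under `/etc/letsencrypt`, the fix is not to loosen those directories but to keep trytond away from the key entirely by letting nginx terminate TLS, as the replies above recommend.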