Let’s Encrypt with Gunicorn

  1. Install certbot¹
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot

When the PPA is added, apt prints a notice describing the repository and asks for confirmation before proceeding. Follow the link in that notice to check that the PPA publishes packages for your Ubuntu release. (The certbot PPA has since been deprecated in favour of the snap package; the steps below are the same however certbot is installed.)

  2. Obtain the certificate with the DNS-01 challenge in manual mode. Gunicorn does not serve files from a webroot, so the default HTTP-01 challenge, which needs certbot's token file to be served at `/.well-known/acme-challenge/` on port 80, has nothing to serve it. DNS-01 proves control of the domain through a TXT record instead, so no webroot has to be configured. Run:²
sudo certbot certonly --manual -d <domain name> --preferred-challenges dns
Certificates issued with `--manual` are not renewed by `certbot renew` unless a `--manual-auth-hook` script that publishes the TXT record is supplied; without one, repeat this step before the 90-day expiry.
  3. Set up the TXT record for the challenge. Certbot prints a token and the record name, `_acme-challenge.<domain name>`, and waits before asking the CA to validate. Create that TXT record at your DNS provider, then confirm it is publicly visible before continuing³. Query an external resolver or the zone's authoritative server rather than a local cache, since a cached negative answer will make the validation fail even though the record exists.
dig -t txt _acme-challenge.<domain name>
  4. Point gunicorn at the files certbot wrote under `/etc/letsencrypt/live/<domain name>/`⁴. Use `fullchain.pem` (leaf plus intermediate) as the certificate: `cert.pem` holds the leaf alone, and a server that presents only the leaf fails validation on clients that do not fetch the intermediate themselves. `--ca-certs` (the command-line spelling of the `ca_certs` setting) configures the CAs used to verify client certificates and is not needed here.
--keyfile "/etc/letsencrypt/live/<domain name>/privkey.pem" --certfile "/etc/letsencrypt/live/<domain name>/fullchain.pem"
The files in `live/` are symlinks to the latest issuance in `archive/`. If the user gunicorn runs as cannot read them, grant read access or copy them from a certbot `--deploy-hook` rather than once by hand, otherwise gunicorn keeps serving the old certificate after a renewal. Restart gunicorn after each renewal so that the new files are loaded.
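
The four steps above as one script. This is an added example, not code from the original post or from the certbot or Gunicorn projects; the app module `app:app`, the listen address `0.0.0.0:443`, the use of the public resolver `8.8.8.8` for the propagation check and the `RUN_SETUP` guard are assumptions. The functions that do not touch the network (record name, TXT matching, chain check, gunicorn arguments) can be exercised on their own.

```shell
#!/bin/sh
# Added example (not from the original post): certbot DNS-01 in manual mode,
# a propagation check, a chain sanity check, then gunicorn with fullchain.pem.
# Assumptions: app module "app:app", listen address 0.0.0.0:443, resolver 8.8.8.8.
set -eu

# DNS-01 places its validation record at _acme-challenge.<domain>.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Does a "dig +short -t txt" answer (one quoted string per line) contain the
# token certbot displayed? The answer is a parameter so it can be checked offline.
txt_has_token() {
    token=$1
    answer=$2
    printf '%s\n' "$answer" | tr -d '"' | grep -qxF -- "$token"
}

# Poll a public resolver until the TXT record is visible. Run this in a second
# terminal while certbot waits for Enter; continuing too early fails the
# challenge and the failure counts against Let's Encrypt's rate limits.
wait_for_txt() {
    domain=$1
    token=$2
    tries=${3:-30}
    name=$(acme_txt_name "$domain")
    i=0
    while [ "$i" -lt "$tries" ]; do
        if txt_has_token "$token" "$(dig +short -t txt "$name" @8.8.8.8)"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    return 1
}

# Number of PEM certificates on stdin. fullchain.pem must hold at least two
# (leaf plus intermediate); cert.pem holds only the leaf.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# TLS arguments for gunicorn: fullchain.pem rather than cert.pem so that
# clients receive the intermediate certificate in the handshake.
gunicorn_tls_args() {
    live=$1
    printf '%s\n' "--certfile $live/fullchain.pem --keyfile $live/privkey.pem"
}

main() {
    domain=${1:?usage: RUN_SETUP=1 $0 <domain name>}
    live=/etc/letsencrypt/live/$domain
    # Interactive: certbot prints the token and waits. Create the TXT record,
    # confirm it with wait_for_txt in another shell, then press Enter.
    sudo certbot certonly --manual --preferred-challenges dns -d "$domain"
    if [ "$(sudo cat "$live/fullchain.pem" | count_certs)" -lt 2 ]; then
        echo "fullchain.pem does not contain an intermediate certificate" >&2
        exit 1
    fi
    # Binding port 443 and reading privkey.pem both need root here; a real
    # deployment drops privileges with --user/--group or sits behind a proxy.
    # shellcheck disable=SC2046
    sudo gunicorn --bind 0.0.0.0:443 $(gunicorn_tls_args "$live") app:app
}

# Guarded so that sourcing the file for its functions starts nothing.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `RUN_SETUP=1 sh setup.sh <domain name>`, or source it and call `wait_for_txt <domain name> <token>` from a second terminal while certbot is waiting. The chain check catches the case where `cert.pem` was passed by mistake, which a browser on the same machine may not reveal because browsers often fetch the missing intermediate themselves.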

  1. [[Running Your Flask Application Over HTTPS - miguelgrinberg.com]] ↩︎

  2. [[User Guide — Certbot 0.40.0.dev0 documentation]] ↩︎

  3. [[Linux command to inspect TXT records of a domain - Server Fault]] ↩︎

  4. [[ssl - Setup Gunicorn with let’s encrypt cert - Stack Overflow]] ↩︎