use_https not being honored?
Using Mailman core 3.3.5, and Mailman API 3.1, I have use_https: yes set in my mailman.cfg so that I can use https for calls to the API, however even in mailman.log, it still says it is using http:
[2022-06-01 09:35:54 -0500] [959009] [INFO] Starting gunicorn 20.1.0 [2022-06-01 09:35:54 -0500] [959009] [INFO] Listening at: http://hostname:8001 (959009)
GET and POST requests work fine if I use http, but fail when trying to use https. I have a certificate being used by our Mailman installation, so is there some additional config not mentioned in the docs to enable use of the API over https? I've only recently started using Mailman so if there are additional logs or system information I need to help with this?
sean.p.kiernan--- via Mailman-users writes:
Using Mailman core 3.3.5, and Mailman API 3.1, I have use_https: yes set in my mailman.cfg so that I can use https for calls to the API,
Despite the name, that's not what use_https does. It means to use "https" when formatting its URL, and AFAICS that's all it does. In particular it does not configure gunicorn (which provides the REST server) to use HTTPS as far as I can tell.
however even in mailman.log, it still says it is using http:
[2022-06-01 09:35:54 -0500] [959009] [INFO] Starting gunicorn 20.1.0 [2022-06-01 09:35:54 -0500] [959009] [INFO] Listening at: http://hostname:8001 (959009)
GET and POST requests work fine if I use http, but fail when trying to use https.
You need to set some or all of the settings here where gunicorn can find them.
https://docs.gunicorn.org/en/stable/settings.html#ssl
I believe this can be done either in the gunicorn.cfg file or in the [webservice] section of mailman.cfg. This is separate configuration information from any configuration of server credentials you provide for Postorius or HyperKitty.
I've only recently started using Mailman so if there are additional logs or system information I need to help with this?
I'm pretty sure what I wrote above diagnoses the issue correctly, but for the future "didn't work" doesn't tell us enough. You should always provide the exact error message, exactly as presented. If you get a traceback of function calls, you should provide that whole thing as well. You may redact "sensitive" information (which includes personal names, usernames, passwords, and the like, but for some folks also things like IP addresses and domain names). However, try to ensure that there's a one-to-one relation between redacted items and the substitutes.
Steve
participants (2)
-
sean.p.kiernan@nasa.gov
-
Stephen J. Turnbull