Ubuntu 20.04 mailman3 3.2.2-1 mailman3-web 0+20180916-10 python3-django 2:2.2.9-2ubuntu1
In /etc/mailman3/uwsgi.ini
(example.org is defined in the local /etc/hosts as 10.0.0.1):
[uwsgi]
# Port on which uwsgi will be listening.
### suwsgi: uwsgi protocol over TLS
uwsgi-socket = example.org:8430
# https://uwsgi-docs.readthedocs.io/en/latest/HTTPS.html?highlight=ssl
https = /etc/ssl/example.org.crt,/etc/ssl/example.org_rsakey.pem.decrypted,HIGH
...
# Drop privileges and don't run as root.
uid = www-data
gid = www-data
...
I suppose that uwsgi reads the certificate & its private key before dropping root privileges. Right now, uwsgi cannot access them as www-data.
In /etc/mailman3/mailman-web.py
(symlinked to Django settings.py):
...
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
# Other security settings
# SECURE_SSL_REDIRECT = True
# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
# contains at least this line:
# SECURE_REDIRECT_EXEMPT = [
# "archives/api/mailman/.*", # Request from Mailman.
# ]
# SESSION_COOKIE_SECURE = True
# SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER = True
# CSRF_COOKIE_SECURE = True
# CSRF_COOKIE_HTTPONLY = True
# X_FRAME_OPTIONS = 'DENY'
...
POSTORIUS_TEMPLATE_BASE_URL = 'https://example.org:8430'
In /etc/nginx/sites-enabled/example.org.conf
...
location /
{
include /etc/nginx/uwsgi_params;
# upstream app server
uwsgi_pass suwsgi://example.org:8430;
}
uwsgi is listening on the right address/port:
# networks-list-connections.sh | grep :8430
tcp 0 0 10.0.0.1:8430 0.0.0.0:* LISTEN 33 54336045 1768187/uwsgi
Despite those settings and all the relevant systemd services restarted, I get 502 Bad Gateway
while browsing to https://example.org/postorius/lists/?all-lists
(or any other page) with the following nginx error message:
*1 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 10.0.0.1, server: example.org, request: "GET /postorius/lists/?all-lists HTTP/2.0", upstream: "suwsgi://10.0.0.1:8430", host: "example.org", referrer: "https://example.org/postorius/lists/"
Of course, without those specific https/suwsgi settings, everything works fine. What am I missing/doing incorrectly? Does uwsgi need access to the certificate/private key while running as non-root for instance?
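Added example (my own, not code from the original post, from Mailman or from uWSGI): a small checker that reads a uWSGI ini and flags the two things a 502 with "peer closed connection in SSL handshake" makes me look at first, the layout of the TLS options and whether the certificate and key files are readable by the uid uWSGI drops to. Function names such as check_uwsgi_tls() are hypothetical. Two assumptions, taken from the uWSGI option list as I know it and worth confirming against `uwsgi --help` on your build: `https` takes "<addr>,<cert>,<key>[,ciphers[,clientca]]" and serves HTTP over TLS, while the uwsgi protocol over TLS that nginx's suwsgi:// scheme expects is bound with `ssl-socket` (alias `suwsgi-socket`, assumed to take the same field layout). The readability check uses mode bits only, so it cannot settle whether uWSGI opens the key before or after the privilege drop; it only tells you whether the files would be readable at all as that user. The demo() inputs (dummy cert/key files in a temporary directory and three short inis) are constructed.

```python
import configparser
import grp
import os
import pwd
import stat
import tempfile

# Options whose value starts "<addr>,<cert>,<key>" (assumption, see lead-in).
TLS_KEYS = ("https", "ssl-socket", "suwsgi-socket")


def parse_uwsgi_ini(text):
    """Parse a uWSGI-style ini; a repeated key keeps its last value."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return dict(cp["uwsgi"])


def resolve_user(value):
    """Map the ini's `uid` (name or number) to (uid, set of gids)."""
    if value.isdigit():
        try:
            pw = pwd.getpwuid(int(value))
        except KeyError:
            return int(value), set()      # numeric uid with no passwd entry
    else:
        pw = pwd.getpwnam(value)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
    return pw.pw_uid, gids


def readable_by(path, uid, gids):
    """Would a process running as `uid` be able to read `path`?
    Mode bits only: ACLs are ignored, so an ACL-protected file may be
    reported unreadable when it is not."""
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_uwsgi_tls(ini_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    opts = parse_uwsgi_ini(ini_text)
    findings = []
    uid, gids = resolve_user(opts.get("uid", "0"))
    for key in TLS_KEYS:
        value = opts.get(key)
        if value is None:
            continue
        fields = [f.strip() for f in value.split(",")]
        # "cert,key,HIGH" has no address: the second and third fields must
        # both be files, so a cipher string in the third slot is flagged.
        if len(fields) < 3 or not all(os.path.isfile(f) for f in fields[1:3]):
            findings.append("%s: expected <addr>,<cert>,<key>[,ciphers]; got %r" % (key, value))
            continue
        for path in fields[1:3]:
            if not readable_by(path, uid, gids):
                findings.append("%s: %s is not readable by uid %d" % (key, path, uid))
    if "https" in opts and not any(k in opts for k in TLS_KEYS[1:]):
        findings.append("https serves HTTP over TLS; an nginx suwsgi:// upstream "
                        "needs ssl-socket/suwsgi-socket")
    return findings


def demo():
    """Constructed inputs: placeholder cert/key files plus three inis.
    Returns the findings for (posted-style, ssl-socket, other-uid) inis."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "site.crt"), os.path.join(d, "site.key")
    for p in (cert, key):
        with open(p, "w") as fh:
            fh.write("-- constructed placeholder, not a real PEM --\n")
    os.chmod(cert, 0o644)
    os.chmod(key, 0o600)                  # private key readable by owner only
    me = os.getuid()
    other_uid = 65534 if me != 65534 else 65533   # some uid that is not ours
    posted = "[uwsgi]\nuwsgi-socket = example.org:8430\nhttps = %s,%s,HIGH\nuid = %d\n" % (cert, key, me)
    fixed = "[uwsgi]\nssl-socket = example.org:8430,%s,%s,HIGH\nuid = %d\n" % (cert, key, me)
    other = "[uwsgi]\nhttps = 0.0.0.0:8443,%s,%s,HIGH\nuid = %d\n" % (cert, key, other_uid)
    return check_uwsgi_tls(posted), check_uwsgi_tls(fixed), check_uwsgi_tls(other)


if __name__ == "__main__":
    for label, findings in zip(("posted", "ssl-socket", "other-uid"), demo()):
        print(label, "->", findings or "no findings")
```

Run it against the real file with `check_uwsgi_tls(open("/etc/mailman3/uwsgi.ini").read())`; the check is read-only and can be run as root before restarting the service, since it resolves the configured uid itself rather than relying on who runs the script.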