
I have a payment gateway in my web-app that requires an SSL certificate to work properly.

The web-app is a Django web-app hosted at PythonAnywhere. I used their auto-renewing Let's Encrypt certificate to add an SSL certificate and make the website load as an HTTPS website.

The website now loads as an HTTPS website, but when exiting the payment gateway I still get a privacy error as follows:

Your connection is not private
Attackers might be trying to steal your information from <my domain> (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

I am not sure what I am doing wrong.

[EDIT-1]

  1. I am using a custom domain that I bought from GoDaddy.
  2. I followed this link to set up the SSL certificate.
  3. I have also enabled forcing HTTPS in PythonAnywhere.
  4. I changed the callback URL in my views from http://<my_domain>.org/payment/status/ to https://<my_domain>.org/payment/status/.
  5. The callback URL page does not contain any http links, just a CSS file as follows: <link rel="stylesheet" href="{% static 'css/paymentstatus.css' %}">

Please note that when I visit the website, it shows as HTTPS. It is only when the callback URL is called that it returns the privacy error.

I did not face this error when I tried it on my local system with ngrok. This error occurs only with PythonAnywhere.

[EDIT-2]

nslookup mydomain.org

▶ nslookup mydomain.org
Server:     2405:201:e011:3804::c0a8:1d01
Address:    2405:201:e011:3804::c0a8:1d01#53

Non-authoritative answer:
Name:   mydomain.org
Address: IP_ADDRESS

dig mydomain.org

▶ dig mydomain.org
; <<>> DiG 9.10.6 <<>> mydomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8056
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.org.      IN  A

;; ANSWER SECTION:
mydomain.org.   225 IN  A   IP_ADDRESS

;; Query time: 2 msec
;; SERVER: 2405:201:e011:3804::c0a8:1d01#53(2405:201:e011:3804::c0a8:1d01)
;; WHEN: Fri Jan 15 14:18:23 IST 2021
;; MSG SIZE  rcvd: 51

[EDIT-3]

I changed the URL from https://<my_domain>.org/ to https://www.<my_domain>.org/. This leads to a 404 error. I have added my views.py and urls.py below.

views.py

from django.http import HttpResponseNotAllowed
from django.shortcuts import render
from django.views.decorators.csrf import csrf_exempt

# DonateForm, OrdID, CustID, Checksum, MERCHANTID and MERCHANTKEY come from the
# project's own modules (the form, order/customer id generators, Paytm's checksum
# helper and the merchant credentials) and are imported there.


def donate(request):
    if request.method == "POST":
        form = DonateForm(request.POST)

        name = request.POST.get('firstName')
        phone = request.POST.get('phone')
        email = request.POST.get('email')
        # the amount is posted as a whole number; Paytm expects two decimal places
        amount = float("{0:.2f}".format(int(request.POST.get('amount'))))
        ord_id = OrdID()
        cust_id = CustID()

        paytm_params = {
            "MID": MERCHANTID,
            "WEBSITE": "DEFAULT",
            "INDUSTRY_TYPE_ID": "Retail",
            "CHANNEL_ID": "WEB",
            "ORDER_ID": ord_id,
            "CUST_ID": cust_id,
            "MOBILE_NO": phone,
            "EMAIL": email,
            "TXN_AMOUNT": str(amount),
            # Paytm posts the transaction result back to this URL
            "CALLBACK_URL": "https://www.<my_domain>.org/payment/status/",
        }

        # checksum over the request parameters, keyed with the merchant key
        paytm_params['CHECKSUMHASH'] = Checksum.generate_checksum(paytm_params, MERCHANTKEY)

        if form.is_valid():
            form.save()

        return render(request, 'paytm.html', {'paytm_params': paytm_params})

    else:
        form = DonateForm()
        context = {'Donate': form}
        return render(request, 'donate.html', context=context)


@csrf_exempt  # the POST comes from Paytm, so it carries no Django CSRF token
def handlerequest(request):
    if request.method == "POST":
        form = request.POST
        response_dict = {}
        checksum = None  # stays None if Paytm did not send a CHECKSUMHASH field

        for i in form.keys():
            response_dict[i] = form[i]

            if i == 'CHECKSUMHASH':
                checksum = form[i]
                print(checksum)

        # the callback data is only trustworthy if the checksum verifies with the merchant key
        verify = Checksum.verify_checksum(response_dict, MERCHANTKEY, checksum)

        if verify:
            if response_dict['RESPCODE'] == '01':
                print('order successful')
            else:
                print('error: ' + response_dict['RESPMSG'])
        else:
            print('checksum verification failed; response cannot be trusted')

        return render(request, 'paymentstatus.html', {'response': response_dict})

    # a view must always return a response; the callback is POST-only
    return HttpResponseNotAllowed(['POST'])

urls.py

from django.urls import path

from . import views

urlpatterns = [

    ...

    path('donate', views.donate, name='donate'),
    path('payment/status', views.handlerequest, name='handlerequest'),

    ...
]

[SOLUTION]

Firstly, adding www. to the URL, as the answer indicates, was the issue. The 404 error was solved like this.

It turns out the path in views and the path in urls should be the same. This solved the issue for me.


def donate(request):

    ...

    paytm_params = {
        "MID": MERCHANTID,
        "WEBSITE": "DEFAULT",
        "INDUSTRY_TYPE_ID": "Retail",
        "CHANNEL_ID": "WEB",
        "ORDER_ID": ord_id,
        "CUST_ID": cust_id,
        "MOBILE_NO": phone,
        "EMAIL": email,
        "TXN_AMOUNT": str(amount),
        # no trailing slash, matching the 'payment/status' route in urls.py
        "CALLBACK_URL": "https://www.<my_domain>.org/payment/status",

    ...

urls.py

from django.urls import path

from . import views

urlpatterns = [

    ...

    path('donate', views.donate, name='donate'),
    path('payment/status', views.handlerequest, name='handlerequest'),

    ...
]

Note that in urls.py the path is payment/status. Previously, in views, the path had a slash at the end, like this: https://www.<my_domain>.org/payment/status/. Removing the slash at the end worked for me.

Sashaank

2 Answers


If your site is set up on PythonAnywhere, it's probably at https://www.<my_domain>.org/, not https://<my_domain>.org/. So if your callback URL does not include the www. at the start, then try adding it and see if that fixes the problem.

Giles Thomas
  • Sorry for the late reply. This seems to solve the issue, but this leads to a 404 error. I checked the `urls.py`. I don't think there is a problem with any of the paths. I have edited the question to add the `views.py` code and `urls.py` code. Can you take a look? – Sashaank Jan 28 '21 at 10:15
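An added diagnostic for the ERR_CERT_COMMON_NAME_INVALID symptom discussed above (example code, not from the question or the answers): it lists the DNS names a certificate actually covers and checks a hostname against them the way a browser does, so a callback pointing at the bare domain can be compared with a certificate issued only for the www name. `SAMPLE_CERT` is a constructed dict in the shape Python's `ssl` `getpeercert()` returns; `fetch_cert` retrieves a live certificate and needs network access.

```python
import socket
import ssl

def cert_dns_names(cert):
    """DNS names the cert is valid for: SAN entries, falling back to the
    subject CN only when there is no SAN (modern browsers ignore the CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names

def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a single leading wildcard label:
    '*.example.org' covers 'www.example.org' but not 'example.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False

def check_hostname(cert, hostname):
    """Return a browser-style verdict for using `hostname` with this cert."""
    names = cert_dns_names(cert)
    if any(name_matches(n, hostname) for n in names):
        return f"OK: {hostname} is covered by {names}"
    return (f"ERR_CERT_COMMON_NAME_INVALID: {hostname} is not in {names}; point the "
            f"callback at one of those names or get a certificate that includes it")

def fetch_cert(hostname, port=443):
    """Fetch the leaf certificate a server presents for `hostname` (needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified; only the name check is skipped
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() shape: a certificate issued for the www name only
SAMPLE_CERT = {
    "subject": ((("commonName", "www.mydomain.org"),),),
    "subjectAltName": (("DNS", "www.mydomain.org"),),
}
```

Running `check_hostname(fetch_cert("www.<my_domain>.org"), "<my_domain>.org")` against the live site shows in one line whether the bare-domain callback can ever pass the browser's name check.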

I will just guess now:

  • either the DNS needs some time to propagate to the payment provider's DNS database

Inside the terminal:

# check NS record
nslookup yourdomain.org
# try to force a refresh a few times
dig yourdomain.org

Please share the output.

  • or, what concerns me the most, you are using a CDN service or loading assets served over http inside your https page

  • in the browser, to the left, hit the lock icon and check the certificate; if everything looks good you gotta get in touch with their support again to force refresh their DNS; normally it takes some time to work automatically.

Ahmed Shehab
  • Thanks for the reply. There are no images on the callback_url page, just some basic styling like color and font. – Sashaank Jan 15 '21 at 08:50
  • I have edited the question to post the result of the `nslookup` and `dig` commands. – Sashaank Jan 15 '21 at 08:50
  • Hi! Do you know what is wrong with my program? – Sashaank Jan 15 '21 at 09:59
  • In the browser, to the left, hit the lock icon and check the certificate; if everything looks good you gotta get in touch with their support again with a screenshot of the valid certificate and ask them to force refresh their DNS; normally it takes some time to work automatically. As far as I believe, you did your thing right as long as you can see a valid cert in a browser; they might restrict some kind of A record or something else that only they can answer. – Ahmed Shehab Jan 15 '21 at 10:50
  • When I click the lock icon, it says `the connection is secure`, and the certificate is valid. – Sashaank Jan 15 '21 at 11:38
  • When you say the DNS refresh takes some time to happen automatically, how long will that be? It is very difficult to get in touch with their technical team. There is no chat option; I have to send them an email, which they don't respond to half the time. When they do respond, I have to explain the problem to them by mail and then they give me a number to contact. This usually takes around a week, provided they respond. – Sashaank Jan 15 '21 at 11:42
  • Personally, I would try to mock the request and see what's happening: fake a POST request with Postman and check the outcome. – Ahmed Shehab Jan 15 '21 at 11:44
  • Can you explain in detail? As I said, I am not too tech-savvy and am still learning a lot about this. – Sashaank Jan 15 '21 at 11:44
  • How did this work from my local system with ngrok? Why is it failing only with PythonAnywhere? – Sashaank Jan 15 '21 at 11:46
  • DNS propagation is very tied to the provider; normally it takes 5 minutes, but some providers flush their DNS every 2 hrs or 24 hrs, and the worst case is 96 hrs. – Ahmed Shehab Jan 15 '21 at 11:54
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/227383/discussion-between-ahmed-shehab-and-sashaank). – Ahmed Shehab Jan 15 '21 at 13:00