1

I have a Django site which is hosted on GCP App Engine with SendGrid as email host. When resetting the password and clicking on the link in the following email, the subsequent error is thrown:

Your connection is not private
NET::ERR_CERT_COMMON_NAME_INVALID

I've looked into several potential causes (linked at the end) but haven't been able to find a solution.

password_reset_email.html (only displaying the reset_link block)

```
{% block reset_link %}
{{ protocol }}://{{ domain }}{% url 'password_reset_confirm' uidb64=uid token=token %}
{% endblock %}
```

settings.py

```python
ALLOWED_HOSTS = ['*']
# Also tried with
#ALLOWED_HOSTS = ['*', 'website.com', 'www.website.com']

# HTTPS settings
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = True

# HSTS settings
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

# Email backend settings (SendGrid)
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
DEFAULT_FROM_EMAIL = 'some@email.com'
EMAIL_HOST = 'smtp.sendgrid.net'
EMAIL_HOST_USER = 'apikey'
EMAIL_HOST_PASSWORD = 'EMAIL_HOST_PASSWORD'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
```

I have authenticated the domain and branded the link on SendGrid which have been verified over the DNS records on Namecheap.

When I look at the certificate in the browser it still refers to *.sendgrid.net though. Perhaps this might be causing it? I thought authentication and link branding would solve that. I've also tried emptying the cache and opening the link in a private window.

I've looked into this, this and this SO question as well.

Any help would be appreciated.

EDIT

Turns out it's related to this SO question as well.

Jakob
  • Please verify this [document](https://www.digitalocean.com/community/questions/after-adding-my-domain-to-allowed_hosts-in-django-settings-i-am-still-getting-a-502-error-not-sure-why-my-settings-are-not-recognized) and let me know if the problem has been resolved or not. – Abhijith Chitrapu Oct 16 '21 at 15:02
  • Thanks for your suggestion @abhi-chitrapu. I've tried what's in the link but it doesn't change anything. Still the same error. According to the [`settings.py` file](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/appengine/standard/django/mysite/settings.py#L42) on GCP's GitHub account it should be fine to leave it with a single `*`. "App Engine's security features ensure that it is safe to have `ALLOWED_HOSTS = ['*']` when the app is deployed." – Jakob Oct 16 '21 at 18:48
  • First we should understand why the NET::ERR_CERT_COMMON_NAME_INVALID error is caused. In most cases it has to do with the SSL certificate. Sometimes non-WWW domains are red flagged. Try to create it with a different scenario to check where the actual problem is: whether it is from Django or SendGrid or GCP. For example, in WordPress site settings you should include WP address URL and site URL. Adding ‘s’ in https will break your site. Looking at your stack, first check with Django. – Abhijith Chitrapu Oct 17 '21 at 16:34
  • Do you have click tracking enabled without setting up [SSL click tracking](https://docs.sendgrid.com/ui/analytics-and-reporting/click-tracking-ssl)? – philnash Oct 17 '21 at 23:06
  • 1
    I have submitted a request to the SendGrid support to have SSL click and open tracking enabled via CloudFlare following the link you provided above @philnash. Not sure how long this will take so just wanted to add this comment to keep you both updated. [This recent answer](https://stackoverflow.com/a/69064330/8162025) happens to suggest the same thing though. – Jakob Oct 18 '21 at 20:01
  • 1
    This went faster than expected. Just as you both pointed out, SSL wasn't properly configured. Enabling [SSL click tracking](https://docs.sendgrid.com/ui/analytics-and-reporting/click-tracking-ssl#configuring-ssl-certificates-and-keys) did the job and it was all set up within 48h. Do you add it as an answer @philnash? – Jakob Oct 20 '21 at 07:45
  • Glad to hear it’s all working! I’ve added an answer. – philnash Oct 20 '21 at 07:49

1 Answer

3

Twilio SendGrid developer evangelist here.

You will need to get SSL Click Tracking turned on so that your CDN can forward SSL content onto SendGrid with a valid certificate for your domain.

philnash
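
The mismatch described in this thread can be confirmed before and after the fix by comparing the host in the emailed link with the DNS names in the certificate served for it. The following is an added example, not code from the question or the answer; the branded host `url1234.website.com` and the "after" certificate names are constructed placeholders, and only `*.sendgrid.net` comes from the question.

```python
import socket
import ssl


def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label, covering one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def diagnose(link_host: str, dns_names: list[str]) -> str:
    """Report whether a certificate's DNS names cover the host in the emailed link."""
    if any(san_matches(link_host, name) for name in dns_names):
        return "ok"
    return f"mismatch: {link_host} not covered by {', '.join(dns_names)}"


def fetch_dns_names(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Fetch the DNS names a live server presents, without enforcing the hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the chain is still verified; names are compared above
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample data (hypothetical branded link host).
BRANDED_HOST = "url1234.website.com"
BEFORE = ["*.sendgrid.net"]        # certificate name reported in the question
AFTER = ["url1234.website.com"]    # constructed: certificate valid for the branded host

if __name__ == "__main__":
    print(diagnose(BRANDED_HOST, BEFORE))  # browser shows ERR_CERT_COMMON_NAME_INVALID
    print(diagnose(BRANDED_HOST, AFTER))
    # Against a real deployment: diagnose(host, fetch_dns_names(host))
```
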