使用 pythonanywhere ssl 证书的隐私错误

Question

I have a payment gateway in my web-app that requires an SSL certificate to work properly.

the web-app is a django web-app hosted at pythonanywhere . I used their Auto-renewing Let's Encrypt certificate to add an SSL certificate and make the website load as an HTTPS website.

The website now loads as an HTTPS website but when exiting the payment gateway I still get a Privacy error as follows

Your connection is not private
Attackers might be trying to steal your information from <my domain> (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

I am not sure what I am doing wrong

1. I am using a custom domain that I bought from GoDaddy
2. I followed this link to setup the SSL certificate
3. I have also enabled forcing-https in pythonanywhere.
4. I changed the callback url in my views from http://<my_domain>.org/payment/status/ to https://<my_domain>.org/payment/status/
5. The callback url page does not contain any http links. Just a css file as follows <link rel="stylesheet" href="{% static 'css/paymentstatus.css' %}">

Please note that when I visit the website, it shows as https . It is only when calling the callback URL does it return the Privacy error.

I did not face this error when I tried it in my local system with ngrok . This error occurs only with pythonanywhere .

▶ nslookup mydomain.org
Server:     2405:201:e011:3804::c0a8:1d01
Address:    2405:201:e011:3804::c0a8:1d01#53

Non-authoritative answer:
Name:   mydomain.org
Address: IP_ADDRESS

▶ dig mydomain.org
; <<>> DiG 9.10.6 <<>> mydomain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8056
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.org.      IN  A

;; ANSWER SECTION:
mydomain.org.   225 IN  A   IP_ADDRESS

;; Query time: 2 msec
;; SERVER: 2405:201:e011:3804::c0a8:1d01#53(2405:201:e011:3804::c0a8:1d01)
;; WHEN: Fri Jan 15 14:18:23 IST 2021
;; MSG SIZE  rcvd: 51

I changed the url from https://<my_domain>.org/ to https://www.<my_domain>.org/ . This leads to a 404 error. I have added my views.py and url.py below

def donate(request):
    if request.method == "POST":
        form = DonateForm(request.POST)

        name = request.POST.get('firstName')
        phone = request.POST.get('phone')
        email = request.POST.get('email')
        amount = float("{0:.2f}".format(int(request.POST.get('amount'))))
        ord_id = OrdID()
        cust_id = CustID()

        paytm_params = {
            "MID" : MERCHANTID,
            "WEBSITE" : "DEFAULT",
            "INDUSTRY_TYPE_ID" : "Retail",
            "CHANNEL_ID" : "WEB",
            "ORDER_ID" : ord_id,
            "CUST_ID" : cust_id,
            "MOBILE_NO" : phone,
            "EMAIL" : email,
            "TXN_AMOUNT" : str(amount),
            "CALLBACK_URL" : "https://www.<my_domain>.org/payment/status/",

            }

        paytm_params['CHECKSUMHASH'] = Checksum.generate_checksum(paytm_params, MERCHANTKEY)

        if form.is_valid():
            form.save()

        return render(request, 'paytm.html', {'paytm_params': paytm_params})

    else:
        form = DonateForm()
        context = {'Donate': form}
        return render(request, 'donate.html', context=context)

@csrf_exempt
def handlerequest(request):
    if request.method == "POST":
        form = request.POST
        response_dict = {}

        for i in form.keys():
            response_dict[i] = form[i]

            if i == 'CHECKSUMHASH':
                checksum = form[i]
                print(checksum)

        verify = Checksum.verify_checksum(response_dict, MERCHANTKEY, checksum)

        if verify:
            if response_dict['RESPCODE'] == '01':
                print('order successful')
            else:
                print('error: ' + response_dict['RESPMSG'])

        return render(request, 'paymentstatus.html', {'response': response_dict})

urlpatterns = [

    ...

    path('donate', views.donate, name='donate'),
    path('payment/status', views.handlerequest, name='handlerequest'),

    ...
]

[SOLUTION]

Firstly the www. to the url as the answer indicates was the issue. The 404 error was solved like this.

turns out the path in views and the path in urls should be the same. This solved the issue for me.

def donate(request):

    ...

    paytm_params = {
            "MID" : MERCHANTID,
            "WEBSITE" : "DEFAULT",
            "INDUSTRY_TYPE_ID" : "Retail",
            "CHANNEL_ID" : "WEB",
            "ORDER_ID" : ord_id,
            "CUST_ID" : cust_id,
            "MOBILE_NO" : phone,
            "EMAIL" : email,
            "TXN_AMOUNT" : str(amount),
            "CALLBACK_URL" : "https://www.<my_domain>.org/payment/status",
    
    ...

urls.py

urlpatterns = [

    ...

    path('donate', views.donate, name='donate'),
    path('payment/status', views.handlerequest, name='handlerequest'),

    ...
]

Note that in the urls.py the path is as follows payment/status . Previously in views the path had a slash in the end like this https://www.<my_domain>.org/payment/status/ . Removing the slash in the end worked for me.

Answer 1

If your site is set up on PythonAnywhere, it's probably at https://www.<my_domain>.org/ , not https://<my_domain>.org/ . So if your callback URL does not include the www. at the start, then try adding it and see if that fixes the problem.

Answer 2

I will just guess now:

• either the DNS needs some time to propagate with the payment provider DNS database

inside terminal

# check NS record
nslookup yourdomain.org
# try to force refresh for few times
dig yourdomain.org

please share the output

• or what concerns me the most that you are using CDN service or loading assets served on http inside your https

• in the browser to left hit on the lock icon and check the certificate and if everything looks good you gotta get in touch with their support again to force refresh their DNS, normally it takes sometime to work automatically.