Dns_multitenant issue with second site. Using the same SSL cert

Hi guys,
I have successfully installed the second site on v13, everything is running smoothly except: when I install the SSL certificate on the second site, the first site stops working.

It seems for some reason either there is a misconfiguration in nginx or certbot doesn’t install a new certificate for each site as I am telling it to do.

Your assistance will be greatly appreciated … the entire config of nginx is standard as per enabled by dns_multitenant and bench setup nginx

Thank you in advance. Here is the nginx.conf file

upstream frappe-bench-frappe {
        server 127.0.0.1:8000 fail_timeout=0;
}

upstream frappe-bench-socketio-server {
        server 127.0.0.1:9000 fail_timeout=0;
}



# setup maps

map $host $site_name_hqaxcjx {
        management.neptunescubadiving.com management.neptunescubadiving.com;
        management.neptuneliveaboards.com management.neptuneliveaboards.com;
        default $host;

}

# server blocks

server {


        server_name
                management.neptunescubadiving.com
                management.neptunescubadiving.com
                management.neptuneliveaboards.com
                management.neptuneliveaboards.com
                ;

        root /home/erpnext/frappe-bench/sites;


        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;



        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";

        location /assets {
                try_files $uri =404;
        }

        location ~ ^/protected/(.*) {
                internal;
                try_files /$site_name_hqaxcjx/$1 =404;
        }

        location /socket.io {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Frappe-Site-Name $site_name_hqaxcjx;
                proxy_set_header Origin $scheme://$http_host;
                proxy_set_header Host $host;

                proxy_pass http://frappe-bench-socketio-server;
        }

        location / {

                rewrite ^(.+)/$ $1 permanent;
                rewrite ^(.+)/index\.html$ $1 permanent;
                rewrite ^(.+)\.html$ $1 permanent;

                location ~ ^/files/.*.(htm|html|svg|xml) {
                        add_header Content-disposition "attachment";
                        try_files /$site_name_hqaxcjx/public/$uri @webserver;
                }

                try_files /$site_name_hqaxcjx/public/$uri @webserver;
        }

        location @webserver {
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Frappe-Site-Name $site_name_hqaxcjx;
                proxy_set_header Host $host;
                proxy_set_header X-Use-X-Accel-Redirect True;
                proxy_read_timeout 120;
                proxy_redirect off;

                proxy_pass  http://frappe-bench-frappe;
        }

        # error pages
        error_page 502 /502.html;
        location /502.html {
                root /usr/local/lib/python3.8/dist-packages/bench/config/templates;
                internal;
        }

        # optimizations
        sendfile on;
        keepalive_timeout 15;
        client_max_body_size 50m;
        client_body_buffer_size 16K;
        client_header_buffer_size 1k;

        # enable gzip compression
        # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 5;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_vary on;
        gzip_types
                application/atom+xml
                application/javascript
                application/json
                application/rss+xml
                application/vnd.ms-fontobject
                application/x-font-ttf
                application/font-woff
                application/x-web-app-manifest+json
                application/xhtml+xml
                application/xml
                font/opentype
                image/svg+xml
                image/x-icon
                text/css
                text/plain
                text/x-component
                ;
                # text/html is always compressed by HttpGzipModule

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/management.neptunescubadiving.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/management.neptunescubadiving.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}

I also tried setting: bench set-nginx-port management.neptuneliveaboards.com 82

However that doesn’t update the nginx.conf file

Does anyone know what’s the issue in this particular case?

Thank you in advance.

Had the same issue last week. Gave up on trying.

There must be a way to do this… it can’t be that buggy

I’m on v13 on Ubuntu 20

This is a major issue because it means you can’t use the second website.

DNS based multitenancy
You can name your sites as the hostnames that would resolve to it. Thus, all the sites you add to the bench would run on the same port and will be automatically selected based on the hostname.

To make a new site under DNS based multitenancy, perform the following steps.

Switch on DNS based multitenancy (once)

bench config dns_multitenant on

Create a new site

bench new-site site2name

Regenerate nginx config

bench setup nginx

Reload nginx

sudo service nginx reload

Thank you for your reply.

That’s precisely the steps I took. Additionally at the end I had to generate an SSL certificate with sudo certbot --nginx

Because without the SSL the site was not reachable.

And this is where the problem is… for some reason, if I install an SSL on one site, the other site stops working.

I managed to figure it out.

When using sudo certbot --nginx

You have to select the option of installing the certificate on both domains at the same time. This will install the SSL certificate correctly and generate the correct nginx.conf file.

Voila, both sites are now working.

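An added example, not part of the original thread and not code from bench or certbot: the config posted above has a single server block that lists both sites and one ssl_certificate line, so a certificate issued for only one domain is presented for both hostnames. The sketch below finds server_name entries that a certificate's SANs do not cover. The SAN sets are supplied by hand (on a real host they can be read from `certbot certificates`), and the function names, the simplified brace-matching parser and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the shared server block from the thread.
CERT_PATH = "/etc/letsencrypt/live/management.neptunescubadiving.com/fullchain.pem"
NGINX_CONF = """
server {
    server_name
        management.neptunescubadiving.com
        management.neptuneliveaboards.com
        ;
    listen 443 ssl; # managed by Certbot
    ssl_certificate %s; # managed by Certbot
}
""" % CERT_PATH

def server_blocks(conf):
    """Yield the body of each `server { ... }` block using brace matching."""
    for m in re.finditer(r"(?m)^\s*server\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def covered(host, sans):
    """True if host matches a SAN exactly or through a single-label wildcard."""
    parent = host.split(".", 1)[-1]
    return host in sans or f"*.{parent}" in sans

def uncovered_names(conf, cert_sans):
    """Map each certificate path to the server_name entries its SANs miss."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments before parsing
    gaps = {}
    for body in server_blocks(conf):
        cert = re.search(r"\bssl_certificate\s+([^;\s]+)\s*;", body)
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        if not cert or not names:
            continue  # plain-HTTP block or no names: nothing to compare
        sans = cert_sans.get(cert.group(1), set())
        missing = sorted({n for n in names.group(1).split() if not covered(n, sans)})
        if missing:
            gaps[cert.group(1)] = missing
    return gaps

if __name__ == "__main__":
    # Assumed SAN set: a certificate requested for the first domain only.
    one_domain = {CERT_PATH: {"management.neptunescubadiving.com"}}
    print(uncovered_names(NGINX_CONF, one_domain))
```

An empty result means every hostname in each TLS server block is covered by the certificate that block serves, which is the state reached by selecting both domains in certbot.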