Having difficulty setting up Let's Encrypt

I am trying to get lets-encrypt setup but I am getting Nginx errors. Here is what I tried to do…

bench use site1.local
bench config dns_multitenant on
bench setup add-domain --site site1.local erp.local
sudo -H bench setup lets-encrypt site1.local --custom-domain erp.local

I get that far then get the following…

Running this will stop the nginx service temporarily causing your sites to go offline
Do you want to continue? [y/N]: y
$ sudo systemctl stop nginx
$ /opt/certbot-auto  --config /etc/letsencrypt/configs/erp.local.cfg certonly
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
nginx.conf already exists and this will overwrite it. Do you want to continue? [y/N]: y
$ sudo systemctl start nginx
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

journalctl gives me this…

-- Unit nginx.service has begun starting up.
Apr 23 16:16:47 ubuntu nginx[18841]: nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/site1.local/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:f
Apr 23 16:16:47 ubuntu nginx[18841]: nginx: configuration file /etc/nginx/nginx.conf test failed
Apr 23 16:16:47 ubuntu systemd[1]: nginx.service: Control process exited, code=exited status=1
Apr 23 16:16:47 ubuntu systemd[1]: nginx.service: Failed with result 'exit-code'.
Apr 23 16:16:47 ubuntu systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit nginx.service has failed.

Some additional info…

• Ubuntu 18.04.4 LTS Virtual Machine
• Using a local domain, and will not be used outside of organization.
• I have no issues with Nginx when reverting back to Port based multitenancy only DNS based multitenancy

Perhaps you can try the steps in the following discussion,

Installing SSL on v13 - ERPNext - Discuss Frappe/ERPNext

Thanks, I am further along but still no luck.

My nginx.conf file was goofed up. I noticed that it was not happy with the added domain after I ran bench setup nginx.

So I removed it… bench setup remove-domain --site site1.local erp.local & re-ran bench setup nginx and nginx was happy again.

I installed cerbot manually and ran sudo certbot --nginx as you suggested but it is not happy that I am using a local domain name. Not sure if I still need lets-encrypt if I am only using this on a local network.

However, at this point I do get redirected to https now but I am getting the “Sorry! We Will be back soon.” landing page.

Maybe I am misunderstanding if I need let’s encrypt or not.

Currently ERPNext is setup and can be accessed via http://192.168.1.100/, or http://erpnext/. The site name uses the default (site1.local). This instance will only be accessed on the local network, not from the internet.

I am trying to enable https and I thought lets-encrypt is needed but I am not sure if it is or not. Since this is running on a VM I reverted it back to an eariler snapshot and tried again. This time I tried the following…

bench use site1.local
bench config dns_multitenant on

openssl req -new -newkey rsa:2048 -nodes -keyout erpnext.local.key -out erpnext.local.crt
chown root erpnext.local.key
chmod 600 erpnext.local.key
mkdir /etc/nginx/conf.d/ssl
mv erpnext.local.key /etc/nginx/conf.d/ssl/
mv erpnext.local.crt /etc/nginx/conf.d/ssl/

bench set-ssl-certificate site1.local /etc/nginx/conf.d/ssl/erpnext.local.crt
bench set-ssl-key site1.local /etc/nginx/conf.d/ssl/erpnext.local.key
bench setup nginx
sudo service nginx reload

I feel like this would work for https but I am missing something because it redirects to https but loads the “Sorry!” 504 page. Shouldn’t this work even though the cert is self-signed?

For letsencrypt to work, the domain must be resolvable to a public ip over the internet. In your case, i dont think it will work since it is hosted on a local machine and is not accessible over internet.

Ok, do you know if it is still possible to enable HTTPS then for use on a local network? My IT person is pushing for it to use SSL even if it never is accessible via internet.

You don’t need to use bench for letsencrypt.
You use certbot --nginx which you may know about in the letsencrypt website.

To get an ssl from letsencrypt, you need a valid domain because that is the requirement for letsencrypt.

If you want to use ssl over local intranet, you can generate you own ssl certs and do manual configuration on Frappe.

Ok, I think I set up ssl using a self-signed cert successfully. It redirects to https when I go to the address or hostname but then I get the 504 page.

Is there something else that I am missing?

[edit] It works fine when multi-tanant is no but https stops working.

I think there is some guidance on FrappeFramework documentation regarding setting up manual ssl.

I always use letsencrypt because I use VPS even for development.

Last year, I used ssl on a local intranet, but I placed it it run_simple function of werkzeug. So, I had to revise the frappe code a little bit.

That might be over my head but I looked at the nginx logs and got the following…

access.log

2021/04/26 12:56:23 [error] 3193#3193: *1609 upstream prematurely closed connection while reading response header from upstream, client: 192.168.0.201, server: site1.local, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8000/", host: "192.168.0.104"
2021/04/26 12:56:23 [error] 3193#3193: *1609 upstream prematurely closed connection while reading response header from upstream, client: 192.168.0.201, server: site1.local, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:8000/favicon.ico", host: "192.168.0.104", referrer: "https://192.168.0.104/"

error.log

192.168.0.201 - - [26/Apr/2021:12:56:22 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
192.168.0.201 - - [26/Apr/2021:12:56:23 +0000] "GET / HTTP/1.1" 502 5444 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
192.168.0.201 - - [26/Apr/2021:12:56:23 +0000] "GET /favicon.ico HTTP/1.1" 502 5444 "https://192.168.0.104/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"

Shouldn’t the HTTP GET be HTTPS ? Could that be why I am getting a 504 error?

Generate a self-signed certificate and assign it to the nginx conf of the site.

You will have to do these manually and I don’t know if there is any documentation in ERPnext for self-signed certificate.
Youtube will have many videos on how to generate a self-signed certificate and assign it in nginx conf.

You will add you have to add this certificate to whitelist in the browser where you want to access the site, as most browsers throw exceptional warning when using self-signed certificate.

Good luck.

I cheated a bit and put my ssl right in the werkzeug’s run_simple function.

run_simple(‘localhost’, 4000, application, ssl_context=(‘/path/to/the/key.crt’,
‘/path/to/the/key.key’))

This line is from the werkzeug documentation. The applicable part is ssl_context.

I am pretty sure I set up the self signed cert correctly. I found some more info in the logs…

frappe-bench/logs/web.log

Site 192.168.0.104 does not exist

This error does not happen when dns mutlitenant is off.

I compared the nginx.conf files and found that the $host was used when mutlitenant was on. I believe this was causing things to get routed incorrectly and caused my 504 error.

I am not sure what the correct way to do this is but for now, I manually edited the ~/frappe-bench/config/nginx.conf file by replacing all instances of $host with site1.local except for the one used in the http redirect section.