How to configure multi-tenancy sites, each with a separate domain and SSL certificate

Hello all

FF v15.56
ERPNext v15.53
bench v5.23

I’m setting up a production environment for multiple sites, each having their own domain and wildcard SSL certificate.

After the sites were created and various apps installed

bench config dns_multitenant on
bench setup add-domain --site site1.prod domain1.tld
bench setup add-domain --site site2.prod domain2.tld

However, when I configure nginx, I can only get one SSL wildcard certificate to be active as

sudo bench setup wildcard-ssl domain2.tld

will overwrite nginx.conf, destroying the configuration for domain1.tld

Furthermore

bench setup nginx
sudo service nginx reload

does not configure nginx for both SSL certificates

Does anyone have some insight as to how to achieve the above scenario?

Hi there,

I’m not familiar with the wildcard-ssl command, but the add-domain command has optional parameters specifying ssl cert locations (specific to that domain). You could also edit the site config directly.

https://docs.frappe.io/framework/v14/user/en/bench/guides/adding-custom-domains

Thanks so much @peterg

I ended up editing the nginx.conf directly.

I duplicated the server section for port 443, making minor changes for the domain and SSL definitions. It seems to work fine.

However, I’m now stuck with an nginx.conf which I cannot maintain from bench invocations, as I would have to apply manual intervention to ensure all is still fine.

Maybe someone else has a better / more scalable solution?

You definitely don’t want to edit nginx.conf directly. If that’s what you thought I was suggesting, we’re misunderstanding each other.

Did you try using the method described in the link I posted? It’s not clear to me from your reply. Unless I’m misunderstanding your goals, it should do exactly what you want.

Thanks @peterg

No, I understood perfectly what you were saying in your post prior to you editing it.

I just did not bother too much with cleaning up the various site_config.json files (12 of them) to remove various aspects, such as an existing domains definition and the various wildcard definitions, which did not allow for running add-domain again.

What complicated matters more is that I ended up with a global wildcard definition in addition to wildcard definitions per site!?

I resorted to first figuring out whether I actually need a wildcard definition at all, global or site specific, and thought the fastest way of getting things working was to edit nginx.conf directly. I understand it is an interim solution.

My understanding at this moment is that I can link each site to a specific domain, each with its own SSL certificate, using

bench setup add-domain --site site1.prod --ssl-certificate /etc/letsencrypt/live/domain1.tld/fullchain.pem --ssl-certificate-key /etc/letsencrypt/live/domain1.tld/privkey.pem domain1.tld

This should work irrespective of the SSL certificate being a wildcard certificate or not, hence there should be no need for a wildcard definition in any site_config.json. But I have a bit of work cleaning up the various site_config.json files first before I can invoke the above bench setup add-domain on each site.

I’m not really following, but if you don’t want to run an add-domain command again, you can just add the domain-specific cert paths to your site_config.json files manually. The format is described in the same link.
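As an added example (not code from the thread or from bench itself): a small Python audit of the per-domain certificate entries in each site_config.json, assuming the key names mirror the add-domain flags above (domain, ssl_certificate, ssl_certificate_key) and that a bare string entry means a domain without its own certificate; check both against your own site_config.json. The SAN list per certificate is supplied by the caller (reading the PEM is left to openssl), and the check catches the wildcard pitfall that *.domain.tld does not cover the apex domain.tld.

```python
def san_covers(san: str, host: str) -> bool:
    """RFC 6125-style name matching: '*.example.tld' covers exactly one extra
    label (www.example.tld) and never the apex example.tld itself."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                                   # ".example.tld"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return san == host

def check_domains(site: str, config: dict, cert_sans: dict) -> list:
    """Findings for the 'domains' list of one site_config.json (assumed layout:
    [{"domain", "ssl_certificate", "ssl_certificate_key"}, ...]). cert_sans maps a
    certificate path to its SANs, e.g. from `openssl x509 -noout -ext subjectAltName`."""
    findings = []
    for entry in config.get("domains", []):
        if not isinstance(entry, dict):                    # bare "domain.tld" string
            findings.append(f"{site}: {entry} has no per-domain certificate")
            continue
        host, cert = entry.get("domain"), entry.get("ssl_certificate")
        if not cert or not entry.get("ssl_certificate_key"):
            findings.append(f"{site}: {host} lacks ssl_certificate or ssl_certificate_key")
        elif cert not in cert_sans:
            findings.append(f"{site}: {host} points at unreadable certificate {cert}")
        elif not any(san_covers(s, host) for s in cert_sans[cert]):
            findings.append(f"{site}: {cert} does not cover {host} "
                            f"(SANs: {', '.join(cert_sans[cert])})")
    return findings

def audit(configs: dict, cert_sans: dict) -> list:
    """configs maps site name -> parsed site_config.json; returns all findings."""
    findings = []
    for site, cfg in sorted(configs.items()):
        findings.extend(check_domains(site, cfg, cert_sans))
    return findings

# Constructed sample input modelled on the two sites in the thread.
SAMPLE_CONFIGS = {
    "site1.prod": {"domains": [{"domain": "domain1.tld",
        "ssl_certificate": "/etc/letsencrypt/live/domain1.tld/fullchain.pem",
        "ssl_certificate_key": "/etc/letsencrypt/live/domain1.tld/privkey.pem"}]},
    "site2.prod": {"domains": [{"domain": "domain2.tld",
        "ssl_certificate": "/etc/letsencrypt/live/domain2.tld/fullchain.pem",
        "ssl_certificate_key": "/etc/letsencrypt/live/domain2.tld/privkey.pem"}]},
}
# Constructed SANs: domain2's wildcard certificate omits the apex name.
SAMPLE_SANS = {
    "/etc/letsencrypt/live/domain1.tld/fullchain.pem": ["domain1.tld", "*.domain1.tld"],
    "/etc/letsencrypt/live/domain2.tld/fullchain.pem": ["*.domain2.tld"],
}
```

Feed it `json.load` of each `sites/<site>/site_config.json` and print `audit(...)`; on the sample input only site2.prod is reported, because its wildcard certificate would leave the apex name without a valid certificate after `bench setup nginx`.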

Yes, I understand that.
However, bench setup add-domain complains that it cannot proceed when the site_config.json already contains a domains definition, and terminates. So in order to invoke this bench command I need to clean up all the site_config.json files first. Plus I have to remove all of the wildcard definitions too. All of this was way too much work compared to quickly duplicating the 443 server block in nginx.conf.

Okay. If that’s working for you, glad to hear it.


Once I’ve tested the effect wildcard definitions in site_config.json have on the resulting nginx.conf, I will report back here to inform others.