I successfully created single certs for the first site and its add-on domain. Each had its own cert, and bench wrote them in the site_config.json correctly.
The nginx.conf also seems correct because I then could access the site with https (both domains). The certs created are
along with the single domain (site.com) and subdomain (www.site.com) certs.
The process with setting up ssl and nginx successfully listed the domain site.com with the site.com-0001 cert.
But it can’t be accessed.
I changed it back to use the site.com cert and it can be accessed again.
Using the 0001 cert with www.site.com also fails.
I tried to find the docs to setup wildcard ssl with multitenant but can’t find one.
Can somebody show me the right direction in setting this up?
Adding the custom domain www.site.com: after running bench add-domain, which updates the domains parameter in the site_config.json, it can be accessed without adding ssl info under the domains parameter.
In nginx.conf, the custom domain has its own listen 443 ssl.
Create a new site with bench new-site.
nginx setup lists this new site under the first site in the server blocks in listen 443 ssl
listen 443 ssl;
but I can’t access this new domain with http or https.
Add the ssl parameters to site2’s site_config.json, bench setup nginx, reload nginx… still can’t access the site.
In nginx.conf, site2 is listed separately under its own listen 443 ssl.
Sorry for this long post. But I hope this can be a reference to anyone new in setting up LE’s wildcard ssl.
So up to now I still can’t access multi site with wildcard ssl.
I just came to think that the problem is in my install of bench that doesn’t serve multitenant (it is on, I verified).
My last try: use a single ssl for each site, or maybe without ssl. If I can’t access it, then my install of bench is the problem.
Once you’re sure that your install is on dns based multitenancy, I don’t think you should have any issues.
Yes, the references to the certs are correctly placed in the common_site_config file and not site_config.
If you went through the link I shared carefully, you’d notice there’s a flag if you want to exclude the base domain, else, both certificates would be requested
In your case, since you already had certificates for “domain.com” , you should have excluded the base domain
Also, the wildcard certificate works for subdomains, which is why it’s depicted as “*.domain.com”. This means that your new site must have a name like “site2.domain.com” for the wildcard certificate to be applied to it.
You may also need to update and reload Nginx after making any changes:
Actually, this is a good solution yet annoying.
Running the command sudo certbot --nginx will create the certs and update the nginx.conf so the site can be accessed securely.
But, it doesn’t write the site_config.json with the ssl entry.
So the next time you run bench setup nginx, it will wipe the ssl entry from the nginx.conf, and your site is back to unsecured.
So I have a suggestion to the frappe bench team:
Rewrite bench setup lets-encrypt and bench setup wildcard-ssl. Their use to create the ssl has been broken by the deprecation of certbot-auto anyway.
Repurpose these commands: instead of taking the ssl path from site_config.json and updating nginx.conf, make them take the path from nginx.conf and write it to site_config.json and common_site_config.json (in the case of wildcard).
This way we can create the certs with sudo certbot --nginx
and place it in the site_config.json with bench setup lets-encrypt.
Then running bench setup nginx will not ruin anything.
One of the purposes of the bench setup lets-encrypt and bench setup wildcard-ssl commands is to take the path of the ssl (created by certbot-auto, inherent in these commands) and put it in the site_config.json and/or common_site_config.json.
And one of the purposes of bench setup nginx is to take the path from the configs and put it in the nginx.conf.
Then the site can be accessed with ssl.
But since the deprecation of certbot-auto, the process doesn’t work anymore.
Using certbot (from snapd) creates the certs and writes the path to nginx.conf. Nothing to the site config files.
So bench setup nginx thinks the sites don’t have certs, removes the entries from nginx.conf, and puts the domain in the port 80 servers.
Hence my suggestion to change the commands’ purpose.
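The repurposed command suggested above, sketched as an added example (not bench’s own code): it reads the ssl_certificate / ssl_certificate_key paths that sudo certbot --nginx leaves in nginx.conf and merges them into a site_config.json dict, so a later bench setup nginx regenerates the TLS block instead of dropping it. The site_config key names (ssl_certificate, ssl_certificate_key), the sample server block and its paths are assumptions.

```python
import re

# Constructed sample of what `sudo certbot --nginx` leaves in nginx.conf (illustrative paths).
SAMPLE_NGINX_CONF = """
server {
    server_name site.com www.site.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem; # managed by Certbot
    location / { proxy_pass http://frappe-bench-frappe; }
}
"""
_DIRECTIVE_RE = re.compile(
    r"^\s*(server_name|ssl_certificate|ssl_certificate_key)\s+([^;]+);", re.M)

def server_blocks(conf_text):
    """Bodies of all server { ... } blocks; brace depth keeps nested {} intact."""
    blocks, depth, start, start_depth = [], 0, None, None
    for m in re.finditer(r"server\s*\{|\{|\}", conf_text):
        if m.group(0).endswith("{"):
            if m.group(0).startswith("server") and start is None:
                start, start_depth = m.end(), depth
            depth += 1
        else:
            depth -= 1
            if start is not None and depth == start_depth:
                blocks.append(conf_text[start:m.start()])
                start = None
    return blocks

def extract_ssl_paths(conf_text):
    """Map each server_name to its cert/key paths; blocks without TLS are skipped."""
    paths = {}
    for body in server_blocks(conf_text):
        names, tls = [], {}
        for key, value in _DIRECTIVE_RE.findall(body):
            if key == "server_name":
                names = value.split()
            else:
                tls[key] = value.strip()
        if "ssl_certificate" in tls and "ssl_certificate_key" in tls:
            for name in names:
                paths[name] = dict(tls)
    return paths

def with_ssl_entries(site_config, ssl_paths, site_name):
    """Copy of a site_config dict plus ssl_certificate/ssl_certificate_key (assumed key names)."""
    updated = dict(site_config)
    updated.update(ssl_paths.get(site_name, {}))  # unchanged when nginx.conf has no cert
    return updated
```

Writing the returned dict back with json.dump is the only step left; the same mapping could feed the wildcard entry in common_site_config.json.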
sudo certbot --nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d *.my.domain
I’m not yet used to using certbot with frappe. When not using a wildcard, for example, running certbot --nginx -d a.sub.domain will install a cert, but all other sites in the bench get disturbed. So I have to run certbot for all sites every time.
Thank you for checking Rahy! If you have any insights, please do share.