Only one SSL certificate per bench instance

Yes. Correct. This way you do not have to mess with the /etc/hosts

Still not working. My exact sitename is ags.v1, my domain is ags.vertexrt.com.au. So I renamed the site directory as mv ags.v1 ags.vertexrt.com.au. Still doesn't work.

Have you checked that each site has its own ssl path in its site_config.json?
And no ssl path in common_site_config.json.
I'm not an expert but maybe this can help.

Nope, neither site has it, nor does the common_site_config file. Basically I completely disregarded the frappe Let's Encrypt guide. Instead I followed the certbot guide for Ubuntu servers. I've never tried using it for multiple sites, so this is the first time I'm facing this issue.

Well... maybe you can add the cert to each site_config accordingly.

 "ssl_certificate": "/etc/letsencrypt/live/domainname.com/fullchain.pem",
 "ssl_certificate_key": "/etc/letsencrypt/live/domainname.com/privkey.pem"

I use the common_site_config for wildcard ssl.

 "wildcard": {
  "domain": "domainname.com",
  "ssl_certificate": "/etc/letsencrypt/live/domainname.com/fullchain.pem",
  "ssl_certificate_key": "/etc/letsencrypt/live/domainname.com/privkey.pem"
 }

If you use bench setup add-domain because your site name is different than the domain name, you can add to the command:

  --ssl-certificate TEXT      Absolute path to SSL Certificate
  --ssl-certificate-key TEXT  Absolute path to SSL Certificate Key

Tried adding the certificates alongside path to both the site_config and/or the common_site_config. Did not do the trick :confused:

bench setup nginx and bench setup reload-nginx ?

Sorry, I did not ask -
Are you installing SSL using lets-encrypt certbot?

Did that

I followed this : 404 Not Found | Certbot

I'm not an expert in servers and ssl so I ran out of ideas.
I guess it's the multi domain that causes the ssl not to run.

My setup is multi-tenant with a single domain and ssl for each subdomain (each site_config.json has its own entry for ssl).
My other setup is multi-tenant with a single domain and a wildcard for all subdomains (no ssl entry in site_config, but one entry in common_site_config.json).
I also have a site with multiple subdomains (added via bench setup add-domain) and ssl for each subdomain.

The same as you I set the ssl following that certbot web page (but I use CentOS).

Maybe you can check the nginx.conf to see how the ssl is assigned to each domain.

Yeap I added the domain using:

bench setup add-domain www.abc.com --site sitename.local

Then bench setup nginx and setup reload-nginx

and then I followed the certbot guide for ubuntu, which works perfectly for a single domain or a sub domain

I think you have to bench setup nginx and reload after adding the cert to site_config.json (but I'm not sure).

Iā€™ll try

Okay so the wildcard method does nothing. In each site's site_config I pasted the paths with the appropriate directories as shown, and when I run bench setup nginx, it says site_config has errors.

EDIT: There was a missing comma at the end of the second line of the ssl path. Now a new issue arises: bench setup nginx works fine but sudo service nginx reload says nginx failed to restart; when I remove the ssl paths from the site_config.json, sudo service nginx reload works.

Check the path, name and availability of the certs in /etc/letsencrypt/.
A mismatch between the cert in nginx.conf, site_config.json and the actual cert in that directory caused me the same problem.
I think I posted a reply about this problem. Let me try to find it :slight_smile:

EDIT: found it NGINX Stopped after renew the SSL - #3 by rahy
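The checks in the last few replies (is site_config.json valid JSON, do both certificate paths exist, is nothing SSL-related left in common_site_config.json) can be run before `bench setup nginx` instead of discovering them from a failed nginx reload. The script below is an added example, not code from this thread or from the bench/frappe projects. It assumes the layout bench creates (`<bench>/sites/<site>/site_config.json`, `<bench>/sites/common_site_config.json`) and the keys named above; the `domains` dict form with its own certificate paths is assumed from the `--ssl-certificate` flags of `bench setup add-domain`. It builds a throwaway sample bench with deliberately broken sites rather than reading a real one.

```python
"""Pre-flight check for per-site SSL settings in a Frappe bench.

Added example, not code from the thread or from bench/frappe. Assumed layout:
<bench>/sites/<site>/site_config.json and <bench>/sites/common_site_config.json
with "ssl_certificate", "ssl_certificate_key", an optional "wildcard" block in
the common config, and a "domains" list that may hold dicts with their own
certificate paths. Function names are mine.
"""
import json
import os
import tempfile
from pathlib import Path

SSL_KEYS = ("ssl_certificate", "ssl_certificate_key")


def load_json(path):
    """Return (data, error). A missing comma raises JSONDecodeError, which is
    what `bench setup nginx` surfaces as 'site_config has errors'."""
    try:
        return json.loads(Path(path).read_text()), None
    except json.JSONDecodeError as exc:
        return None, f"{path}: invalid JSON at line {exc.lineno}: {exc.msg}"
    except OSError as exc:
        return None, f"{path}: {exc.strerror}"


def check_ssl_pair(cfg, where):
    """Both keys must appear together and point at absolute, existing files;
    nginx refuses to reload when a configured certificate path is missing."""
    problems = []
    present = [k for k in SSL_KEYS if k in cfg]
    if not present:
        return problems  # plain-HTTP entry, nothing to check
    if len(present) != 2:
        problems.append(f"{where}: {present[0]} is set without its partner key")
    for key in present:
        p = cfg[key]
        if not os.path.isabs(p):
            problems.append(f"{where}: {key} must be an absolute path: {p}")
        elif not os.path.isfile(p):
            problems.append(f"{where}: {key} file not found: {p}")
    return problems


def check_bench(bench_path):
    """Walk every site under <bench>/sites and return a list of problems."""
    sites_dir = Path(bench_path) / "sites"
    problems = []
    common, err = load_json(sites_dir / "common_site_config.json")
    if err:
        problems.append(err)
        common = {}
    if common.get("wildcard"):
        problems += check_ssl_pair(common["wildcard"], "common_site_config.json[wildcard]")
    if any(k in common for k in SSL_KEYS):
        # a site-level pair here applies to every site; the advice above is to
        # keep these keys out of common_site_config.json
        problems.append("common_site_config.json: site-level ssl keys found")
    for site_cfg in sorted(sites_dir.glob("*/site_config.json")):
        site = site_cfg.parent.name
        cfg, err = load_json(site_cfg)
        if err:
            problems.append(err)
            continue
        problems += check_ssl_pair(cfg, f"{site}/site_config.json")
        for d in cfg.get("domains", []):
            if isinstance(d, dict):  # added via `bench setup add-domain --ssl-certificate ...`
                problems += check_ssl_pair(d, f"{site} domain {d.get('domain')}")
    return problems


def build_demo_bench(root):
    """Constructed sample layout (not a real bench): one correct site, one whose
    JSON lacks the comma between its two ssl lines, one whose key file is missing."""
    root = Path(root)
    live = root / "letsencrypt" / "live" / "good.example"
    live.mkdir(parents=True)
    (live / "fullchain.pem").write_text("dummy cert\n")
    (live / "privkey.pem").write_text("dummy key\n")
    sites = root / "sites"
    sites.mkdir()
    (sites / "common_site_config.json").write_text('{"db_host": "localhost"}\n')
    for name in ("good.example", "nocomma.example", "nokey.example"):
        (sites / name).mkdir()
    (sites / "good.example" / "site_config.json").write_text(json.dumps({
        "ssl_certificate": str(live / "fullchain.pem"),
        "ssl_certificate_key": str(live / "privkey.pem")}))
    (sites / "nocomma.example" / "site_config.json").write_text(
        '{\n "ssl_certificate": "/etc/x/fullchain.pem"\n'
        ' "ssl_certificate_key": "/etc/x/privkey.pem"\n}\n')
    (sites / "nokey.example" / "site_config.json").write_text(json.dumps({
        "ssl_certificate": str(live / "fullchain.pem"),
        "ssl_certificate_key": str(root / "missing" / "privkey.pem")}))
    return root


def demo():
    """Run the check against the constructed bench; returns the problem list."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_bench(build_demo_bench(tmp))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Against a real bench, call `check_bench("/home/frappe/frappe-bench")` and fix every reported line before running `bench setup nginx` and reloading nginx; an empty list means the JSON parses and every configured certificate path resolves to a file, which is the state the nginx reload needs.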

Okay, the syntax there is incorrect.

According to the official bench command guide, it should be:

bench setup add-domain --site site1.local [your.domain.here]

bench setup nginx

sudo service nginx reload

And when it comes to the certbot guide, I have not found any that work as well as the use of snapd to handle all of the complicated settings so I don't have to deal with them. Here is the short version of using snapd to install certbot and get your ssl certificate:

  • First we need to make sure that 'certbot' is not already installed, so we will attempt to remove it just in case
    sudo apt-get remove certbot

  • Now we are going to install the package bundle provider and make sure it is all up-to-date with the latest release of 'snapd' and let it handle the certbot for us
    sudo apt install snapd
    sudo snap install core
    sudo snap refresh core

  • Now we use the 'snap' service to automatically install and configure certbot to work perfectly with your new ERPNext server
    sudo snap install --classic certbot
    sudo ln -s /snap/bin/certbot /usr/bin/certbot

  • Now we can safely use the pre-configured certbot to install your SSL certificate
    sudo certbot --nginx

(The system will pause at some point and ask you to select the site name you wish to install the certificate on from a list of names it found. Be sure to select the URL you used and not 'site1.local' at this point)
Be patient. This process looks like it is not doing anything sometimes for as long as 60 to 90 seconds, but it is actually working in the background. It will respond with questions you need to answer.

One more thing to noteā€¦
If you have multiple URLs pointing to the same site (site1.local) then you will see in the list of sites to select from all of those URLs plus the site1.local. Run the "sudo certbot --nginx" command multiple times to get certificates for each of the URLs in your list. Just select a different one each time you run the command. (Don't select site1.local as it is not a valid URL.) I have this scenario running on several servers right now so I know it works.

Now the next logical question is: "Will this work on my system now that I have been messing with all of the files and settings?"

The answer is that I do not know. I use the above set of instructions with all of my new installs and I never try any of the complicated methods you find in google searches or here on the forum. I only use the snapd method now.

I never rename the bench or the site1.local directory. The bench commands I use and the snapd certbot method take all of that into consideration for me and work flawlessly for my new installs.

Hope this helps... Trying to figure out all of the syntax for certbot and how to edit all the right files is problematic. The snapd method above avoids all of that.

BKM

3 Likes

Hey,

This is what I did recently - probably a hack, but worked for me:

  1. installing certbot on the machine (which I think you have already done)
  2. run bench setup add-domain <domain> --site <site> command for each site to make sure each site_config.json had the domain value added.
  3. did the bench setup nginx thing which would configure necessary blocks in nginx.conf in ./config/ of frappe-bench. It is important that you do the add-domain command for all necessary sites before this.
  4. Then stopped the nginx service using service nginx stop as some part of certbot validation uses the port being used by nginx.
  5. Then, for each site, did the sudo certbot certonly --standalone. Once for each site. This ended up creating folders in /etc/letsencrypt/.... Just follow instructions on screen.
  6. Once the folders are available, modify the site_config.json file as mentioned by a post above (the ssl_certificate and ssl_certificate_key values). At this point there are no further changes required in the site_config.json.
  7. At this point, I took backup of nginx.conf because next step would modify it.
  8. Then, sudo certbot certonly --nginx - which would rebuild the nginx.conf for you. Now, at this point you will notice that the original and new nginx.conf would have deviated. This command would comment out some part of the blocks which bench setup nginx had configured.
  9. Then, again, I did sudo certbot certonly --standalone - the trick is, at this point it would ask you which certificates to validate and I mentioned all sites which needed to be up.
  10. Restart nginx service by sudo service nginx restart - generally it would fail if your configuration was wrong (in case you manually edited it). Otherwise, check the site_config.json in case of failure. System logs has mention of what could have failed.

The problem is that I too wasn't able to figure out steps 8 and 9 - and in most cases only a single site worked for me at a time - usually the first one, as all others would just simply fail in validation. But, if we create certificates individually (such that each has a folder in /etc/letsencrypt/live) and then reconfigure certbot to renew the certificate, it would somehow reconfigure them. (I might be wrong and my gut feeling says that step 9 is irrelevant).
I think the step 8 is the one which the document somehow gets wrong (or incomplete) - the certbot changed nginx configuration is pretty different from what bench setup nginx does - but you need both. First one to create shell which certbot will use, and second to actually link to certificates.

Now whenever I have to add a new site, I do the above steps and it seems to work. (And yes, I do have brain-fog in some of the steps as to 'why' that is required - but, who cares until it works :smiley:)

I hope it helps. I have a server working with about 4 separate sites, each with its own valid license. That is Debian 10 - but I donā€™t think it has any particular OS level dependency.

I shall try this

This post has helped me figure out the solution to how to have both separate sites with different domains to work.

When issuing sudo certbot --nginx

You don't have to select each domain separately; you have to choose the option to install the certificate on both domains at the same time.

Doing this will fix all the issues and both sites will work... at least it did for me, on v13 with ubuntu 20

1 Like
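The two replies above come down to which hostnames get handed to `certbot --nginx` in one run. Rather than picking them from certbot's interactive menu, they can be read out of each site's site_config.json and passed with `-d`, which also keeps the site directory name (site1.local) out of the request. The script below is an added example, not code from this thread or from the certbot or bench projects. It assumes the bench layout `<bench>/sites/<site>/site_config.json`, that `bench setup add-domain` stores hostnames in a `domains` list (plain strings, or dicts with a `domain` key), and uses only certbot's documented flags (`--nginx`, `-d`, `--non-interactive`, `--agree-tos`, `-m`, `--redirect`). The sample bench it builds is constructed for the demo.

```python
"""Build the `certbot --nginx` invocation(s) for a bench's public domains.

Added example, not code from the thread or from certbot/bench. Assumes the
bench layout <bench>/sites/<site>/site_config.json whose "domains" list holds
hostnames (strings, or dicts with a "domain" key) added with
`bench setup add-domain`, and certbot's documented flags --nginx, -d,
--non-interactive, --agree-tos, -m and --redirect. Function names are mine.
"""
import json
import tempfile
from pathlib import Path


def site_hostnames(bench_path, is_public=lambda h: not h.endswith(".local")):
    """Map each site directory to the hostnames certbot should request for it.
    Site directory names that are not real hostnames (site1.local) are dropped:
    the 'do not select site1.local' advice above, made explicit."""
    result = {}
    for cfg_path in sorted((Path(bench_path) / "sites").glob("*/site_config.json")):
        site = cfg_path.parent.name
        cfg = json.loads(cfg_path.read_text())
        names = [site] + [d["domain"] if isinstance(d, dict) else d
                          for d in cfg.get("domains", [])]
        names = sorted({n for n in names if is_public(n)})
        if names:
            result[site] = names
    return result


def certbot_argv(domains, email):
    """One non-interactive certbot run covering the given hostnames."""
    argv = ["sudo", "certbot", "--nginx", "--non-interactive", "--agree-tos",
            "--redirect", "-m", email]
    for d in domains:
        argv += ["-d", d]
    return argv


def certbot_commands(bench_path, email, one_cert=False):
    """one_cert=True: a single certificate listing every domain on the bench
    (what selecting all names at once in the menu does).
    one_cert=False: one certificate per site, so separate tenants do not share
    a certificate whose SAN extension lists each other's hostnames."""
    per_site = site_hostnames(bench_path)
    if one_cert:
        every = sorted({h for names in per_site.values() for h in names})
        return [certbot_argv(every, email)] if every else []
    return [certbot_argv(names, email) for names in per_site.values()]


def build_demo_bench(root):
    """Constructed sample (not a real bench): a site1.local carrying two public
    domains, and a second site whose directory name is itself the hostname."""
    sites = Path(root) / "sites"
    (sites / "site1.local").mkdir(parents=True)
    (sites / "site1.local" / "site_config.json").write_text(json.dumps(
        {"domains": ["www.example.com", {"domain": "example.com"}]}))
    (sites / "erp.example.org").mkdir()
    (sites / "erp.example.org" / "site_config.json").write_text("{}")
    return root


def demo(one_cert=False):
    """Return the argv lists built for the constructed bench."""
    with tempfile.TemporaryDirectory() as tmp:
        return certbot_commands(build_demo_bench(tmp), "admin@example.com", one_cert)


if __name__ == "__main__":
    for argv in demo(one_cert=True) + demo():
        print(" ".join(argv))
```

Run `bench setup nginx` and reload nginx before executing the printed commands, so that certbot's nginx installer finds a server block for every requested name. Bear in mind that `certbot --nginx` edits the nginx configuration in place, and a later `bench setup nginx` regenerates that file from bench's template, which is the deviation described in step 8 of the reply above; the per-site paths in site_config.json are what survive a regeneration.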