Yes. Correct. This way you do not have to mess with the /etc/hosts.
Still not working. My exact sitename is ags.v1, my domain is ags.vertexrt.com.au. So I renamed the site directory as mv ags.v1 ags.vertexrt.com.au. Still doesn't work.
Have you checked that in each site has its own ssl path in its site_config.json?
And no ssl path in common_site_config.json.
I’m not an expert but maybe this can help.
Nope, neither site has it nor does the common_site_config file. Basically I completely disregarded the frappe let’s encrypt guide. Instead I followed the certbot guide for ubuntu servers. I’ve never tried using it for multiple sites so this is the first time I’m facing this issue.
Well… maybe you can add the cert to each site_config accordingly.
"ssl_certificate": "/etc/letsencrypt/live/domainname.com/fullchain.pem",
"ssl_certificate_key": "/etc/letsencrypt/live/domainname.com/privkey.pem"
I use the common_site_config for wildcard ssl.
"wildcard": {
"domain": "domainname.com",
"ssl_certificate": "/etc/letsencrypt/live/domainname.com/fullchain.pem",
"ssl_certificate_key": "/etc/letsencrypt/live/domainname.com/privkey.pem"
}
If you use bench setup add-domain because your site name is different than the domain name, you can add to the command:
--ssl-certificate TEXT Absolute path to SSL Certificate
--ssl-certificate-key TEXT Absolute path to SSL Certificate Key
Tried adding the certificates alongside path to both the site_config and/or the common_site_config. Did not do the trick
bench setup nginx and bench setup reload-nginx?
Sorry, I did not ask -
Are you installing SSL using lets-encrypt certbot?
Did that
I’m not an expert in server and ssl so I have run out of ideas.
I guess it’s the multi domain that causes the ssl not to run.
My setup is multi tenants with single domain with ssl for each subdomain (each site_config.json has its entry for ssl).
My other setup is multi tenants with single domain and using wildcard for all subdomain (no ssl entry in site_config, but one entry in common_site_config.json)
I also have a site with multi subdomain (added via bench setup add-domain) and ssl for each subdomain.
The same as you I set the ssl following that certbot web page (but I use CentOS).
Maybe you can check the nginx.conf to see how the ssl is assigned to each domain.
Yeap I added the domain using:
bench setup add-domain www.abc.com --site sitename.local
Then bench setup nginx and setup reload-nginx
and then I followed the certbot guide for ubuntu, which works perfectly for a single domain or a sub domain
I think you have to bench setup nginx and reload after adding the cert to site_config.json (but I’m not sure).
I’ll try
Okay so the wildcard method does nothing. With each site’s site_config, I pasted the pathways with the appropriate directories as shown and when I run bench setup nginx, it says site_config has errors.
EDIT: There was a missing comma at the end of the second line of the ssl path. Now a new issue arises: bench setup nginx works fine but sudo service nginx reload says nginx failed to restart. When I remove the ssl pathways from the site_config.json, sudo service nginx reload works.
Check the path, name and availability of the certs in /etc/letsencrypt/.
A mismatch between the cert in nginx.conf, site_config.json and the actual cert in that directory had caused me the same problem.
I think I posted a reply about this problem. Let me try to find it
EDIT: found it NGINX Stopped after renew the SSL - #3 by rahy
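The check suggested above (config syntax, path, name and availability of the certs), as an added example that is not part of the original thread and not bench's own code. It assumes the ssl_certificate / ssl_certificate_key keys shown earlier, and assumes that bench setup add-domain stores a "domains" list whose entries are either plain strings or dicts carrying their own certificate paths; the key-permission check is an extra hardening check added here.

```python
import json
import os
import sys

def check_site(site_dir):
    """Return a list of TLS-related problems in <site_dir>/site_config.json."""
    cfg_path = os.path.join(site_dir, "site_config.json")
    try:
        with open(cfg_path) as f:
            cfg = json.load(f)
    except json.JSONDecodeError as e:
        # e.g. the missing comma that made `bench setup nginx` complain
        return [f"{cfg_path}: invalid JSON at line {e.lineno}: {e.msg}"]
    except OSError as e:
        return [f"{cfg_path}: {e.strerror}"]
    # Site-level pair, plus per-domain pairs. Assumption: "domains" is a list
    # whose entries are plain strings or dicts carrying their own cert paths.
    entries = [("site", cfg)]
    entries += [(d.get("domain", "?"), d) for d in cfg.get("domains", [])
                if isinstance(d, dict)]
    problems = []
    for name, entry in entries:
        cert, key = entry.get("ssl_certificate"), entry.get("ssl_certificate_key")
        if not cert and not key:
            continue  # no TLS configured at this level
        if not (cert and key):
            problems.append(f"{name}: certificate and key must be set together")
            continue
        for label, path in (("certificate", cert), ("key", key)):
            if not os.path.isabs(path):
                problems.append(f"{name}: {label} path is not absolute: {path}")
            elif not os.path.isfile(path):
                problems.append(f"{name}: {label} file missing: {path}")
        if os.path.isfile(key) and os.stat(key).st_mode & 0o077:
            problems.append(f"{name}: key is readable by group/other: {key}")
    return problems

def check_bench(sites_dir):
    """Run check_site() on every directory under sites_dir that has a config."""
    report = {}
    for name in sorted(os.listdir(sites_dir)):
        site_dir = os.path.join(sites_dir, name)
        if os.path.isfile(os.path.join(site_dir, "site_config.json")):
            report[name] = check_site(site_dir)
    return report

if __name__ == "__main__":
    for site, problems in check_bench(sys.argv[1]).items():
        print(site, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Pass the bench's sites directory as the only argument, and run it as a user that can read the certificate directories, otherwise existing files are reported as missing.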
Okay, the syntax there is incorrect.
According to the official bench command guide, it should be:
bench setup add-domain --site site1.local [your.domain.here]
bench setup nginx
sudo service nginx reload
And when it comes to the certbot guide, I have not found any that work as well as the use of snapd to handle all of the complicated settings so I don’t have to deal with them. Here is the short version of using snapd to install certbot and get your ssl certificate:
- First we need to make sure that ‘certbot’ is not already installed, so we will attempt to remove it just in case
sudo apt-get remove certbot
- Now we are going to install the package bundle provider and make sure it is all up-to-date with the latest release of ‘snapd’ and let it handle the certbot for us
sudo apt install snapd
sudo snap install core
sudo snap refresh core
- Now we use ‘snap’ service to automatically install and configure certbot to work perfectly with your new ERPNext server
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Now we can safely use the pre-configured certbot to install your SSL certificate
sudo certbot --nginx
(The system will pause at some point and ask you to select the site name you wish to install the certificate from a list of names it found. Be sure to select the URL you used and not ‘site1.local’ at this point)
Be patient. This process looks like it is not doing anything sometimes for as long as 60 to 90 seconds, but it is actually working in the background. It will respond with questions you need to answer.
One more thing to note…
If you have multiple URLs pointing to the same site (site1.local) then you will see in the list of sites to select from all of those URLs plus the site1.local. Run the “sudo certbot --nginx” command multiple times to get certificates for each of the URLs in your list. Just select a different one each time you run the command. (Don’t select site1.local as it is not a valid URL.) I have this scenario running on several servers right now so I know it works.
Now the next logical question is: “Will this work on my system now that I have been messing with all of the files and settings?”
The answer is that I do not know. I use the above set of instructions with all of my new installs and I never try any of the complicated methods you find in google searches or here on the forum. I only use the snapd method now.
I never rename the bench or the site1.local directory. The bench commands I use and the snapd certbot method take all of that into consideration for me and work flawlessly for my new installs.
Hope this helps… Trying to figure out all of the syntax for certbot and how to edit all the right files is problematic. The snapd method above avoids all of that.
BKM
Hey,
This is what I did recently - probably a hack, but worked for me:
1. installing certbot on the machine (which I think you have already done)
2. run bench setup add-domain <domain> --site <site> command for each site to make sure each site_config.json had the domain value added.
3. did the bench setup nginx thing which would configure necessary blocks in nginx.conf in ./config/ of frappe-bench. It is important that you do the add-domain command for all necessary sites before this.
4. Then stopped the nginx service using service nginx stop as some part of certbot validation uses the port being used by nginx.
5. Then, for each site, did the sudo certbot certonly --standalone. Once for each site. This ended up creating folders in /etc/letsencrypt/... . Just follow instructions on screen.
6. Once the folders are available, modify the site_config.json file as mentioned by a post above (the ssl_certificate and ssl_certificate_key values). At this point there are no further changes required in the site_config.json.
7. At this point, I took backup of nginx.conf because next step would modify it.
8. Then, sudo certbot certonly --nginx - which would rebuild the nginx.conf for you. Now, at this point you will notice that the original and new nginx.conf would have deviated. This command would comment out some part of the blocks which bench setup nginx had configured.
9. Then, again, I did sudo certbot certonly --standalone - the trick is, at this point it would ask you which certificates to validate and I mentioned all sites which needed to be up.
10. Restart nginx service by sudo service nginx restart - generally it would fail if your configuration was wrong (in case you manually edited it). Otherwise, check the site_config.json in case of failure. System logs have mention of what could have failed.
The problem is that I too wasn’t able to figure out the step 8 and 9 - and in most cases only a single site worked for me at a time - usually the first one as all others would just simply fail in validation. But, if we create certificates individually (such that each has a folder in /etc/letsencrypt/live) and then reconfigure certbot to renew certificate, it would somehow reconfigure them. (I might be wrong and my gut feeling says that step 9 is irrelevant).
I think the step 8 is the one which the document somehow gets wrong (or incomplete) - the certbot changed nginx configuration is pretty different from what bench setup nginx does - but you need both. First one to create shell which certbot will use, and second to actually link to certificates.
Now whenever I have to add a new site, I do the above steps and it seems to work. (And yes, I do have brain-fog in some of the steps as to ‘why’ that is required - but, who cares until it works)
I hope it helps. I have a server working with about 4 separate sites, each with its own valid license. That is Debian 10 - but I don’t think it has any particular OS level dependency.
I shall try this
This post has helped me figure out the solution to how to have both separate sites with different domains to work.
When issuing sudo certbot --nginx you don’t have to select each domain separately, you have to choose the option to install the certificate on both domains at the same time.
Doing this will fix all the issues and both sites will work… at least it did for me, on v13 with ubuntu 20.