Problem setting up let-encrypt

Taher_Khalil · November 13, 2017, 12:48pm

i did sudo bench setup lets-encrypt foodthink

i got error :

Obtaining a new certificate
An unexpected error occurred:
> The request message was malformed :: Error creating new authz :: DNS name does not have enough labels
> Please see the logfiles in /var/log/letsencrypt for more details.
>
IMPORTANT NOTES:

Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
INFO:bench.utils:sudo service nginx start
There was a problem trying to setup SSL for your site

I have a valid domain associated with the site and working…
why isn’t it working

regards,

lukptr · November 13, 2017, 1:03pm

You need to rename your site “foodthink” to as example “foodthink.com” using
mv sites/foothink/ sites/foothink.com/
and set nginx configuration to multitenant mode
sudo bench config dns_multitenant on
sudo bench setup nginx
sudo service nginx restart
and then
sudo bench setup lets-encrypt foodthink.com
bench use foodthink.com

Taher_Khalil · November 13, 2017, 1:20pm

OK , so my sites name is erp.thinkfoodco.com
so i renamed my folder to erp.thinkfoodco.com and put it inside currentsite.text as well .

then did sudo bench setup lets-encrypt erp.thinkfoodco.com
and got the following output

Running this will stop the nginx service temporarily causing your sites to go offline
Do you want to continue? [y/N]: y
INFO:bench.utils:sudo service nginx stop
INFO:bench.utils:/opt/certbot-auto --config /etc/letsencrypt/configs/erp.thinkfoodco.com.cfg certonly
The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for erp.thinkfoodco.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/erp.thinkfoodco.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/erp.thinkfoodco.com/privkey.pem
Your cert will expire on 2018-02-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
“certbot-auto renew”

If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

nginx.conf already exists and this will overwrite it. Do you want to continue? [y/N]: y
INFO:bench.utils:sudo service nginx start

it looks like everything was smooth but
when i enter my site name erp.thinkfoodco.com its still unsecure …

and the strangest thing is if i enter as www.erp.thinkfoodco.com then i get the sorry we will be back soon page

here is what i have in my sites_config file

“ssl_certificate_key”: “/etc/letsencrypt/live/erp.thinkfoodco.com/privkey.pem”,
“domains”: [
“erp.thinkfoodco.com”

did i do something wrong.?

revant_one · November 13, 2017, 4:08pm

can you share your frappe-bench/config/nginx.conf?

Does it have this part?

# http to https redirect
server {
	listen 80;
	server_name erp.thinkfoodco.com;
	return 301 https://$host$request_uri;
}

Taher_Khalil · November 14, 2017, 11:21am

Heres my nginx.conf from server blocks:

server blocks

server {
listen 80;
server_name
erp.thinkfoodco.com
;

    root /home/global/frappe-bench/sites;





    location /assets {
            try_files $uri =404;
    }

    location ~ ^/protected/(.*) {
            internal;
            try_files /$site_name_unnvoac/$1 =404;
    }

    location /socket.io {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Frappe-Site-Name $site_name_unnvoac;
            proxy_set_header Origin $scheme://$http_host;
            proxy_set_header Host $host;

            proxy_pass http://frappe-bench-socketio-server;
    }

    location / {
            try_files /$site_name_unnvoac/public/$uri @webserver;
    }

    location @webserver {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                              proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Frappe-Site-Name $site_name_unnvoac;
            proxy_set_header Host $host;
            proxy_set_header X-Use-X-Accel-Redirect True;
            proxy_read_timeout 120;
            proxy_redirect off;

            proxy_pass  http://frappe-bench-frappe;
    }

    # error pages
    error_page 502 /502.html;
    location /502.html {
            root /home/global/.bench/bench/config/templates;
            internal;
    }

    # optimizations
    sendfile on;
    keepalive_timeout 15;
    client_max_body_size 50m;
    client_body_buffer_size 16K;
    client_header_buffer_size 1k;

    # enable gzip compresion
    # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
    gzip on;
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
            application/atom+xml
            application/javascript
            application/json
            application/rss+xml
            application/vnd.ms-fontobject
            application/x-font-ttf
                                                                                                                          97,1-8        30%
           # text/html is always compressed by HttpGzipModule

}

server {
listen 443;
server_name
erp.thinkfoodco.com
;

    root /home/global/frappe-bench/sites;




    ssl on;
    ssl_certificate      /etc/letsencrypt/live/erp.thinkfoodco.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/erp.thinkfoodco.com/privkey.pem;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers   on;

and many other things but no return 301

revant_one · November 14, 2017, 11:40am

Try if this works,

copy config/nginx.conf (just for backup)
and change server block listening on 80 like following

# http to https redirect
server {
	listen 80;
	server_name erp.thinkfoodco.com;
	return 301 https://$host$request_uri;
}

or run command bench setup nginx it should do the above automatically.

and reload nginx

sudo service nginx reload

Taher_Khalil · November 14, 2017, 6:09pm

Yes that did the trick,
adding return 301 https://$host$request_uri; to the block did it.

Thanks