Setup SSL properly

Hello there,

I am trying to set up SSL properly. I’ve used the following instructions:

The changes do not affect anything on erpnext.

So calling http:// will still be unsecured and does not redirect to https. Of course, I did not even come to this point, since the https-version does not work at all.

Calling https://mysite.local gives me the following error in Firefox:

ssl_error_rx_record_too_long

In Chrome:

ERR_SSL_PROTOCOL_ERROR

I hope someone knows about this. Thank you in advance.

Kind regards

Christoph

I had to manually force https redirection when I bought an SSL certificate. I modified the frappe.conf file located in /etc/nginx/conf.d

Let me try to do this and I’ll give you my output. @ci2016

UPDATE

@ci2016

Ok, so I added a separate block on the frappe.conf file

server {
    listen 80;
    server_name site.domain.com;
    return 301 https://$host$request_uri;
}

Then restarted nginx
sudo service nginx restart

Now http redirects to https

Let me know how it works with you.

The nginx SSL configuration is worth a review before being put into production.

The allowed ciphers include RC4, which is now considered to be insecure.

I am working on a PR to update this, and perhaps add a few more options in the template (bench/bench/templates/nginx.conf).

Thank you for your code and instruction. This works for redirecting http to https and so force https, which is a good practice.

But, of course, this doesn’t solve my primary problem, that calling the ERP via https gives me the following error in Firefox:

ssl_error_rx_record_too_long

and in Chrome:

ERR_SSL_PROTOCOL_ERROR

Can you paste your site_config.json file?

Here you go:

{
    "ssl_certificate": "/etc/nginx/ssl/nginx.crt",
    "nginx_port": 443,
    "ssl_certificate_key": "/etc/nginx/ssl/nginx.key",
    "db_password": "mydbpassword",
    "db_name": "mydbname",
    "host_name": "https://subdomain.hostname.tld",
    "developer_mode": 0
}

I’ve updated my site_config.json based on Home · frappe/bench Wiki · GitHub

Now it’s the following:

{
    "ssl_certificate": "/etc/letsencrypt/live/sub.domain.tld/fullchain.pem",
    "nginx_port": 443,
    "ssl_certificate_key": "/etc/letsencrypt/live/sub.domain.tld/privkey.pem",
    "db_password": "mydbpassword",
    "db_name": "mydbname",
    "host_name": "https://sub.domain.tld",
    "developer_mode": 0
}

I still have the same error.

It still doesn’t work. The link above (Home · frappe/bench Wiki · GitHub) also got deleted.

@ci2016 One step is missing.

Step 1: After configuring site_config.json like this

$ cd frappe-bench/sites/{{site_name}}
Add the following two lines to your site_config.json
"ssl_certificate": "/etc/letsencrypt/live/example.com/fullchain.pem",
"ssl_certificate_key": "/etc/letsencrypt/live/example.com/privkey.pem"

Step 2: Turn on the multi-tenant environment by

bench config dns_multitenant on

Step 3: Regenerate the nginx configuration followed by nginx restart

$ bench setup nginx
$ sudo service nginx restart

Bench will configure the SSL block automatically.

Sunil
Nescode // Partner for ERPNext

@sunilsrikumar Thank you. Unfortunately the error is still the same.

I don’t know why, but in my /etc/nginx/conf.d/frappe.conf both server entries were listening to port 443. After changing the first one to 80 it worked.
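
A check for the two configuration problems raised in this thread, a server block listening on port 443 without TLS enabled and an ssl_ciphers list that allows RC4, written as an added example that is not part of any post above and is not bench's own code. The sample configuration is constructed from values quoted in the thread, the function names are hypothetical, and the check assumes that plain HTTP answered on port 443 is one cause of ssl_error_rx_record_too_long.

```python
import re

# Constructed sample: a redirect block left on port 443 without TLS,
# followed by a TLS block whose cipher list still allows RC4.
SAMPLE_CONF = """
server {
    listen 443;
    server_name site.domain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name site.domain.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_ciphers HIGH:RC4-SHA:!aNULL:!MD5;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, matching nested braces."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments before scanning
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (block_number, finding) tuples for the issues described above."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        # Older configs enable TLS with `ssl on;` instead of `listen ... ssl`.
        ssl_on = re.search(r"\bssl\s+on\s*;", body) is not None
        for spec in re.findall(r"\blisten\s+([^;]+);", body):
            args = spec.split()
            port = args[0].rsplit(":", 1)[-1]  # handles 0.0.0.0:443, [::]:443
            if port == "443" and "ssl" not in args[1:] and not ssl_on:
                findings.append((n, "listens on 443 without TLS enabled"))
        for ciphers in re.findall(r"\bssl_ciphers\s+([^;]+);", body):
            for token in ciphers.strip("'\" ").split(":"):
                # "!RC4" and "-RC4" remove the cipher; other forms allow it.
                if "RC4" in token.upper() and token[0] not in "!-":
                    findings.append((n, "ssl_ciphers allows " + token))
    return findings

if __name__ == "__main__":
    for block, issue in audit(SAMPLE_CONF):
        print(f"server block #{block}: {issue}")
```
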

The ssl_error_rx_record_too_long error only occurs in Mozilla Firefox. Even if other browsers could have variations of the issue, you probably won’t encounter it when using them. For instance, it states that the website you are attempting to visit is unavailable “because the authenticity of the received data could not be verified.”
There can be many different methods to solve the error, such as:

  1. Erase the Cache and History for Your Browser
  2. Update Firefox Browser
  3. Uninstall Extensions
  4. Utilize the HTTP Protocol.

Hope it helps!