SSL Setup for Bench and CloudFlare

try this:
frappe-bench$ sudo systemctl enable supervisor
frappe-bench$ sudo reboot

1 Like

Hey @komsel2228
Your suggestion worked. Now the site is loading normally.
But now I’m unable to install fail2ban … even apt-get update is not working! Any clues?

[update]
I rebooted the server and apt-get is now working. However, “bench update” is not working. It throws the following errors:
XX–XX–XX–XX
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 11, in <module>
    load_entry_point('bench', 'console_scripts', 'bench')()
  File "/home/frappe/.bench/bench/cli.py", line 40, in cli
    bench_command()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/frappe/.bench/bench/commands/update.py", line 30, in update
    patches.run(bench_path='.')
  File "/home/frappe/.bench/bench/patches/__init__.py", line 21, in run
    result = execute(bench_path)
  File "/home/frappe/.bench/bench/patches/v3/celery_to_rq.py", line 7, in execute
    frappe_branch = get_current_branch('frappe', bench_path)
  File "/home/frappe/.bench/bench/app.py", line 171, in get_current_branch
    return get_cmd_output("basename $(git symbolic-ref -q HEAD)", cwd=repo_dir)
  File "/home/frappe/.bench/bench/utils.py", line 321, in get_cmd_output
    return subprocess.check_output(cmd, cwd=cwd, shell=True, stderr=open(os.devnull, 'wb')).strip()
  File "/usr/lib/python2.7/subprocess.py", line 567, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory: './apps/frappe'
XX–XX–XX–XX

Is your present working directory frappe-bench?
bench commands should be run in frappe-bench directory.

Hi @KanchanChauhan

Thanks for your reply. I tried to run “sudo bench update” from the directory /home/frappe/frappe-bench and received the following error:

XX–XX–XX–XX–XX
INFO:bench.utils:updating bench
remote: Counting objects: 12, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 12 (delta 10), reused 12 (delta 10), pack-reused 0
Unpacking objects: 100% (12/12), done.
From GitHub - frappe/bench: CLI to manage Multi-tenant deployments for Frappe apps
   b07de26..164bc13  master     -> origin/master
Updating b07de26..164bc13
error: Your local changes to the following files would be overwritten by merge:
    bench/patches/v4/update_node.py
    playbooks/develop/ubuntu.yml
Please, commit your changes or stash them before you can merge.
Aborting
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 11, in <module>
    load_entry_point('bench', 'console_scripts', 'bench')()
  File "/home/frappe/.bench/bench/cli.py", line 40, in cli
    bench_command()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/frappe/.bench/bench/commands/update.py", line 34, in update
    update_bench()
  File "/home/frappe/.bench/bench/utils.py", line 227, in update_bench
    exec_cmd("git pull", cwd=cwd)
  File "/home/frappe/.bench/bench/utils.py", line 127, in exec_cmd
    raise CommandFailedError(cmd)
bench.utils.CommandFailedError: git pull
XX–XX–XX–XX–XX

For “bench update”, i.e. without sudo, I receive the following error:

XX–XX–XX–XX–XX
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 11, in <module>
    load_entry_point('bench', 'console_scripts', 'bench')()
  File "/home/frappe/.bench/bench/cli.py", line 40, in cli
    bench_command()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1057, in invoke
    Command.invoke(self, ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/frappe/.bench/bench/commands/__init__.py", line 21, in bench_command
    setup_logging(bench_path=bench_path)
  File "/home/frappe/.bench/bench/utils.py", line 265, in setup_logging
    hdlr = logging.FileHandler(log_file)
  File "/usr/lib/python2.7/logging/__init__.py", line 913, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 943, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/home/frappe/frappe-bench/logs/bench.log'
XX–XX–XX–XX–XX

Any suggestions?

I just tried setting up SSL certificate.

First I generated my own SSL certificate with these commands:
sudo mkdir /PATH/TO/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /PATH/TO/ssl/nginx.key -out /PATH/TO/ssl/nginx.crt

Then I followed steps mentioned on this URL but unfortunately this doesn’t work.

My server is behind CloudFlare. When I switch from Flexible to Full (in Crypto SSL settings), it shows web-server is down. When I switch back from Full to Flexible the server again goes up.

I have setup a page rule on CloudFlare to force HTTPS on my ERP server URL.

Any idea to resolve this?

Hi @rmehta
The errors shown above are still hounding my server. Can you please spare a few minutes and revert with a possible solution for the issue?

@saurabh

You shouldn’t run bench commands as root. To fix this, do:

chown -R frappe:frappe frappe-bench outside the frappe-bench folder. And then you’ll have to go into the erpnext and frappe app folders in frappe-bench/apps/ and then run git reset --hard. Then try bench update again without sudo as the frappe user.

I don’t think self-signed certificates will work. The reason “Flexible” setup works on Cloudflare, is because in that scenario the server and Cloudflare’s connection is not secure. “Full” setup requires SSL between the server and Cloudflare. Your SSL wasn’t working.

You can use Let’s Encrypt to get SSL on your server. There’s a handy command for that in bench. Use it so:

bench setup lets-encrypt [site-name]
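The ownership fix above addresses the failure mode behind the “Permission denied” errors on logs/bench.log and .git/index.lock: files created while running bench under sudo are owned by root, so the frappe user can no longer write them. The following is an added example, not code from the thread or from the bench project, that checks a bench directory for entries owned by anyone other than the expected service user before `bench update` is attempted. The bench path and the `frappe` user are assumptions taken from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the bench project): list files inside a
# bench directory that are NOT owned by the expected service user. Files created
# by "sudo bench ..." end up owned by root, which is what produces the
# "Permission denied" on logs/bench.log and apps/*/.git/index.lock.
set -eu

# foreign_owned DIR UID: print every path under DIR whose owner uid differs
# from UID. A numeric uid is used so the check also works if the owning
# account no longer exists on the host.
foreign_owned() {
    local bench_dir="$1" expected_uid="$2"
    find "$bench_dir" ! -uid "$expected_uid" -print
}

# count_foreign_owned DIR UID: number of foreign-owned entries; 0 means the
# tree is consistently owned and bench can be run as that user.
count_foreign_owned() {
    foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Usage (assumed paths; frappe is the service user in the thread):
#   count_foreign_owned /home/frappe/frappe-bench "$(id -u frappe)"
# A non-zero count means "sudo chown -R frappe:frappe /home/frappe/frappe-bench"
# (run from outside the bench directory) is still needed before bench update.
if [ "${1:-}" != "" ]; then
    uid="${2:-$(id -u)}"
    n=$(count_foreign_owned "$1" "$uid")
    echo "entries under $1 not owned by uid $uid: $n"
    [ "$n" -eq 0 ]
fi
```

Run it as `./check_bench_owner.sh /home/frappe/frappe-bench "$(id -u frappe)"`; a non-zero exit means some paths still need `chown`. The same `find` invocation also shows exactly which files sudo left behind, which is useful when deciding whether a `git reset --hard` in apps/frappe or apps/erpnext is really needed.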

Hi @vjFaLk

Thanks for your response. Unfortunately, your fix didn’t work for updating the setup. I used the following steps:

1.) cd /home/frappe/frappe-bench/apps/erpnext

2.) sudo git reset --hard
Above command returned:
HEAD is now at a8b8d81 Merge branch 'hotfix'

3.) cd /home/frappe/frappe-bench/apps/frappe

4.) sudo git reset --hard
Above command returned:
HEAD is now at 5b83bb4 Merge branch 'hotfix'

5.) cd /home/frappe/frappe-bench

6.) bench update --user frappe
The above command returned the following error:

Traceback (most recent call last):
  File "/usr/local/bin/bench", line 11, in <module>
    load_entry_point('bench', 'console_scripts', 'bench')()
  File "/home/frappe/.bench/bench/cli.py", line 40, in cli
    bench_command()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1057, in invoke
    Command.invoke(self, ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/frappe/.bench/bench/commands/__init__.py", line 21, in bench_command
    setup_logging(bench_path=bench_path)
  File "/home/frappe/.bench/bench/utils.py", line 265, in setup_logging
    hdlr = logging.FileHandler(log_file)
  File "/usr/lib/python2.7/logging/__init__.py", line 913, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 943, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/home/frappe/frappe-bench/logs/bench.log'

Also, no luck with SSL using LetsEncrypt. When I enter the following command:

1.) cd /home/frappe/frappe-bench/

2.) sudo bench setup lets-encrypt site1.local
The above command returns the following error:
You cannot setup SSL without DNS Multitenancy

Due to the above error, I had to use the normal HTTPS setup, which failed. I have set up other normal websites with self-signed certificates and they work like a charm through the CloudFlare FULL SSL setting. As per CloudFlare, the following settings work as explained below:
FLEXIBLE: Need not have any SSL on server but connection from CF CDN to your server would not be encrypted, yet the browser will show HTTPS enabled on the site.
FULL: Need to have a SSL on the server (may that even be self-signed). The connection from visitor to the server is encrypted throughout.
STRICT: Need to have a VALID SSL issued by an authorized CA. The connection from visitor to the server is encrypted throughout.

So when I self-sign the certificate, it should work here in ERPNext setup too.

Suggestions to resolve would be highly appreciated!!

Please don’t use sudo for git commands. I’d suggest repeating my previous commands from the top without sudo.

Your site is named ‘site1.local’, which is a problem. It should be named according to your actual domain. The reason your self-signed certificate didn’t work, was the same reason. You need to rename your site.

@vjFaLk

I used the following command and it returned the error shown:

COMMAND: git reset --hard
ERROR: fatal: Unable to create '/home/frappe/frappe-bench/apps/frappe/.git/index.lock': Permission denied

Regarding SSL: Can you advise how to change site name without breaking/disturbing other site settings?

Please don’t call out users. Point 2

If you need urgent help. Hire a freelancer.

1 Like

Hi @vjFaLk

[UPDATE]

I tried to individually run the following commands for updating ERPNext (I had to use “sudo” to run these commands; without “sudo” they didn’t work):

bench update --pull
bench update --patch
bench update --build
bench update --bench
bench update --requirements

Amongst the above, all commands ran like a charm, except this one:

bench update --bench

It seems there is some issue with “bench” pulling updates from “git”. Any suggestions now?

Hi @vjFaLk

[UPDATE]

I reinstalled complete setup on a fresh server (Ubuntu 14.04.5 this time) and I’m able to update setup using following commands:

1.) cd /home/frappe/frappe-bench/

2.) sudo bench update

The above command fails without sudo.

SSL is still haunting me. I don’t know how to change site-name. I tried using following command to add my domain to the setup:

bench setup add-domain my.domain.com

This command returns no error and the config file shows the updated domain but SSL still fails over CloudFlare. Suggestions would be highly appreciated!

TIA

Did you get SSL certificates?

Hi @vjFaLk

Yes. I purchased new SSL from Comodo - PositiveSSL.

Now even my site name is correct (as per my site.website.com) but when I enable FULL/STRICT SSL through CloudFlare, the server goes down. The error on the site (through CloudFlare) comes up as follows:

“The web server is not returning a connection. As a result, the web page is not displaying.”

It seems the server is not set up for working on port 443/SSL/HTTPS, and that’s why, when CloudFlare demands a secured connection from the server, the server is not able to respond to this explicit request and the request fails.

Can you advise a solution to manually configure/setup required files for configuring HTTPS/SSL like nginx.conf etc ?

TIA

[UPDATE]

I have set a Page Rule on CloudFlare to enforce HTTPS on my domain. When I disable this rule and set SSL to STRICT, the site works without any problems but on HTTP and the site doesn’t show HTTPS even when I manually enter https://sub.domain.com.

I thought this information is vital for you to be able to understand the real problem behind the SSL issue.

So the objective is: redirect the site to HTTPS and use the CloudFlare STRICT SSL setting. Maybe we can configure our server to enforce https/ssl on ALL incoming connections and not use the CloudFlare Page Rule to enforce HTTPS. It seems this will work. Please advise a solution in this direction!

While testing further, I tried following command from terminal:

curl https://1.2.3.4 -v [where 1.2.3.4 is my site IP address, real IP not shown for privacy]

The above command returns the following:

* Rebuilt URL to: https://1.2.3.4/
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...
* connect to 1.2.3.4 port 443 failed: Connection refused
* Failed to connect to 1.2.3.4 port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 1.2.3.4 port 443: Connection refused

It shows the server is not allowing connections on port 443. So there is some ERPNext config that needs to be changed which will enable connections on port 443.

[SOLVED]

Despite following this guide, the config for HTTPS was not getting loaded into nginx.conf. As I was unaware of the file structure, I thought the conf file to be amended manually was either /etc/nginx/nginx.conf OR /etc/nginx/sites-available/default.

BUT, after struggling a bit, I found that the functional conf file for ERPNext resides here:
/home/frappe/frappe-bench/config/nginx.conf

So, I manually added another “server block” in the above file and added SSL parameters. Voilà, now it works!

Now I have the following settings enabled on CloudFlare:

  • Page rule that enforces HTTPS on my site url
  • SSL settings under Crypto are set to STRICT

I hope this thread will help other members to solve this issue and also enable ERPNext developers to test this scenario to come up with a solution in upcoming updates!

Thanks to @komsel2228 @KanchanChauhan @ganas & @vjFaLk for participating in this discussion! Special thanks to @vjFaLk for extended support.

3 Likes
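The fix described in the last post (an extra “server block” with SSL parameters in /home/frappe/frappe-bench/config/nginx.conf) and the earlier objective of enforcing HTTPS on the server rather than through a CloudFlare page rule both come down to the same nginx fragment. The following is an added example, not code from the thread or from the bench project: a shell helper that renders a port-80 block redirecting everything to HTTPS and a port-443 block terminating TLS, plus a check on the certificate material before the fragment is installed. The upstream address 127.0.0.1:8000 and the certificate paths are assumptions, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the bench project. Renders the kind of
# HTTPS server block the solved post describes, plus an HTTP block that
# redirects every request to HTTPS so no CloudFlare page rule is needed.
# Assumptions (not from the thread): the bench upstream listens on
# 127.0.0.1:8000; certificate and key paths are supplied by the caller.
set -eu

# render_tls_server_blocks DOMAIN CERT_PATH KEY_PATH [UPSTREAM]
# Prints an nginx configuration fragment to stdout.
render_tls_server_blocks() {
    local domain="$1" cert="$2" key="$3" upstream="${4:-127.0.0.1:8000}"
    cat <<EOF
# plain HTTP: answer only with a permanent redirect to HTTPS
server {
    listen 80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate     ${cert};
    ssl_certificate_key ${key};
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # pass the original host and scheme so the app builds HTTPS URLs
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_pass http://${upstream};
    }
}
EOF
}

# check_tls_material CERT_PATH KEY_PATH: both files must exist and the private
# key must be readable by its owner only (mode 600 or 400). Returns 1 otherwise.
check_tls_material() {
    local cert="$1" key="$2"
    [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing key: $key" >&2; return 1; }
    local mode
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "key $key has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Typical use (paths assumed): render the fragment, then test and reload nginx.
#   check_tls_material /etc/ssl/erp/fullchain.pem /etc/ssl/erp/privkey.pem
#   render_tls_server_blocks erp.example.com /etc/ssl/erp/fullchain.pem \
#       /etc/ssl/erp/privkey.pem > /home/frappe/frappe-bench/config/nginx-ssl.conf
#   sudo nginx -t && sudo systemctl reload nginx
#   curl -v https://erp.example.com -o /dev/null   # port 443 should now answer
```

Two caveats when installing the output. The generated bench nginx.conf already has a port-80 `server` block for the site; nginx warns about a conflicting server name if a second one with the same `server_name` is added, so replace the existing port-80 block with the redirect rather than adding a duplicate. And bench rewrites config/nginx.conf whenever `bench setup nginx` is run, so keep the fragment in a separate file included from the main config, or re-apply it after each regeneration. With CloudFlare set to STRICT, the certificate in `ssl_certificate` must be one CloudFlare trusts, which is why the purchased CA-issued certificate worked where the self-signed one did not.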