I’ve got an ERPNext site that I need to be available over the internet. Currently the server ip resolves to my installation just fine as does http://domain.com. I’ve added my key and cert to the server and I created a config file “domain.com.conf” at /etc/nginx/conf.d .
My problem is that one of two things happens.
If I use
listen 443 ssl;
I get a 403 error
If I use
listen 443 ssl;
I get the default nginx page. My certs are available and working.
How exactly should I be doing this? Is there a certain file I should be adding my cert info to instead of the one I created? What should I be using as the root folder if the config file I created is the correct way of doing this.
I do not know which certificates you use.
In case of Let's Encrypt you might want to look up these docs:
I am not sure why you created a new config file, there is already a config file linked in frappe-bench/config. You can set your SSL credentials in the Nginx conf file there.
I created a new config file because I could not find any documentation and because, in general, with the non ERPNext systems I am familiar with you add on a config file rather than changing something the system might change back.
That being said I tried your advice and updated the nginx.conf file. My results were the same as they were with the domain.com.conf file (default nginx page or a 403 error). In addition after making a few other changes to the system the nginx.conf file reverted back to its original form removing all my settings.
I am not using Let's Encrypt, this is a purchased certificate. The certificates are set up and work fine on the default nginx page with an A+ from the SSL Labs server test. The problem is I don't know where I'm supposed to be adding all my SSL settings such as ciphers, protocols and keys. They work in the custom domain.com.conf file but I don't know what the Document Root should be and end up with a 403 or default nginx page.
Thank you both for your tips.
The easiest way to do it is to let bench setup your nginx config files for you:
bench setup nginx will generate a new nginx config file using the domain and ssl information in your site_config.json file.
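As an added example of the site_config.json route described in the post above (this is example code written for this thread, not bench's or Frappe's own code): a small script that checks that a purchased certificate and its private key actually belong together, then merges the two paths into sites/<site>/site_config.json without clobbering the keys that are already there (db_name, db_password and so on). It assumes the bench's sites/<site> directory, the certificate file and the key file are passed on the command line (hypothetical usage), and that the two keys the generated nginx config is rendered from are `ssl_certificate` and `ssl_certificate_key`.

```python
"""Add a purchased certificate to a Frappe site through site_config.json.

Example code for this thread, not part of bench or Frappe. Assumptions:
  * argv[1] is frappe-bench/sites/<site>/ (hypothetical CLI usage)
  * bench's nginx template reads "ssl_certificate" and "ssl_certificate_key"
    from site_config.json (the two keys written below)
"""
import json
import os
import ssl
import sys
import tempfile
from pathlib import Path


def check_pair(cert_path: str, key_path: str) -> tuple[bool, str]:
    """Return (ok, message) for a certificate/key pair.

    SSLContext.load_cert_chain refuses a key that does not match the leaf
    certificate, so a swapped, stale or wrong-site key is caught here,
    before `bench setup nginx` renders a config that `nginx -t` rejects.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError as exc:
        return False, f"certificate and key do not load together: {exc.reason}"
    except OSError as exc:  # FileNotFoundError, PermissionError, ...
        return False, f"cannot read certificate or key: {exc}"
    return True, "certificate and key match"


def set_site_ssl(site_dir: str, cert_path: str, key_path: str) -> dict:
    """Merge the two ssl keys into <site_dir>/site_config.json.

    Existing keys are preserved; the file is replaced atomically and keeps
    its current mode, because site_config.json holds the database password.
    nginx needs absolute paths, so relative ones are made absolute here.
    """
    config_path = Path(site_dir) / "site_config.json"
    config = json.loads(config_path.read_text())
    config["ssl_certificate"] = os.path.abspath(cert_path)
    config["ssl_certificate_key"] = os.path.abspath(key_path)

    mode = config_path.stat().st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=config_path.parent, prefix=".site_config.")
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=1, sort_keys=True)
        fh.write("\n")
    os.chmod(tmp, mode)
    os.replace(tmp, config_path)  # atomic on POSIX
    return config


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} SITE_DIR CERT_PEM KEY_PEM")
    site_dir, cert, key = sys.argv[1:4]
    ok, msg = check_pair(cert, key)
    print(msg)
    if not ok:
        sys.exit(1)
    set_site_ssl(site_dir, cert, key)
    print("site_config.json updated; now regenerate and reload nginx:")
    print("  bench setup nginx && sudo nginx -t && sudo systemctl reload nginx")
```

After the script has run, `bench setup nginx` regenerates config/nginx.conf from site_config.json, `sudo nginx -t` validates it, and a reload applies it. A 403 or the default nginx page on port 443 typically means the request landed on a server block whose server_name does not match the site (so nginx fell through to the default server) or whose root is not the Frappe sites directory; the generated config carries the right `root` and proxy settings, so the certificate paths are the only thing that needs supplying by hand.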
If you own the domain, the simpler way is to get an ssl certificate from Let's Encrypt, using the command sudo certbot --nginx
(on Ubuntu, you install certbot using snap)
I guess you are running into an nginx config issue.
I am also doing what you prefer: I just copied the default config generated by the bench command and modified it with my own settings. Yes, it can get an A+ ranking from SSL Labs as well.
Not sure how to help as there is limited info.
If it happened on my own server, I would check (I am using Fedora, so it may not be the same as other distributions).
Also, the log is your friend and almost all hints can be found there; journalctl -xe may also help to trace the error.
I ended up just copying the frappe-bench.conf file as you suggested and made the appropriate changes. It works but I’m concerned it will fail at a later date.
I tried using bench and the json file for quite some time but it never worked and we cannot use Let's Encrypt, though I appreciate the suggestions.
The site_config.json certainly seems like the way to go but I couldn’t get it to work (v13) and am honestly quite shocked at just how little documentation there is on using ssl since the vast majority of sites must be using it.
The duplicate config will have to work for now but I will keep looking for a less breakable way.
Did you try the instructions from my earlier post? They are super simple and don't assume certbot/Let's Encrypt. They should get site_config.json set up properly for you.
I think what @JDG is concerned about, and also what I have considered before, is:
i. bench setup nginx
we would make changes ourselves to handle nginx hardening, instead of using the bench default settings.
However, we can't be sure, let's say, if frappe/erpnext releases updated settings later in the bench command, whether it will merge, overwrite, or we need to manually cross-check and apply them ourselves.
As is well known with nginx, the link you provided is fine for changing the ssl cert path, but not enough if we need to change settings such as TLS, http2, ciphers etc.
But I agree it is hard for Frappe/ERPNext to cater for this; such advanced config should be placed back under the client/customer's control/consideration.
I did try your suggestion both from bench and by updating the json file directly with both pem and crt/key files and I could not get it to work. I will try to spin up a fresh install this weekend and give it one more try because I do like the idea of this method.
I was able to get the site_config.json method to work. I’m not sure what was causing the problems previously but on a fresh install everything went as expected.