Wildcard SSL via Lets-encrypt on multitenant sub-domain system (3-sites)

Good day

Trust you are all well

I have completed the following:

1. Multitenant system using sub-domains (DNS): check
2. Multitenant system using sub-domains (DNS) with SSL certs for individual sites: check
3. Multitenant system using sub-domains (DNS) with wild-card SSL: still to be done.

I initially had a problem with (2) but got a work-around (post listed below).

For me to do (3) I have been reading up about it.

Found a few posts –

with both of them leaving me a bit confused.

Then I found this post–

In this post they say–

By default, the bench requests certbot to generate the certificate for the wildcard domain as well as for the base domain. Thus Certbot shows two text records. You have to add two DNS TXT records.

You can escape base domain, while generating SSL certificate, using --exclude-base-domain eg:

Finally I get to my question:
It is not clear to me if I must or must not include the base domain.
To my thinking, I must just do the wild-card domain… therefore I must use the
--exclude-base-domain switch…? No?

No.
It depends on how you want to set up your DNS record for your domain.
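As an added illustration of what "it depends on your DNS records" means (this is example code, not part of the thread and not from the bench or certbot projects): the Python below implements the one-label wildcard matching rule that TLS clients apply (RFC 6125 section 6.4.3) and runs it over hostnames constructed to mirror this thread. A certificate for *.mydomain.com covers name1.mydomain.com and www.mydomain.com but not the bare mydomain.com and not a.b.mydomain.com, so --exclude-base-domain is only appropriate if nothing will ever be served on the base domain itself.

```python
"""Which hostnames does a wildcard certificate actually cover?

Added example, not from the forum thread or the Frappe/bench project.
Implements the single-label wildcard rule from RFC 6125 section 6.4.3:
"*.mydomain.com" matches "name1.mydomain.com" but neither the bare
"mydomain.com" nor "a.b.mydomain.com". The SAN lists and hostnames below
are constructed sample input modelled on the thread.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied (case-insensitive, trailing dots stripped):
      * an exact name matches only itself;
      * a wildcard is only honoured as the entire left-most label
        ("*.example.com"); partial wildcards like "w*.example.com" are refused;
      * the wildcard matches exactly one non-empty label, so it does not
        cover the base domain or deeper sub-subdomains.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Only the "*.<at least two fixed labels>" form is accepted.
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return (
        len(host_labels) == len(labels)
        and host_labels[0] != ""
        and host_labels[1:] == labels[1:]
    )


def covered_names(san_list, hostnames):
    """Map each hostname to True/False: is it covered by any name in the SAN list?"""
    return {h: any(hostname_matches(p, h) for p in san_list) for h in hostnames}


# Constructed sample: the SAN list certbot issues by default for the bench
# (wildcard plus base domain) versus the one produced with --exclude-base-domain.
SAN_DEFAULT = ["*.mydomain.com", "mydomain.com"]
SAN_EXCLUDE_BASE = ["*.mydomain.com"]
HOSTS = [
    "name1.mydomain.com",
    "www.mydomain.com",
    "mydomain.com",
    "a.b.mydomain.com",
    "evil-mydomain.com",
]

if __name__ == "__main__":
    for label, sans in (("default", SAN_DEFAULT), ("--exclude-base-domain", SAN_EXCLUDE_BASE)):
        print(label)
        for host, ok in covered_names(sans, HOSTS).items():
            print(f"  {host:24s} {'covered' if ok else 'NOT covered'}")
```

Run it as a script to see both tables side by side; the only difference between the two SAN lists is the bare mydomain.com row.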

Good day @spryng

Thank you for the response

I do have full control over the DNS records for this domain at the service provider.

It is currently set up as follows:

DNS records for mydomain.com

name1 1800 A 10.11.12.13
name2 1800 A 10.11.12.13
name3 1800 A 10.11.12.13
. . . .1800 A 10.11.12.13
www 1800 cname mydomain.com

Server IP address = 10.11.12.13

When creating my sites I did the following:

bench new-site name1.site …
bench setup add-domain --site name1.site name1.mydomain.com

The other sites were the same. Just substitute name1 for name2 and name3.
Would this be correct?

Yes.
Enter the cert paths into site_config.json (for single domain) or common_site_config.json (for wildcard).

Thank you @spryng

I did the following:

Installed certbot:

sudo apt-get remove certbot
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Got the certificates:
sudo certbot certonly --manual

Then loaded the TXT entry into my DNS records

Certificate files were saved in …/etc/letsencrypt/live/…

Then I ran:
bench setup nginx

and got the following error:

nginx.conf already exists and this will overwrite it. Do you want to continue? [y/N]: y
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 11, in <module>
    load_entry_point('bench', 'console_scripts', 'bench')()
  File "/home/erpnextjohn/.bench/bench/cli.py", line 41, in cli
    bench_command()
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/home/erpnextjohn/.bench/bench/commands/setup.py", line 29, in setup_nginx
    make_nginx_conf(bench_path=".", yes=yes)
  File "/home/erpnextjohn/.bench/bench/config/nginx.py", line 29, in make_nginx_conf
    config = get_config(bench_path)
  File "/home/erpnextjohn/.bench/bench/config/common_site_config.py", line 32, in get_config
    return get_common_site_config(bench_path)
  File "/home/erpnextjohn/.bench/bench/config/common_site_config.py", line 39, in get_common_site_config
    return json.load(f)
  File "/usr/lib/python3.6/json/__init__.py", line 299, in load
    parse_constant=parse_constant, object_pairs_hook=object_pairs_hook, **kw)
  File "/usr/lib/python3.6/json/__init__.py", line 354, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.6/json/decoder.py", line 339, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.6/json/decoder.py", line 355, in raw_decode
    obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Expecting ',' delimiter: line 18 column 2 (char 496)

Please don't run bench setup nginx yet (this will remove the cert path from nginx.conf).

  1. Check in the nginx.conf and see if the certs have been applied correctly.

  2. Enter the cert paths into site_config.json (for single domain) or common_site_config.json (for wildcard).
    For wildcard, in your common_site_config.json:
    "wildcard": {
      "domain": "*.example.com",
      "ssl_certificate": "/etc/letsencrypt/live/example.com/fullchain.pem",
      "ssl_certificate_key": "/etc/letsencrypt/live/example.com/privkey.pem"
    }

  3. Run bench setup nginx

Thank you @spryng

Do I add the –

inside the existing { } brackets of the common_site_config.json file, or outside it, just below
the existing { } entries?

Just below the existing entries.
Then
bench setup nginx
(You can also, if need be, do
sudo service nginx reload
sudo supervisorctl restart all etc…)

I thank you for your patience @spryng. It is working fine.

I would like to write down what I have done/learnt during the past few days about
SSL and the multi-tenant sub-domain system:

Installation:
I followed the manual installation method and when it came to the final stages I did this:

bench new-site name1.site --admin-password ------------------
bench --site name1.site enable-scheduler
bench --site name1.site install-app erpnext
bench start
sudo bench setup production erpnextuser
sudo supervisorctl stop all
sudo supervisorctl start all
bench config dns_multitenant on
bench setup add-domain --site name1.site name1.mydomain.com
bench setup nginx
bench setup reload-nginx

bench new-site name2.site --admin-password ----------
bench --site name2.site enable-scheduler
bench --site name2.site install-app erpnext
bench setup add-domain --site name2.site name2.mydomain.com
bench setup nginx
bench setup reload-nginx

Now for the SSL certs.

Installed certbot:

sudo apt-get remove certbot
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Now there are two possibilities: each sub-domain has its own SSL cert, or use a wildcard.
For each sub-domain having its own cert:
sudo certbot --nginx (select required site from list) (repeat for each site)

I think one can also do (???):
sudo certbot --nginx -d site1 -d site2 …etc

For wildcard certbot SSL:

sudo certbot certonly --manual

Answer a few questions. Certbot gives a "TXT" record that must be entered in your
domain's DNS records.

To check whether the TXT record has propagated properly, use:
dig -t txt _acme-challenge.mydomain.com

sudo certbot certificates (to show certs)

After completion the location of the certs is given, and I then edited my
common_site_config.json file (/erpnext/config) to add the "wildcard" section.

It now looks like this:

{
 "auto_update": false,
 "background_workers": 1,
 "dns_multitenant": true,
 "file_watcher_port": 6787,
 "frappe_user": "frappe-user",
 "gunicorn_workers": 2,
 "rebase_on_pull": false,
 "redis_cache": "redis://localhost:13000",
 "redis_queue": "redis://localhost:11000",
 "redis_socketio": "redis://localhost:12000",
 "restart_supervisor_on_update": true,
 "restart_systemd_on_update": false,
 "serve_default_site": true,
 "shallow_clone": true,
 "socketio_port": 9000,
 "webserver_port": 8000,
 "wildcard": {
  "domain": "*.mydomain.com",
  "ssl_certificate": "/etc/letsencrypt/live/mydomain.com/fullchain.pem",
  "ssl_certificate_key": "/etc/letsencrypt/live/mydomain.com/privkey.pem"
 }
}

Then:
bench setup nginx
sudo service nginx reload

Clear the cache in the browser.
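An added example (Python; not from this thread and not from the bench project) that performs the common_site_config.json edit described above programmatically and checks the result, so the two problems met earlier in the thread cannot recur: it parses the file the same way bench does (json.load), turns a hand edit that broke the JSON into a message naming the offending line (the "Expecting ',' delimiter" error above), adds the "wildcard" object as one more top-level key inside the existing braces, and checks that the domain has the *.example.com form and that both certificate paths are absolute. The two config texts are constructed samples; the live directory path is the one used in the thread; only check_paths=True touches the filesystem.

```python
"""Add and sanity-check the "wildcard" section of common_site_config.json.

Added example, not code from the thread or from the bench project. It
reproduces, on constructed input, the two things that went wrong above:
a hand-edited file that is no longer valid JSON (the JSONDecodeError that
bench setup nginx raised) and the question of where the block belongs
(inside the top-level braces, as one more key). check_paths=True verifies
the certificate files exist on the host that runs the script.
"""
import json
import os

WILDCARD_KEYS = ("domain", "ssl_certificate", "ssl_certificate_key")


def load_config(text: str) -> dict:
    """Parse the config; turn a JSONDecodeError into a message that names the
    offending line, the same failure the traceback in the thread shows."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        lines = text.splitlines()
        bad_line = lines[exc.lineno - 1] if 0 < exc.lineno <= len(lines) else ""
        raise ValueError(
            f"common_site_config.json invalid at line {exc.lineno} column {exc.colno}: "
            f"{exc.msg}; offending line: {bad_line!r}"
        ) from exc


def add_wildcard_section(text: str, domain: str, live_dir: str) -> str:
    """Return the config text with a "wildcard" key added (or replaced) as a
    sibling of the existing keys. Re-serialising with json.dumps guarantees
    the comma between entries that a hand edit can miss."""
    config = load_config(text)
    if not domain.startswith("*."):
        raise ValueError("wildcard domain must start with '*.'")
    config["wildcard"] = {
        "domain": domain,
        "ssl_certificate": os.path.join(live_dir, "fullchain.pem"),
        "ssl_certificate_key": os.path.join(live_dir, "privkey.pem"),
    }
    # indent=1 and sorted keys match the layout bench itself writes.
    return json.dumps(config, indent=1, sort_keys=True) + "\n"


def check_wildcard_section(config: dict, check_paths: bool = False) -> list:
    """Return a list of problems; an empty list means the section looks usable."""
    problems = []
    if not config.get("dns_multitenant"):
        problems.append("dns_multitenant is not true; per-host nginx blocks will not be generated")
    wc = config.get("wildcard")
    if not isinstance(wc, dict):
        return problems + ["no 'wildcard' object at top level"]
    for key in WILDCARD_KEYS:
        if key not in wc:
            problems.append(f"wildcard.{key} missing")
    domain = wc.get("domain", "")
    if not domain.startswith("*.") or domain.count("*") != 1:
        problems.append(f"wildcard.domain {domain!r} should look like '*.example.com'")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        path = wc.get(key, "")
        if not os.path.isabs(path):
            problems.append(f"wildcard.{key} must be an absolute path")
        elif check_paths and not os.path.isfile(path):
            problems.append(f"wildcard.{key} not found: {path}")
    return problems


# Constructed samples: a minimal existing config, and the same file after a
# hand edit that dropped the comma before the new key (the error lands on line 4).
GOOD_CONFIG = '{\n "dns_multitenant": true,\n "webserver_port": 8000\n}\n'
BROKEN_CONFIG = (
    '{\n "dns_multitenant": true,\n "webserver_port": 8000\n'
    ' "wildcard": {"domain": "*.mydomain.com"}\n}\n'
)

if __name__ == "__main__":
    new_text = add_wildcard_section(GOOD_CONFIG, "*.mydomain.com", "/etc/letsencrypt/live/mydomain.com")
    print(new_text)
    print("problems:", check_wildcard_section(load_config(new_text)))
    try:
        load_config(BROKEN_CONFIG)
    except ValueError as err:
        print(err)
```

Pointing load_config at the real file (and then check_wildcard_section with check_paths=True) before running bench setup nginx gives the same validation bench would do, but with a message that says which line to look at instead of a traceback.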
