ERPNext SSL / HTTPS config not working with nginx

Hi there!

I’ve successfully installed ERPNext using bench on Ubuntu. All fine so far; HTTP (port 80) is running smoothly.

Now I’d like to secure the instance with HTTPS.
→ created certificates, set common name to correct domain, signed, etc … all good.
→ created ssl config file for nginx, reloading, no complaints.

=> Problem: when attempting to access the site via HTTPS, I get "ERR_CONNECTION_REFUSED" in Chrome, and error.log and access.log in /var/log/nginx/ remain unchanged, as if no attempt to connect was made.

Here are my configs:

/etc/nginx/conf.d/frappe.conf:

server_names_hash_bucket_size 64;

upstream frappe {
    server 127.0.0.1:8000 fail_timeout=0;
}

upstream socketio-server {
    server 127.0.0.1:3000 fail_timeout=0;
}

server {
            listen 80  default ;
            client_max_body_size 4G;
            # server_name frappe_default_site;
            server_name my-custom-domain.com;

            keepalive_timeout 5;
            sendfile on;
            root /home/ubuntu/frappe-bench/sites;

            location /assets {
                    try_files $uri =404;
            }

            location ~ ^/protected/(.*) {
                    internal;
                    try_files /site1.local/$1 =404;
            }

            location /socket.io {
                    proxy_pass http://socketio-server;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                    proxy_set_header X-Frappe-Site-Name site1.local;
                    proxy_set_header Origin $scheme://$http_host;
                    proxy_set_header Host $host;
            }

            location / {
                    try_files /site1.local/public/$uri @magic;
            }

            location @magic {
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header X-Frappe-Site-Name site1.local;
                    proxy_set_header Host $host;
                    proxy_set_header X-Use-X-Accel-Redirect True;
                    proxy_read_timeout 120;
                    proxy_redirect off;
                    proxy_pass  http://frappe;
            }
    }

/etc/nginx/conf.d/frappe-ssl.conf:

server {
            listen 433 ssl;
            client_max_body_size 4G;
            # server_name frappe_default_site;
            server_name my-custom-domain.com;

            ssl on;
            ssl_certificate  /etc/nginx/ssl/ssl.crt;
            ssl_certificate_key  /etc/nginx/ssl/ssl.key;

            ssl_session_timeout  5m;

            ssl_protocols  SSLv3 TLSv1;
            ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
            ssl_prefer_server_ciphers   on;

            keepalive_timeout 5;
            sendfile on;
            root /home/ubuntu/frappe-bench/sites;

            location /assets {
                    try_files $uri =404;
            }

            location ~ ^/protected/(.*) {
                    internal;
                    try_files /site1.local/$1 =404;
            }

            location /socket.io {
                    proxy_pass http://socketio-server;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                    proxy_set_header X-Frappe-Site-Name site1.local;
                    proxy_set_header Origin $scheme://$http_host;
                    proxy_set_header Host $host;
            }

            location / {
                    try_files /site1.local/public/$uri @magic;
            }

            location @magic {
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header X-Frappe-Site-Name site1.local;
                    proxy_set_header Host $host;
                    proxy_set_header X-Use-X-Accel-Redirect True;
                    proxy_read_timeout 120;
                    proxy_redirect off;
                    proxy_pass  http://frappe;
            }
    }

When I change frappe-ssl.conf to

            location /socket.io {
                    proxy_pass https://socketio-server;
                    ....
            }

            ....

            location @magic {
            ....
                    proxy_pass  https://frappe;
            }

i receive

nginx: [emerg] host not found in upstream "socketio-server" in /etc/nginx/conf.d/frappe-ssl.conf:32

When i add the upstream statements from frappe.conf to frappe-ssl.conf as well, i get

nginx: [emerg] duplicate upstream "frappe" in /etc/nginx/conf.d/frappe.conf:4

so that also doesn’t seem to get me anywhere

All is running in an AWS EC2 instance and the security group is configured to let ports 22, 80 and 443 through from anywhere. Since it runs smoothly without SSL, I guess ports 8000 and 3000 are not meant to be accessible from outside anyway.

Seems like I can’t see the wood for the trees.

Any advice is greatly appreciated!

Cheers
Fabian
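A corrected TLS server block for this setup, as an added example that is not part of the original post or of bench's generated config. The posted frappe-ssl.conf listens on 433 rather than 443, which is consistent with the refused connection and the untouched nginx logs (nothing is bound to the port the security group opens), and it enables SSLv3 with an RC4/export cipher list. The block below listens on 443 ssl, keeps proxy_pass at http:// because TLS terminates in nginx and the bench processes on 127.0.0.1:8000 and :3000 speak plain HTTP, and reuses the upstream blocks from frappe.conf: every file in conf.d is included into the same http context, so an upstream declared once is visible to all of them, and declaring it a second time is exactly the duplicate upstream error. Domain, certificate paths, site name, and an nginx built against OpenSSL 1.1.1 or later (needed for TLSv1.3) are assumptions.

```nginx
# Added example, not from the original post or from bench.
# Assumptions: domain, cert paths, site name, nginx with OpenSSL >= 1.1.1.
# The "frappe" and "socketio-server" upstreams stay in frappe.conf; do not
# repeat them here.
server {
    listen 443 ssl;                 # not 433: nothing answered on 443 before
    server_name my-custom-domain.com;
    client_max_body_size 4G;

    ssl_certificate     /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;

    # Replaces "ssl_protocols SSLv3 TLSv1" and the RC4/LOW/EXP cipher list.
    # "ssl on;" is unnecessary once ssl is on the listen directive.
    ssl_protocols TLSv1.2 TLSv1.3;  # drop TLSv1.3 on older OpenSSL builds
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;  # all suites above are AEAD; let clients pick
    ssl_session_timeout 1d;
    ssl_session_cache shared:frappe_ssl:10m;
    ssl_session_tickets off;

    keepalive_timeout 5;
    sendfile on;
    root /home/ubuntu/frappe-bench/sites;

    location /assets {
        try_files $uri =404;
    }

    location ~ ^/protected/(.*) {
        internal;
        try_files /site1.local/$1 =404;
    }

    location /socket.io {
        # TLS ends at nginx; the node process on 127.0.0.1:3000 speaks
        # plain HTTP, so the scheme toward the upstream stays http://.
        proxy_pass http://socketio-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Frappe-Site-Name site1.local;
        proxy_set_header Origin $scheme://$http_host;
        proxy_set_header Host $host;
    }

    location / {
        try_files /site1.local/public/$uri @magic;
    }

    location @magic {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" inside this block, so the app builds https links.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frappe-Site-Name site1.local;
        proxy_set_header Host $host;
        proxy_set_header X-Use-X-Accel-Redirect True;
        proxy_read_timeout 120;
        proxy_redirect off;
        proxy_pass http://frappe;   # same upstream as frappe.conf, still http://
    }
}
```

After sudo nginx -t and a reload, sudo ss -ltn should now show a listener on :443, and openssl s_client -connect my-custom-domain.com:443 -servername my-custom-domain.com confirms the handshake before involving the browser. Ports 8000 and 3000 remain loopback-only and need no security-group rule.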

Hi Fabian,

You need not configure frappe-ssl.conf.

Set ssl_certificate and ssl_certificate_key in the site_config.json of the sites where you want SSL, run bench setup nginx to generate the SSL config within config/nginx.conf, and then run sudo service nginx reload.

See: Home · frappe/bench Wiki · GitHub

2 Likes

Hi @anand

I followed the process but it still does not work. Not sure if I’m missing any other commands, because in the past we used to run
bench set-ssl-certificate site /etc/letsencrypt/live/site/fullchain.pem

and it used to create entries in nginx with SSL-related lines.

I followed the steps 3 times and each time I get the same error:
An error occurred during a connection to www.varmani.co.za. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

any feedback appreciated

regards
Hemant

Hi @anand

I think the “bench setup nginx” command fails to add these lines into the config file:

ssl on;
ssl_certificate /etc/letsencrypt/live/site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site/privkey.pem;

I added this to my config and all is well again :wink:

For others who might have issues, just need to update where your certs are sitting and update the config file manually for now. Can we update the bench setup command with this, or is there another way to get the ssl to work?

regards
Hemant

1 Like
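What SSL_ERROR_RX_RECORD_TOO_LONG means in nginx terms, as an added example rather than anything from the posts or from bench: with "listen 443;" and no ssl directive, nginx serves cleartext HTTP on port 443, so the browser's TLS ClientHello is answered by an HTTP response that the client rejects as an oversized TLS record. The block shows the listener form that avoids this (the "ssl on;" directive Hemant added is the older equivalent, deprecated since nginx 1.15.0 and removed in 1.25.1) and, as the mirror case, the 497 redirect for cleartext requests that reach the TLS port. Host and certificate paths are assumptions.

```nginx
# Added example, not from the original posts. Host and cert paths are assumed.
server {
    # "listen 443;" alone is a plain-HTTP listener that happens to sit on 443;
    # a browser opening https://www.example.com/ then gets an HTTP response where
    # it expects a TLS ServerHello and reports SSL_ERROR_RX_RECORD_TOO_LONG.
    # Older fix: keep "listen 443;" and add "ssl on;" (deprecated in 1.15.0,
    # removed in 1.25.1). Current form: the ssl parameter on listen.
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # Mirror-image mistake: a client that sends cleartext HTTP to this ssl
    # listener receives nginx's internal status 497 ("HTTP request sent to
    # HTTPS port"). Turn that into a redirect instead of a bare error page.
    error_page 497 =301 https://$host$request_uri;

    root /home/frappe/frappe-bench/sites;
    # [frappe locations as in the posted config]
}
```

The quickest confirmation of the failure mode from the shell is curl -v http://www.example.com:443/ returning an ordinary HTTP response from a port that should only speak TLS; openssl s_client against the same port reports a wrong version number for the same reason.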

Hi!

The solution that you found (to manually edit the nginx.conf file) could have been avoided in the first place by turning on DNS multitenant mode with the following command: bench config dns_multitenant on.

The documentation in this link says that DNS multitenant mode is on by default, but we discovered that this isn’t true. After running that command, bench config nginx would work as expected, adding several SSL-related params (even the port 80 redirection!).

Perfect, works better now, thanks @fergarcia

I am trying to apply SSL through these steps here

https://github.com/frappe/erpnext/wiki/Setting-up-TLS-SSL-certificates-Let%27s-Encrypt-for-ERPNext-sites

but I get the following error

    sudo bench setup lets-encrypt erpnext.vm
    The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    An unexpected error occurred:
    The request message was malformed :: Error creating new authz :: Name does not end in a public suffix
    Please see the logfiles in /var/log/letsencrypt for more details.
    INFO:bench.utils:sudo service nginx start 
    There was a problem trying to setup SSL for your site

Any clear steps for installing SSL/HTTPS on my local machine?

You’ve tried to get SSL certificates for the domain ERPNext.vm.

You need a real host and domain name here, as you can’t get a certificate for ERPNext.vm: it’s not a proper domain.

Why not follow the trail of clues!?

“Please see the logfiles in /var/log/letsencrypt for more details.”

I can’t open the logfiles in /var/log/letsencrypt … it gives me an error. Anyway, thanks for the replies; I solved my issue through this post and updated nginx.conf.

But one more issue: I need to redirect all HTTP requests to HTTPS. I’ve tried with this line in nginx.conf, but it’s not working:
return 301 https://$server_name$request_uri;

‘sudo /var/log/letsencrypt’ might work?

As for
return 301 https://$server_name$request_uri;

Try two server blocks?

My nginx.conf has:

server {
    listen 443;
    server_name
        domain.com
        ;

    root /home/frappe/frappe-bench/sites;

    [snip]
}

server {
    listen 80;
    server_name
        domain.com
        ;

    return 301 https://$host$request_uri;
}
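The two-block redirect from the reply, filled out as an added example (not the poster's nginx.conf and not bench's template): port 80 serves only the ACME http-01 path and redirects everything else using $host, and port 443 carries the site plus HSTS once the redirect is verified. $server_name is the first name from the block's server_name directive while $host is what the client asked for; with a single name they coincide, so a redirect that seems to do nothing usually means the return sits in a block that never catches the request (for instance the port 80 request is answered by a different default server) or inside the 443 block itself, where it loops. Domain, paths and the challenge webroot are assumptions. bench setup lets-encrypt uses certbot's standalone authenticator, which needs port 80 free, so the acme-challenge location only matters if renewals are switched to certbot --webroot.

```nginx
# Added example, not from the original posts. Domain, paths and the ACME
# webroot are assumed.
server {
    listen 80;
    server_name domain.com;

    # Keep http-01 reachable over cleartext so certbot --webroot can renew
    # without stopping nginx. Harmless if standalone mode is used instead.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # $host is the requested name; on a single-name block it equals
    # $server_name, so either works here. Everything else goes to https.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name domain.com;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only after the redirect is confirmed: tell browsers to skip port 80
    # next time. Start with a short max-age; "always" (nginx >= 1.7.5) also
    # attaches the header to error responses.
    add_header Strict-Transport-Security "max-age=300" always;

    root /home/frappe/frappe-bench/sites;
    # [frappe locations as in the posted config]
}
```

Verify with curl -sI http://domain.com/ (expect 301 with a Location: https://domain.com/ header) and curl -sI https://domain.com/ (expect 200 and the Strict-Transport-Security header) before raising max-age to months.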