How to cancel SSL Let's Encrypt and how to fix auto renewal

Hello
I set up Let's Encrypt about 3 months back. I got an email that it's about to expire. So I looked at the link below and found the command to renew (sudo bench renew-lets-encrypt).

“Setting up TLS SSL certificates Let’s Encrypt for ERPNext sites”

I have two questions

  1. How do I remove Let's Encrypt SSL, so that I can access my site using http if I have issues with renewals etc.?

  2. I also see that auto renewal is already set up in the crontab, but it's not being auto renewed. Below is the crontab entry. What change do I have to make to get auto renewal working?

Please let me know.

Hi @kothagunda,

If you want to be able to also access the page using https, you can disable enforcing https. To do this, open ./config/nginx.conf and comment out the following lines at the end:

# http to https redirect
    server {
            listen 80;
            server_name
                    intern.mages-uhren.ch
                    ;

            return 301 https://$host$request_uri;
    }

Add a “listen 80” block similar to the 443 except without the SSL configuration. Then, restart nginx and you should be able to access the server through either http or https.

What is the error message that you get on bench renew-lets-encrypt?

Thanks @lasalesi for the prompt response.

I was able to renew without issues using “sudo bench renew-lets-encrypt”.

But I wanted to just find out what I need to do to disable https and use http if some failures happen, and why auto renewal is not working. So I asked the above questions.

For https and http to work simultaneously:
I understood I have to comment out the listen 80. And then, below is what I understood; please correct me if I am wrong.

Add a new listen 80 block similar to the listen 443 block below, right? And remove lines 239 to 245, right?

228 server {
229 listen 443;
230 server_name
231 www.mysite.com
232 ;
233
234 root /home/frappe/frappe-bench/sites;
235
236
237
238
239 ssl on;
240 ssl_certificate
241 ssl_certificate_key
242 ssl_session_timeout
243 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
244 ssl_ciphers ";
245 ssl_prefer_server_ciphers on;
246
247
248 location /assets {
249 try_files $uri =404;
250 }
251
252 location ~ ^/protected/(.*) {
253 internal;
254 try_files /$site_name_easwheq/$1 =404;
255 }
.
.
.
.

Thanks.

1 Like

Yes, line 229 should be listen 80; and remove 239 … 245 on the listen 80 block (but keep the listen 443 block as well). This will enable your server to listen on port 80 (http) and port 443 (https) without redirecting (forcing) https. Note this is not recommended but will address your request.
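For reference, here is what the resulting pair of server blocks looks like. This is an added example, not the configuration from the thread or from bench; the site name, root and certificate paths are placeholders to replace with your own, and the `$site_name_easwheq` variable is carried over from the config pasted above.

```nginx
# Added example (not the thread's config): serve www.mysite.com on both
# plain http (port 80) and https (port 443) with no redirect between them.
# All paths are placeholders.

# http: same site, same locations, no ssl_* directives
server {
    listen 80;
    server_name www.mysite.com;

    root /home/frappe/frappe-bench/sites;

    location /assets {
        try_files $uri =404;
    }

    location ~ ^/protected/(.*) {
        internal;
        try_files /$site_name_easwheq/$1 =404;
    }
    # ... remaining location blocks, identical to the 443 block
}

# https: the original 443 block, with the ssl_* lines kept
server {
    listen 443 ssl;
    server_name www.mysite.com;

    root /home/frappe/frappe-bench/sites;

    ssl_certificate     /etc/letsencrypt/live/www.mysite.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/www.mysite.com/privkey.pem;    # placeholder
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location /assets {
        try_files $uri =404;
    }

    location ~ ^/protected/(.*) {
        internal;
        try_files /$site_name_easwheq/$1 =404;
    }
    # ... remaining location blocks
}

# The "http to https redirect" block from earlier in the thread must stay
# commented out: two server blocks on port 80 with the same server_name
# conflict, and nginx would ignore one of them.
# server {
#     listen 80;
#     server_name www.mysite.com;
#     return 301 https://$host$request_uri;
# }
```

Two things differ from the pasted config on purpose: `listen 443 ssl;` replaces the deprecated `ssl on;` directive, and `ssl_protocols` lists only TLSv1.2, since TLS 1.0 and 1.1 are deprecated. Run `sudo nginx -t` before reloading to catch the duplicate-server_name case. Remember that with the redirect gone, anyone who types the bare hostname gets the http site, so session cookies and logins for that site travel unencrypted; that is what "not recommended" above refers to.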

Thank you @lasalesi.

Just wondering why auto renewal is not working, though an @month entry is present in crontab.

You can check cron with, in Ubuntu/Debian:

sudo service cron status

or on other Linux:

sudo service crond status

It gives you an output like this:

frappe@erp2:~$ sudo service cron status
[sudo] password for frappe: 
● cron.service - Regular background program processing daemon
   Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: ena
   Active: active (running) since Tue 2018-04-03 03:11:56 CEST; 13h ago
 Docs: man:cron(8)
 Main PID: 419 (cron)
Tasks: 1 (limit: 4915)
   CGroup: /system.slice/cron.service
       └─419 /usr/sbin/cron -f

Apr 03 11:17:01 erp2 CRON[4048]: pam_unix(cron:session): session opened for user
Apr 03 11:17:01 erp2 CRON[4048]: pam_unix(cron:session): session closed for user
Apr 03 12:17:01 erp2 CRON[4303]: pam_unix(cron:session): session opened for user
Apr 03 13:03:01 erp2 CRON[4476]: pam_unix(cron:session): session opened for user
Apr 03 13:03:01 erp2 CRON[4477]: (root) CMD (   test -x /etc/cron.daily/populari
Apr 03 13:17:01 erp2 CRON[4555]: pam_unix(cron:session): session opened for user
Apr 03 14:17:01 erp2 CRON[4765]: pam_unix(cron:session): session opened for user
Apr 03 14:17:01 erp2 CRON[4766]: (root) CMD (   cd / && run-parts --report /etc/
Apr 03 15:17:01 erp2 CRON[4978]: pam_unix(cron:session): session opened for user
Apr 03 15:17:01 erp2 CRON[4979]: (root) CMD (   cd / && run-parts --report /etc/
Lines 1-19/19 (End)
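The status output above only shows that the cron daemon is alive, not whether the renewal job exists or ever ran. As an added check that is not part of this thread, the script below answers both questions from the defender's side: is the certificate already inside the renewal window, and does the crontab contain an active line running the `bench renew-lets-encrypt` command the thread uses? It assumes `openssl` is installed; the `/etc/letsencrypt/live/...` path in the usage comment is the usual certbot location and is a placeholder for your site.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl is installed and that
# the renewal cron entry runs "bench renew-lets-encrypt".

# Exit 0 when the certificate expires within $2 days (default 30, the point at
# which Let's Encrypt clients normally renew); exit 1 when it is still good
# beyond that threshold.
renewal_due() {
    cert=$1
    days=${2:-30}
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1   # still valid past the threshold; nothing to do yet
    fi
    return 0       # inside the window: the cron renewal should already have run
}

# Read a crontab on stdin; exit 0 when an active (uncommented) line runs the renewal.
cron_has_renewal() {
    grep -v '^[[:space:]]*#' | grep -q 'renew-lets-encrypt'
}

# Build a throwaway self-signed certificate (constructed test input, not a real
# Let's Encrypt cert) at path $1, valid for $2 days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=example.test' \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage against a live bench site (paths are placeholders):
#   renewal_due /etc/letsencrypt/live/www.mysite.com/fullchain.pem && echo "renewal overdue"
#   sudo crontab -l | cron_has_renewal || echo "no active renewal entry in root's crontab"
```

If `renewal_due` reports the window was reached but `cron_has_renewal` passes, the entry exists and is not doing its job; that is when the cron log lines (the `CRON[...]: (root) CMD (...)` lines above) are worth grepping for the renewal command, since a job that never appears there never started. Note that `crontab -l` only lists the crontab of the user you run it as, so check both root's and the frappe user's.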

Thanks @spa
I checked the output; it's almost the same as what you have posted.
But I don't see renewal of lets-encrypt in the logs.

Hi @lasalesi

Trust you’re doing great. After renaming a site, I find that the http to https redirect doesn’t seem to be working. Typing just the site name in the browser leads to the ‘in-secure’ http address. I actually need to type the full url with https now!

I checked the nginx.conf file and everything seems right. I’ve used the bench setup nginx command a few times and reloaded the nginx server, but it still appears the same.

Any ideas how to fix this?

Kind regards,

Check what’s going on in the nginx error log file

Hi @Julian_Robbins

Thanks for your suggestion. There’s no error in the log file!

Kind regards,

Hi @wale,

Do you have a section like this in your ./config/nginx.conf?

# http to https redirect
    server {
            listen 80;
            server_name
                    example.erpnext.org
                    ;

            return 301 https://$host$request_uri;
    }

You can add this manually to force https…

Hope this helps :wink:

Hi @lasalesi @Julian_Robbins

Thanks for the suggestions. It turns out the issue was because I had previously used that domain as a custom (additional) domain before renaming the site and making it the primary domain. I took the following steps to fix the issue:

  1. Removed the 'Domain' entry in the site_config.json file
  2. bench setup nginx
  3. sudo service nginx reload

It’s working fine now.

Thanks!

2 Likes