
How to use LetsEncrypt wildcard in multitenant

I successfully created single certs for the first site and its add-on domain. Each had its own cert and bench wrote them into site_config.json correctly.
The nginx.conf also seems correct because I then could access the site with https (both domains). The certs created are

  Certificate Name: site.com
    Domains: site.com
    Certificate Path: /etc/letsencrypt/live/site.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/site.com/privkey.pem
  Certificate Name: www.site.com
    Domains: www.site.com
    Certificate Path: /etc/letsencrypt/live/www.site.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.site.com/privkey.pem

Then, since this is going to be multi-site, I was trying to set up the LE wildcard ssl to be used with multitenant.
I managed to create a wildcard cert and I have certs with site.com-0001 in its name.

  Certificate Name: site.com-0001
    Domains: *.site.com
    Certificate Path: /etc/letsencrypt/live/site.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/site.com-0001/privkey.pem

along with the single domain (site.com) and subdomain (www.site.com) certs.

The process of setting up ssl and nginx successfully listed the domain site.com with the site.com-0001 cert.
But it can’t be accessed.
I changed it back to use the site.com cert and it can be accessed again.
Using the 0001 cert with www.site.com also fails.

I tried to find the docs for setting up wildcard ssl with multitenant but can’t find any.
Can somebody point me in the right direction for setting this up?

Thank you.

1 Like

I’m also interested in this. Can’t seem to find any documentation on setting this up at all!

Kind regards,

Okay, found the guide here:

Apparently, the old links are broken

Cheers

Thanks @wale for finding the docs.

By default, the bench requests certbot to generate the certificate for the wildcard domain as well as for the base domain.

This seems to be the problem with my installation, since I generated the wildcard ssl directly with certbot, so no base domain cert was generated.

EDIT:
After trying the bench command on the server, this is what happened:

  • I can generate the wildcard ssl; I can see from the name that it is *.site.com,
  • it does update common_site_config.json to put the certs there,
  • but it does not update site_config.json (as the single cert would),
  • and somehow it doesn’t update nginx.conf (maybe because bench setup gets its parameters from site_config but not from common_site_config?)

And during the cert generation:

  • it doesn’t ask for ownership verification.
  • but I thought this may be because I already had a TXT record with _acme-challenge from my previous cert generation (for a single domain).
  • so I deleted the TXT record from my domain’s DNS and tried again.
  • the same happened, no ownership verification asked.
  • and certbot also doesn’t generate a cert for the base domain (which is site.com)

And I still can’t access my site using https.

EDIT 2:

  • so I just ignore the TXT verification. I will add it later if acme-challenge complains about it :smiley:
  • I added the ssl_certificate and ssl_certificate_key to site_config.json.
  • now I can access my site with https://site.com
  • adding the custom domain www.site.com: after doing bench add-domain, which updates the domains parameter in site_config.json, it can be accessed without adding ssl info under the domains parameter.
  • in nginx.conf, the custom domain has its own listen 443 ssl.

Another problem:

  • create a new site with bench new-site.
  • nginx setup lists this new site under the first site’s server block in listen 443 ssl:

    server {
        listen 443 ssl;
        server_name
            www.site.com
            ww2.site.com
            ;

  • but I can’t access this new domain with http or https.
  • add the ssl parameters to site2’s site_config.json, bench setup nginx, reload nginx… still can’t access the site.
  • in nginx.conf, site2 is listed separately under its own listen 443 ssl.

Sorry for this long post. But I hope this can be a reference for anyone new to setting up LE’s wildcard ssl.
So up to now I still can’t access multiple sites with wildcard ssl.

I just came to think that the problem is in my install of bench, that it doesn’t serve multitenant (it is on, I verified).
My last try: use a single ssl for each site, or maybe go without ssl. If I can’t access them then my install of bench is the problem :slight_smile:

1 Like

Take a look at this, hope it helps.

1 Like

Hi @rahy

Once you’re sure that your install is on dns based multitenancy, I don’t think you should have any issues.

  • Yes, the references to the certs are correctly placed in the common_site_config file and not site_config
  • If you went through the link I shared carefully, you’d notice there’s a flag if you want to exclude the base domain, else, both certificates would be requested

In your case, since you already had certificates for “domain.com”, you should have excluded the base domain.

Also, the wildcard certificate works for subdomains, which is why it’s depicted as “*.domain.com”… this means that your new site must have a name like “site2.domain.com” for the wildcard certificate to be applied to it.

You may also need to update and reload Nginx after making any changes:

    bench setup nginx
    sudo service nginx reload

Cheers

2 Likes

Yes thank you @wale
I had managed to generate and install the wildcard cert on my domain.

1 Like

Not sure how optimal this is, but it’s working well for me.

  1. I enabled wildcard ssl for my domain using this guide

  2. then set up all the sites at once with

    sudo certbot --nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d *.my.domain

@adam26d

  1. I think you don’t need to do the steps in the guide. Just doing your step 2 would create the certs (provided that you have certbot installed already).

  2. So your common_site_config.json doesn’t have the entry for wildcard?

    "wildcard": {
      "domain": "*.my.domain",
      "ssl_certificate": "/etc/letsencrypt/live/my.domain/fullchain.pem",
      "ssl_certificate_key": "/etc/letsencrypt/live/my.domain/privkey.pem"
    }

When you run bench setup nginx, it will remove the 443 block from nginx.conf, won’t it?

1 Like

precisely, thank you for simplifying it for me

Actually, this is a good solution yet annoying.
Running the command sudo certbot --nginx will create the certs and update the nginx.conf so the site can be accessed securely.

But, it doesn’t write the site_config.json with the ssl entry.
So the next time you run bench setup nginx, it will wipe the ssl entry from nginx.conf, and your site is back to unsecured.

So I have a suggestion for the frappe bench team:
Rewrite bench setup lets-encrypt and bench setup wildcard-ssl. Their use for creating the ssl has been broken by the deprecation of certbot-auto anyway.
Repurpose these commands so that, instead of taking the ssl path from site_config.json and updating nginx.conf, they take the path from nginx.conf and write it to site_config.json and common_site_config.json (in the case of wildcard).

This way we can create the certs with sudo certbot --nginx
and place them in site_config.json with bench setup lets-encrypt.
Then running bench setup nginx will not ruin anything.

1 Like

Hello

  1. So I changed my common_site_config.json to include the wildcard cert
  2. Running bench setup nginx messes up my nginx.conf such that my sites give the error below

image

  3. Normally the way to fix this error is to run certbot, but we’ve already got a certificate.

Anyone encountered this and permanently resolved it?

Certbot will reinstall the certificate. You can safely run it.

Can’t predict anything without seeing the configuration.
Did you try sudo nginx -t?

One of the purposes of the bench setup lets-encrypt and bench setup wildcard-ssl commands is to take the path of the ssl (created by the certbot-auto inherent in these commands) and put it in site_config.json and/or common_site_config.json.

And one of the purposes of bench setup nginx is to take the path from the configs and put it in nginx.conf.

Then the site can be accessed with ssl.

But since the deprecation of certbot-auto, the process doesn’t work anymore.

Using certbot (from snapd) creates the certs and writes the path to nginx.conf. Nothing goes to the site config files.
So bench setup nginx thinks the sites don’t have certs, removes the entries from nginx.conf, and puts the domains in the port 80 servers.

Hence my suggestion to change the commands’ purpose :slight_smile:

Have you checked if the entry is correctly written?
It is a list without the ssl entry. But change it to a dict with the ssl entries.

I did, I had to run certbot again to fix this.

    sudo certbot --nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d *.my.domain

I’m not yet used to using certbot with frappe. When not using a wildcard, for example, running certbot --nginx -d a.sub.domain will install a cert, but all other sites in the bench get disturbed. So I have to run certbot for all sites every time.

Thank you for checking Rahy! If you have any insights, please do share.

I found these docs for including the ssl in site_config.json: https://frappeframework.com/docs/user/en/bench/guides/configuring-https#setup-nginx-config

But it can’t be used for a site that is not using the domain as its name, e.g. site1.local (with domain e.g. site1.com), because the bench command puts the ssl path outside the domains entry:

    "domains": [
      "site1.com"
    ],
    "ssl_certificate": "/etc/letsencrypt/live/site1.com/certificate.crt",
    "ssl_certificate_key": "/etc/letsencrypt/live/site1.com/private.key"

So an option to the command to put the ssl in the domains would be great.
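
An added example (not bench’s code and not from anyone in this thread) of the repurposing suggested earlier in the thread, and of the per-domain form asked for here: it reads the cert and key paths that certbot --nginx wrote into nginx.conf and places them where bench reads them, at the top level of site_config.json for the site itself and inside each custom domain under domains. The nginx.conf sample is constructed, and the dict form {"domain", "ssl_certificate", "ssl_certificate_key"} under domains is assumed to be what bench accepts.

```python
# Constructed sample of what `certbot --nginx` leaves in nginx.conf (not a real bench file).
SAMPLE_NGINX = """
server {
    listen 443 ssl;
    server_name site1.local site1.com;
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    location / { proxy_pass http://127.0.0.1:8000; }
}
server { listen 80; server_name site2.local; }
"""

def top_level_blocks(conf):
    # Bodies of the top-level { ... } blocks; nested location blocks stay inside them.
    # Assumes a well-formed config (balanced braces, no braces inside comments).
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(conf):
        if ch == "{":
            start = i + 1 if depth == 0 else start
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append(conf[start:i])
    return blocks

def directive(body, name):
    # Value of the first `name value;` directive in a block body, or None if absent.
    for line in body.splitlines():
        parts = line.strip().rstrip(";").split()
        if parts and parts[0] == name:
            return " ".join(parts[1:])
    return None

def ssl_paths_from_nginx(conf):
    # Map each server_name of a `listen 443 ssl` block to the cert/key paths in that block.
    found = {}
    for body in top_level_blocks(conf):
        cert, key = directive(body, "ssl_certificate"), directive(body, "ssl_certificate_key")
        if "443" not in (directive(body, "listen") or "") or not (cert and key):
            continue
        for name in (directive(body, "server_name") or "").split():
            found[name] = {"ssl_certificate": cert, "ssl_certificate_key": key}
    return found

def write_ssl_into_site_config(site_config, site_name, ssl_map):
    # Top-level paths for the site itself; each custom domain becomes a dict under
    # "domains" carrying its own paths (that dict form is an assumption, see lead-in).
    cfg = dict(site_config)
    cfg.update(ssl_map.get(site_name, {}))
    if "domains" in cfg:
        cfg["domains"] = [{"domain": e, **ssl_map.get(e, {})} if isinstance(e, str)
                          else {**e, **ssl_map.get(e["domain"], {})} for e in cfg["domains"]]
    return cfg
```

Run it against a real bench nginx.conf only after sudo nginx -t passes, and write the resulting dict back with json.dump; a domain that has no 443 block in nginx.conf is left without ssl entries rather than given a guessed path.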

You can add multiple domains in a single command.
E.g.:

    certbot --nginx -d a.sub.domain -d b.sub.domain -d unrelated.domain -d abc.comx

Pro Tip: Use CTRL+R on the terminal to find the last run certbot command and just add the new domain to it and run.