
How to use LetsEncrypt wildcard in multitenant

I successfully created single certs for the first site and its add-on domain. Each had its own cert and bench wrote them into site_config.json correctly.
The nginx.conf also seems correct because I then could access the site with https (both domains). The certs created are

  Certificate Name: site.com
    Domains: site.com
    Certificate Path: /etc/letsencrypt/live/site.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/site.com/privkey.pem
  Certificate Name: www.site.com
    Domains: www.site.com
    Certificate Path: /etc/letsencrypt/live/www.site.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.site.com/privkey.pem

Then, since this is going to be a multi-site, I was trying to set up the LE wildcard ssl to be used with multitenant.
I managed to create a wildcard cert and I have certs with site.com-0001 in its name.

  Certificate Name: site.com-0001
    Domains: *.site.com
    Certificate Path: /etc/letsencrypt/live/site.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/site.com-0001/privkey.pem

along with the single domain (site.com) and subdomain (www.site.com) certs.

The process of setting up ssl and nginx successfully listed the domain site.com with the site.com-0001 cert.
But it can’t be accessed.
I changed it back to use the site.com cert and it can be accessed again.
Using the 0001 cert with www.site.com also fails.

I tried to find the docs to set up wildcard ssl with multitenant but can’t find one.
Can somebody show me the right direction in setting this up?

Thank you.


I’m also interested in this. Can’t seem to find any documentation on setting this up at all!

Kind regards,

Okay, found the guide here:

Apparently, the old links are broken

Cheers

Thanks @wale for finding the docs.

By default, the bench requests certbot to generate the certificate for the wildcard domain as well as for the base domain.

This seems to be the problem with my installation, since I generated the wildcard ssl directly with certbot, so no base domain cert was generated.

EDIT:
After trying the bench command on the server, this is what happened:

  • I can generate the wildcard ssl; I can see from the name that it is *.site.com,
  • it does update common_site_config.json to put the certs there,
  • but not updating site_config.json (as the single cert would),
  • and somehow it doesn’t update nginx.conf (maybe because bench setup get parameters from site_config but not from common_site_config?)

And during the cert generation:

  • it doesn’t ask for ownership verification.

  • but I thought this maybe because I already had a TXT record with _acme-challenge from my previous cert generation (for a single domain).

  • so I deleted the TXT from my domain DNS and tried again.

  • the same happened, no ownership verification asked.

  • and certbot also doesn’t generate a cert for the base domain (which is site.com)

And I still can’t access my site using https.

EDIT 2:

  • so I just ignore the TXT verification. I will add it later if acme-challenge complain about it :smiley:
  • I add the ssl_certificate and ssl_certificate_key into site_config.json.
  • now I can access my site with https://site.com
  • adding custom domain www.site.com: after doing bench add-domain, which updates the domains parameter in site_config.json, it can be accessed without adding ssl info under the domains parameter.
  • in nginx.conf, the custom domain has its own listen 443 ssl.

Another problem:

  • create new site with bench new-site.
  • nginx setup lists this new site under the first site in server blocks in listen 443 ssl:

      server {
          listen 443 ssl;
          server_name
              www.site.com
              ww2.site.com
              ;

  • but I can’t access this new domain with http or https.
  • add the ssl parameters to the site2 site_config.json, bench setup nginx, reload nginx… still can’t access the site.
  • in the nginx.conf the site2 is listed separately under its own listen 443 ssl.

Sorry for this long post. But I hope this can be a reference to anyone new in setting up LE’s wildcard ssl.
So up to now I still can’t access multi site with wildcard ssl.

I have just come to think that the problem is in my install of bench that doesn’t serve multitenant (it is on, I verified).
My last try: use a single ssl for each site or maybe without ssl. If I can’t access it, then my install of bench is the problem :slight_smile:

Take a look at this, hope it helps.


Hi @rahy

Once you’re sure that your install is on dns based multitenancy, I don’t think you should have any issues

  • Yes, the references to the certs are correctly placed in the common_site_config file and not site_config
  • If you went through the link I shared carefully, you’d notice there’s a flag if you want to exclude the base domain, else, both certificates would be requested

In your case, since you already had certificates for “domain.com” , you should have excluded the base domain

Also, the wildcard certificate works for subdomains, which is why it’s depicted as “*.domain.com” …this means that your new site must have a name like “site2.domain.com” for the wildcard certificate to be applied to it

You may also need to update and reload Nginx after making any changes:

bench setup nginx
sudo service nginx reload

Cheers


Yes thank you @wale
I had managed to generate and install the wildcard cert on my domain.
