Let's Encrypt SSL Setup

Good Day

I saw the following link:

https://frappe.io/docs/user/en/bench/guides/lets-encrypt-ssl-setup.html

If I have the following scenario, would this still work:

I have a local server connected to an internet connection with a static IP.
I have a domain in the cloud (domain.co.za).
I have other A records like pop.domain.co.za ..., but also one, portal.domain.co.za, referencing my local static IP.

I can access my ERPNext server using portal.domain.co.za, but would like to know whether it would be possible to install Let's Encrypt on such a setup?

I see the prerequisites:

1. You need to have a DNS Multitenant Setup - (this is OK)
2. Your site should be accessible via a valid domain - (NOT sure)
3. You need root permissions on your server - (this is OK)

Thank You

Albertus Geyser

If your server is hosted on a VPS and you have set up the IP address to direct to domain.com by changing the server names, then this is possible.
I am using Let's Encrypt and it works great for me… I have a VPS, then installed ERPNext, changed serverName to direct to domain.com and was able to set up Let's Encrypt via…

Home · frappe/erpnext Wiki · GitHub

I think those points you mentioned are required to be fulfilled.

1 Like

I'm struggling with the exact same problem.

Installed on a Digital Ocean VPS (CentOS 7).
Added the frappe user to wheel.
Renamed the site to erp.mysite.com.
Created an A record in my domain's DNS pointing to the DO public IP (works).

Here I add my output from:
sudo bench setup lets-encrypt erp.mydomain.com (my site name is the same)

File "/usr/lib/python2.7/site-packages/virtualenv.py", line 796, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pip wheel failed with error code 1
INFO:bench.utils:sudo systemctl start nginx
There was a problem trying to setup SSL for your site

Any help is very appreciated!

Any advance in here?

You may have an issue of python3 vs python2.7. ERPNext still uses the python2.7 certbot version, while v12 uses python3. You will need to install python3-certbot and then run the commands manually.

Instead, I suggest using the DNS challenge method. It is easier and you don't need to update nginx.conf each time.

First install certbot manually for your OS as per the instructions at certbot.eff.org. Summarized:
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt-get install certbot

Now run the certbot command. You can use the wildcard * for all subdomains (including www) or specify a specific subdomain:

sudo certbot -d *.domain.com --manual --preferred-challenges dns certonly

You will be asked to install a DNS record of type TXT for your domain. The host will be _acme_challenge.sub.domain.com with a value that is a long key… for example FXbTE0_wG7LxIVmhcD_5wIMDuwH0XGvirPTaR7Z6QFc

If your registrar permits, set the propagation time to 1 minute. After 1 minute, continue to hit enter on your server and the certificates (.pem files) will be installed to the default location, as I recall /etc/letsencrypt/live/sub.domain.com/. You can then ensure that the /frappe-bench/config/nginx.conf file points to the same certificates for your site…

2 Likes
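The manual DNS-01 procedure in the post above, with the two checks a practitioner wants around it, as an added example that is not from the thread or from the Frappe project: confirm that the TXT record is visible from a public resolver before pressing Enter at the certbot prompt (certbot prompts for the `_acme-challenge` label), and afterwards confirm that `nginx.conf` references the issued files. It assumes `dig` is installed and uses 1.1.1.1 as the resolver (an assumption; any public resolver works); the domain names and token are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around the manual DNS-01 flow.
# Domain names and the token used in the usage lines are constructed samples.

# Build the certbot invocation for one name (wildcard or single host).
# Quote the wildcard when typing it in a shell so it is not expanded as a glob.
certbot_cmd() {
    printf 'certbot -d %s --manual --preferred-challenges dns certonly\n' "$1"
}

# Strip a wildcard prefix, if any: the challenge record for *.domain.com
# lives at _acme-challenge.domain.com.
challenge_host() {
    base="${1#\*.}"
    printf '_acme-challenge.%s\n' "$base"
}

# $1 = TXT answers as `dig +short TXT` prints them (one quoted string per line)
# $2 = the token certbot displayed. Returns 0 when the token is present.
txt_has_token() {
    printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Poll a public resolver (1.1.1.1 assumed) until the record carries the token.
# $1 = name as given to certbot, $2 = token, $3 = max attempts (default 12, 10 s apart)
wait_for_txt() {
    host=$(challenge_host "$1"); attempts="${3:-12}"; i=0
    while [ "$i" -lt "$attempts" ]; do
        answers=$(dig +short TXT "$host" @1.1.1.1 2>/dev/null)
        if txt_has_token "$answers" "$2"; then
            echo "TXT record for $host is live; continue in certbot"
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    echo "TXT record for $host not seen after $attempts attempts" >&2
    return 1
}

# $1 = path to nginx.conf, $2 = live directory name (e.g. domain.com).
# Returns 0 when both ssl_certificate directives reference the Let's Encrypt live files.
nginx_points_to() {
    live=$(printf '/etc/letsencrypt/live/%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$live/fullchain\.pem;" "$1" &&
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+$live/privkey\.pem;" "$1"
}

# Usage (constructed values): print the command to run, then wait for the record.
#   certbot_cmd '*.domain.com'
#   wait_for_txt '*.domain.com' FXbTE0_wG7LxIVmhcD_5wIMDuwH0XGvirPTaR7Z6QFc
#   nginx_points_to /home/frappe/frappe-bench/config/nginx.conf domain.com
```

Run `wait_for_txt` in a second terminal while certbot sits at its "press Enter to continue" prompt; pressing Enter before the record is visible is the usual reason the challenge fails and has to be restarted.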

Refer to this link:

Video seems to be unavailable.

2 Likes

Subbed, buddy. Appreciate you teaching people to set up ERPNext.

1 Like

Hi, do you have a video on how to use Let's Encrypt and get this done?

It's available on YouTube, click on the YouTube link.

I was messing with Let's Encrypt a few days ago and realized that with Cloudflare it may be possible to avoid it altogether.

I wrote about it here:

I haven’t actually tried it on my own site, but from cloudflare’s settings it certainly seems as though you can expose your site as plain http but inaccessible except through the https “surface” cloudflare provides.

If I’m wrong I’d be glad to know.

1 Like

I don’t know how to do it, but a sys admin in my office once did something like that in cloudflare. He only installed one SSL and updated a configuration in Cloudflare for other additional sites, instead of updating the nginx.
All sites are accessible as https.

If I am not wrong, you can also ensure that the public side of Cloudflare is served only over IPv6, such that remote attackers are left with really no way to find your site at all.

You can then set your firewall to accept port 80 (HTTP) connections only from your internal equipment and from the back side of CloudFlare.

It is possible that all content distribution networks (CDNs) offer such service. I have not looked.

I mention this only because it offers a way for ERPNext newbies quickly to get up and live on the web with one less hassle to be concerned about.

(ahem, no. I am not connected to CloudFlare in any way)

1 Like
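The firewall arrangement described in the post above (port 80 reachable only from internal equipment and from the CDN's edge), as an added example that is neither the poster's configuration nor anything from Cloudflare or Frappe: a script that generates an nftables ruleset from a CDN range list and a pure-shell classifier that mirrors the ruleset's decision so the allow-list can be checked before it is loaded. The CDN ranges and the internal network are constructed placeholders; the real list must come from the CDN (Cloudflare publishes its ranges at https://www.cloudflare.com/ips-v4 and /ips-v6) and needs periodic refreshing. The hop from the CDN to the origin is plain HTTP in this setup, which is exactly why restricting who may reach port 80 matters.

```shell
#!/bin/sh
# Added example (not from the thread): accept TCP/80 only from the CDN's published
# edge ranges and from an internal network, drop everything else.
# CDN_RANGES and INTERNAL_NET are CONSTRUCTED placeholders; replace CDN_RANGES with
# the list your CDN publishes and regenerate the ruleset whenever it changes.

CDN_RANGES="203.0.113.0/24
198.51.100.0/25"
INTERNAL_NET="192.168.10.0/24"

# Emit an nftables ruleset. $1 = internal CIDR, $2 = CDN CIDR list (one per line).
gen_ruleset() {
    elems=$(printf '%s\n' "$2" | grep -v '^[[:space:]]*$' | paste -sd, -)
    cat <<EOF
table inet origin_http {
    set cdn_v4 {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 80 ip saddr $1 accept
        tcp dport 80 ip saddr @cdn_v4 accept
        tcp dport 80 drop
    }
}
EOF
}

# Dotted-quad address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 when address $1 lies inside CIDR $2.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Mirror of the ruleset's decision for a port-80 connection from source $1:
# prints "accept" or "drop".
http_verdict() {
    if in_cidr "$1" "$INTERNAL_NET"; then echo accept; return; fi
    for r in $CDN_RANGES; do
        if in_cidr "$1" "$r"; then echo accept; return; fi
    done
    echo drop
}

# Usage: review the generated rules, then load them with
#   gen_ruleset "$INTERNAL_NET" "$CDN_RANGES" | sudo nft -f -
```

Check a few addresses with `http_verdict` before loading: a CDN edge address and an internal host should print `accept`, while an arbitrary public address should print `drop`. If the list is refreshed by a scheduled job, regenerating and reloading the table atomically with `nft -f` avoids a window where the origin is exposed.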