Only one SSL certificate per bench instance

Vesper_Solutions · June 13, 2021, 11:56pm

Hi, I have a live server running on a vps on production mode with frappe v13. I have dns multi tenant configured and I have multiple sites pointing to multiple domains. My issue is that when I install certbot for a site domain, the ssl certificates for other site domains stop working. let’s say I install an ssl for www.abc.com, the moment that goes through the ssl for all other sites stop working. This guide doesnt work for me: Setting up SSL certificates from Let's Encrypt for sites · frappe/bench Wiki · GitHub
Anyone who has worked with certbot or knows how to work its kinks, any help is appreciated.

Joseph_Marie_Alba1 · June 14, 2021, 12:13am

Rename the directory of the site to the domain name using mv. mv site1.local www.abc.com

Vesper_Solutions · June 14, 2021, 12:20am

So if my site name is abc.local, I rename the site directory to mv abc.local www.abc.com?

Joseph_Marie_Alba1 · June 14, 2021, 12:22am

Yes. Correct. This way you do not have to mess with the /etc/hosts

Vesper_Solutions · June 14, 2021, 12:26am

Still not working, my exact sitename is ags.v1, my domain is ags.vertexrt.com.au. So I renamed the site directory as mv ags.v1 ags.vertexrt.com.au Still doesnt work

rahy · June 14, 2021, 12:35am

Have you checked that in each site has its own ssl path in its site_config.json?
And no ssl path in common_site_config.json.
I’m not an expert but maybe this can help.

Vesper_Solutions · June 14, 2021, 12:40am

Nope neither site has it nor does the common_site_config file, basically I completely disregarded the frappe let’s encrypt guide. Instead I followed the certbot guide for ubuntu servers. I’ve never tried using it for multiple sites so this is the first time i’m facing this issue

rahy · June 14, 2021, 1:08am

Well… maybe you can add the cert to each site_config accordingly.

 "ssl_certificate": "/etc/letsencrypt/live/domainname.com/fullchain.pem",
 "ssl_certificate_key": "/etc/letsencrypt/live/domainname.com/privkey.pem"

I use the common_site_config for wildcard ssl.

 "wildcard": {
  "domain": "domainname.com",
  "ssl_certificate": "/etc/letsencrypt/live/domainname.com/fullchain.pem",
  "ssl_certificate_key": "/etc/letsencrypt/live/domainname.com/privkey.pem"
 }

If you use bench setup add-domain because your site name is different than the domain name, you can add to the command:

  --ssl-certificate TEXT      Absolute path to SSL Certificate
  --ssl-certificate-key TEXT  Absolute path to SSL Certificate Key

Vesper_Solutions · June 14, 2021, 2:51am

Tried adding the certificates alongside path to both the site_config and/or the common_site_config. Did not do the trick

rahy · June 14, 2021, 3:26am

bench setup nginx and bench setup reload-nginx ?

Joseph_Marie_Alba1 · June 14, 2021, 10:33am

Sorry, I did not ask -
Are you installing SSL using lets-encrypt certbot?

Vesper_Solutions · June 14, 2021, 7:07pm

Did that

Vesper_Solutions · June 14, 2021, 7:08pm

I followed this : 404 Not Found | Certbot

rahy · June 14, 2021, 7:21pm

I’m not an expert in server and ssl so I run out of ideas.
I guess it’s the multi domain that cause the ssl not running.

My setup is multi tenants with single domain with ssl for each subdomain (each site_config.json has its entry for ssl).
My other setup is multi tenants with single domain and using wildcard for all subdomain (no ssl entry in site_config, but one entry in common_site_config.json)
I also have a site with multi subdomain (added via bench setup add-domain) and ssl for each subdomain.

The same as you I set the ssl following that certbot web page (but I use CentOS).

Maybe you can check the nginx.conf to see how the ssl is assigned to each domain.

Vesper_Solutions · June 14, 2021, 7:39pm

Yeap I added the domain using:

bench setup add-domain www.abc.com --site sitename.local

Then bench setup nginx and setup reload-nginx

and then I followed the certbot guide for ubuntu, which works perfectly for a single domain or a sub domain

rahy · June 14, 2021, 7:53pm

I think you have to bench setup nginx and reload after adding the cert to site_config.json (but I’m not sure).

Vesper_Solutions · June 14, 2021, 7:55pm

I’ll try

Vesper_Solutions · June 14, 2021, 8:57pm

Okay so the wildcard method does nothing. With each site’s site_config, I pasted the pathways with the appropriate directories as shown and when I run bench setup nginx, it says site_config has errors

EDIT: There was a missing coma at the end of the second line of the ssl path. Now a new issue arises, bench setup nginx works fine but sudo service nginx reload says nginx failed to restart, when i remove the ssl pathways from the site_config.json, sudo service nginx reload works

rahy · June 15, 2021, 5:07am

Check the path, name and availability of the certs in /etc/letsencrypt/.
Mismatch between the cert in nginx.conf, site_config.json and the actual cert in that directory had caused me same problem.
I think I posted a reply about this problem. Let me try to find it

EDIT: found it NGINX Stopped after renew the SSL - #3 by rahy

bkm · June 15, 2021, 1:12pm

Okay, the syntax there is incorrect.

According to the official bench command guide, it should be:

bench setup add-domain --site site1.local [your.domain.here]

bench setup nginx

sudo service nginx reload

And when it comes the certbot guide, I have not found any that work as well as the use of snapd to handle all of the complicated settings so I don’t have to deal with them. Here is the short version of using snapd to install certbot and get your ssl certificate:

First we need to make sure that ‘certbot’ is not already installed, so we will attempt to remove it just in case
sudo apt-get remove certbot
Now we are going to install the package bundle provider and make sure it is all up-to-date with the latest release of ‘snapd’ and let it handle the certbot for us
sudo apt install snapd
sudo snap install core
sudo snap refresh core
Now we use ‘snap’ service to automatically install and configure certbot to work perfectly with your new ERPNext server
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Now we can safely use the pre-configured certbot to install your SSL certificate
sudo certbot --nginx

(The system will pause at some point and ask you to select the site name you wish to install the certificate from a list of names it found. Be sure to select the URL you used and not ‘site1.local’ at this point)
Be patient. This process looks like it is not doing anything sometimes for as long as 60 to 90 seconds, but it is actually working in the background. It will respond with questions you need to answer.

One more thing to note…
If you have multiple URL’s pointing to the same site (site1.local) then you will see in the list of sites to select from all of those URL’s plus the site1.local. Run the “sudo certbot --nginx” command multiple times to get certificates for each of the URL’s in your list. Just select a different one each time you run the command. (Don’t select site1.local as it is not a valid URL) I have this scenarios running on several servers right now so I know it works.

Now the next logical question is: “Will this woirk on my system now that I have been messing with all of the files and settings?”

The answer is that I do not know. I use the above set of instructions with all of my new installs and I never try any of the complicated methods you find in google searches or here on the form. I only use the snapd method now.

I never rename the bench or the site1.local directory. The bench commands I use and the snapd certbot method take all of that into consideration for me and work flawlessly for my new installs.

Hope this helps… Trying to figure out all of the syntax for certbot and how to edit all the right files is problematic. The snapd method above avoids all of that.

BKM