Only one SSL certificate per bench instance

Hey,

This is what I did recently - probably a hack, but worked for me:

  1. Install certbot on the machine (which I think you already have).
  2. Run the bench setup add-domain <domain> --site <site> command for each site to make sure each site_config.json has the domain value added.
  3. Run bench setup nginx, which configures the necessary blocks in nginx.conf in ./config/ of frappe-bench. It is important that you run the add-domain command for all necessary sites before this.
  4. Then stop the nginx service using service nginx stop, as part of the certbot validation uses the port nginx is listening on.
  5. Then, for each site, run sudo certbot certonly --standalone, once for each site. This ends up creating folders in /etc/letsencrypt/.... Just follow the instructions on screen.
  6. Once the folders are available, modify the site_config.json file as mentioned in a post above (the ssl_certificate and ssl_certificate_key values). At this point no further changes are required in site_config.json.
  7. At this point, I took a backup of nginx.conf because the next step modifies it.
  8. Then, sudo certbot certonly --nginx, which rebuilds nginx.conf for you. At this point you will notice that the original and new nginx.conf have deviated: this command comments out some parts of the blocks which bench setup nginx had configured.
  9. Then, again, I ran sudo certbot certonly --standalone. The trick is, at this point it asks you which certificates to validate, and I selected all sites which needed to be up.
  10. Restart the nginx service with sudo service nginx restart. Generally it fails if your configuration is wrong (in case you edited it manually). Otherwise, check site_config.json in case of failure. The system logs mention what could have failed.

The problem is that I too wasn't able to figure out steps 8 and 9 - and in most cases only a single site worked for me at a time, usually the first one, as all the others would simply fail validation. But if we create the certificates individually (such that each has a folder in /etc/letsencrypt/live) and then reconfigure certbot to renew the certificates, it somehow reconfigures them. (I might be wrong, and my gut feeling says that step 9 is irrelevant.)
I think step 8 is the one which the document somehow gets wrong (or incomplete) - the certbot-changed nginx configuration is pretty different from what bench setup nginx does, but you need both. The first creates the shell which certbot will use, and the second actually links to the certificates.

Now whenever I have to add a new site, I do the above steps and it seems to work. (And yes, I do have brain-fog in some of the steps as to ‘why’ that is required - but, who cares until it works :smiley:)

I hope it helps. I have a server working with about 4 separate sites, each with its own valid license. That is on Debian 10 - but I don't think it has any particular OS-level dependency.
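Steps 6 and 10 above are where the per-site bookkeeping goes wrong most easily: a site whose site_config.json still lacks the two ssl_* values, or points at a certificate folder that was never issued, takes nginx down for every site on the restart. The following is an added example, not code from the post or from frappe/bench, that fills in the two values for a domain and runs a preflight check over all sites before the restart. It assumes certbot's standard layout (/etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem) and that the ssl_certificate / ssl_certificate_key keys named in the post sit at the top level of site_config.json; the sites and domains in the sample are constructed.

```python
"""Wire Let's Encrypt certificates into Frappe site_config.json files and
check them before restarting nginx.  Added example, not bench's own code."""
import json
import os
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Standard certbot layout (assumption about the environment, not from the post).
LIVE_DIR = "/etc/letsencrypt/live"


def ssl_paths(domain: str, live_dir: str = LIVE_DIR) -> Tuple[str, str]:
    """Return the (certificate, key) paths certbot creates for one domain."""
    base = f"{live_dir.rstrip('/')}/{domain}"
    return f"{base}/fullchain.pem", f"{base}/privkey.pem"


def add_ssl_to_site_config(config: Dict, domain: str, live_dir: str = LIVE_DIR) -> Dict:
    """Step 6 of the post: return a copy of the site_config dict with the
    ssl_certificate / ssl_certificate_key values filled in.  Placing them at
    the top level of site_config.json is an assumption."""
    cert, key = ssl_paths(domain, live_dir)
    updated = dict(config)
    updated["ssl_certificate"] = cert
    updated["ssl_certificate_key"] = key
    return updated


def preflight(configs: Dict[str, Dict],
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Check every site before `sudo service nginx restart` (step 10).

    Returns human-readable problems, one per missing key or missing file; an
    empty list means every site points at certificate files that exist.
    `exists` is injectable so the check can run against constructed data.
    """
    problems: List[str] = []
    for site, cfg in sorted(configs.items()):
        for key in ("ssl_certificate", "ssl_certificate_key"):
            path = cfg.get(key)
            if not path:
                problems.append(f"{site}: missing {key}")
            elif not exists(path):
                problems.append(f"{site}: {key} points to missing file {path}")
    return problems


def load_site_configs(sites_dir: str) -> Dict[str, Dict]:
    """Read sites/<site>/site_config.json for every site in a frappe-bench."""
    return {p.parent.name: json.loads(p.read_text())
            for p in Path(sites_dir).glob("*/site_config.json")}


def save_site_config(sites_dir: str, site: str, config: Dict) -> None:
    """Write a site_config.json back, one key per line."""
    target = Path(sites_dir) / site / "site_config.json"
    target.write_text(json.dumps(config, indent=1, sort_keys=True) + "\n")


if __name__ == "__main__":
    # Constructed sample: two sites, only the first has had a certificate issued.
    sample = {
        "site1.local": add_ssl_to_site_config({"db_name": "db1"}, "erp.example.com"),
        "site2.local": {"db_name": "db2"},
    }

    def fake_exists(path: str) -> bool:
        return path.startswith(f"{LIVE_DIR}/erp.example.com/")

    for problem in preflight(sample, exists=fake_exists):
        print(problem)
```

On a real bench, load_site_configs("sites") followed by preflight(...) with the default os.path.exists tells you which site will make the restart in step 10 fail before you run it; running it after each new site is added keeps one misconfigured site from taking the others offline.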

I shall try this

This post has helped me figure out the solution to how to have both separate sites with different domains to work.

When issuing sudo certbot --nginx

You don't have to select each domain separately; you have to choose the option to install the certificate on both domains at the same time.

Doing this fixes all the issues and both sites work… at least it did for me, on v13 with Ubuntu 20.
