Setup SSL properly

ci2016 · March 16, 2016, 4:55pm

Hello there,

I am trying to setup ssl properly. I’ve used the following instructions:

The changes do not affect anything on erpnext.

So calling http:// will still be unsecured and does not redirect to https. Of course, I did not even come to this point, since the https-version does not work at all.

Calling https://mysite.local gives me the following error in Firefox:

ssl_error_rx_record_too_long

In Chrome:

ERR_SSL_PROTOCOL_ERROR

I hope someone knows about this. Thank you in advance.

Kind regards

Christoph

william · March 16, 2016, 5:12pm

I had to do manually force https redirection when I bought an SSL certificate, I modified the frappe.conf file located on /etc/nginx/conf.d

Let me try to do this and I’ll give you my output. @ci2016

william · March 16, 2016, 5:47pm

UPDATE

@ci2016

Ok, so I added a separate block on the frappe.conf file

server {
    listen 80;
    server_name site.domain.com;
    return 301 https://$host$request_uri;
}

Then restarted nginx
sudo service nginx restart

Now http redirects to https

Let me know how it works with you.

james.graves · March 16, 2016, 11:02pm

The nginx SSL configuration is worth a review before being put into production.

The allowed ciphers include RC4, which is now considered to be insecure.

I am working on a PR to update this, and perhaps add a few more options in the template (bench/bench/templates/nginx.conf).

ci2016 · March 17, 2016, 12:14am

Thank you for your code and instruction. This works for redirecting http to https and so force https, which is a good practice.

But, of course, this doesn’t solve my primary problem, that calling the ERP via https gives me the following error in firefox:

ssl_error_rx_record_too_long

and in Chrome:

ERR_SSL_PROTOCOL_ERROR

william · March 17, 2016, 12:26am

Can you paste your site_config.json file?

ci2016 · March 17, 2016, 9:48pm

Here you go:

{
“ssl_certificate”: “/etc/nginx/ssl/nginx.crt”,
“nginx_port”: 443,
“ssl_certificate_key”: “/etc/nginx/ssl/nginx.key”,
“db_password”: “mydbpassword”,
“db_name”: “mydbname”,
“host_name”: “https://subdomain.hostname.tld”,
“developer_mode”: 0
}

ci2016 · March 26, 2016, 4:55pm

I’ve updated my site_config.json based on Home · frappe/bench Wiki · GitHub

Now its the following:

{
“ssl_certificate”: “/etc/letsencrypt/live/sub.domain.tld/fullchain.pem”,
“nginx_port”: 443,
“ssl_certificate_key”: “/etc/letsencrypt/live/sub.domain.tld/privkey.pem”,
“db_password”: “mydbpassword”,
“db_name”: “mydbname”,
“host_name”: “https://sub.domain.tld”,
“developer_mode”: 0
}

I still have the same error.

ci2016 · April 23, 2016, 12:57pm

It still doesn’t work. The link above (Home · frappe/bench Wiki · GitHub) also got deleted.

sunilsrikumar · April 23, 2016, 2:36pm

@ci2016 One step is missing.

Step 1: After configuring site_config.json like this

$ cd frappe-bench/sites/{{site_name}}
Add the following two lines to your site_config.json
"ssl_certificate": "/etc/letsencrypt/live/example.com/fullchain.pem",
"ssl_certificate_key": "/etc/letsencrypt/live/example.com/privkey.pem"

Step 2: On multi-tenant environment by

bench config dns_multitenant on

Step 3: Regenerate the nginx configuration followed by nginx restart

$ bench setup nginx
$ sudo service nginx restart

Bench will configure the SSL block automatically.

Sunil
Nescode // Partner for ERPNext

ci2016 · April 23, 2016, 3:42pm

@sunilsrikumar Thank you. Unfortunately the error is still the same.

ci2016 · April 23, 2016, 3:47pm

I don’t know why, but in my /etc/nginx/conf.d/frappe.conf both server entries were listening to port 443. After changing the first one to 80 it worked.