Where do I install the SSL certificate for a production site?

Hi all,

We are getting ready to deploy this live for our organization. I am searching the forums and Google left and right with no luck. I am trying to find out where to install the SSL cert. I played around with nginx.conf with no luck. I have seen the suggestion to follow the link https://github.com/frappe/erpnext/wiki/WSGI-Production-Deployment, which doesn't help me much.

Any input on which file specifically to add the SSL info would be great. If possible, I can install nginx manually and proxy to ERPnext though that might be over complicating the problem.

Thanks guys!

The https://github.com/frappe/erpnext/wiki/WSGI-Production-Deployment guide is outdated.

You can add SSL-related directives to the server block at /etc/nginx/conf.d/frappe.conf.

Will be adding SSL to the config generator in frappe soon (hopefully by tomorrow).

Ah makes sense. Thanks for the quick reply. I will play around with this or wait to pull the update with the SSL conf.

Best,

Thanks,

(removed SSLv3 in another commit)
This is untested. If you have expertise, would love your suggestions on the ciphers.
Should I copy from https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/ssl.conf#L6 ?

1 Like

Update bench and try https://frappe.io/kb/deployment/configuring-https

Awesome! Got it working with no major issues, just a few problems on my end with the private key. Have it all set up now.

I added this to /etc/nginx/conf.d/frappe.conf to redirect http to https requests.

    server {
        listen 80;
        server_name erp.YOURWEBSITE.com;
        # permanent (301) redirect of every plain-HTTP request to the HTTPS site;
        # the replacement URL and $request_uri must be one token, with no space between them
        rewrite ^ https://erp.YOURWEBSITE.com$request_uri? permanent;
    }

Thanks again for your support!

We were very successful with this:
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04

Just start at the right step in the instructions.
Of course you could use other crt and key files if already available.

We have our server behind an apache proxy as we need to run multiple servers behind one WAN address.

Contact me if someone needs to know how we did this. It took us a while to figure it out and we gladly share that knowledge.

Cheers
Heikki

1 Like

I believe this is a slightly more desirable way to do it:

    # redirect to https
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

Is there a way to add this to frappe so it automatically adds this directive when generating the config with bench setup nginx?

Yes, I can change the template to spit out another server block for this (I guess would be faster than if) but should there be a way to switch it off?

@skylineservers I agree it should be a 301 http code. I tried adding it to the very end of the element

server {
                listen 80  default ;
...

and then executed systemctl reload nginx. It does not redirect. Could you give instructions on how to configure your code snippet?

This link is dead and should be updated to the current link location.

Hi,

I followed the setup and got one site on my multisite setup working with SSL, but when I follow the same process for the other sites with the same certificate, all SSL traffic points to the last site I moved to SSL. None of the other URLs point to their respective SSL site.

Am I doing something wrong?

I followed the instructions 3 times as it says but still can't get HTTPS to work.

https://kb.frappe.io/kb/deployment/configuring-https

https://104.197.189.126/
http://104.197.189.126/

Anything I might be missing?

Did you set your site URL in site_config.json? Set the hostname to your URL, then save, then run bench update to reload the URL.

Set this in your site_config.json:

"host_name": "https://104.197.189.126"

Sorry for a bunch of questions :smile:
What is the error?
Did you reload nginx?
Did it generate the right nginx config?
Is there anything in the nginx error logs?

My hunch is that nginx either hasn’t picked up the new config or there’s an error in the new config generated. Can you post the output?

Try @DrTrills method if you get a 404 (but that was required 8 months ago due to a bug, not anymore).

@pdvyas

Thanks, I got it to work. I was misplacing the certificate.

Another quick question. Which file do I need to edit in order to force HTTPS instead of HTTP?

Is it the frappe.conf or nginx.conf, and which block should I edit?

Thanks

Should be done at the nginx level.

Remove listen 80 and replace it with the following.

This way you only allow HTTPS

    server {
        listen       443 ssl;
        server_name  yourdomainname.com;

        # certificate chain (PEM) and its private key
        ssl_certificate      yourcertificatepemfilename;
        ssl_certificate_key  yourcertificatekeyfilename;

        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # the rest of the generated server block (location / proxy directives) stays unchanged
    }

1 Like

Thanks @bohlian,

I added what you suggested to the nginx.conf file but it didn't work; it didn't force HTTPS.

I’m currently using the following settings

    server {
        listen 80;
        listen 443 ssl;
        server_name 104.189.197.126;
        ssl_certificate     path/to/my/certificate.crt;
        ssl_certificate_key path/to/my/key.key;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # FORCE HTTPS: redirect any plain-HTTP request
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
    }

Still won’t force HTTPS, but when I go to https://104.197.189.126/, the NGINX index website displays, instead of my ERPNext site.

Any other suggestions?

Thanks

Set the server name as the hostname. I see you're not using that, so make that server block the default for port 80 with:

listen 80 default;

The hostname on the site_config.json?

I only have this on the file, I have no hostname.

{
 "ssl_certificate": "/etc/nginx/conf.d/ssl/certificate.crt",
 "db_name": "xxxxxx",
 "ssl_certificate_key": "/etc/nginx/conf.d/ssl/key.key",
 "db_password": "xxxxxx"
}

It seems I'm overlooking something, as this, I presume, is an easy task.

I added what you suggested to the nginx.conf file and now the nginx server can't be restarted. I get the following error in error.log:

2015/11/23 20:02:20 [emerg] 6950#0: a duplicate default server for 0.0.0.0:80 in /etc/nginx/conf.d/frappe.conf:73
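For reference, here is a complete config in the layout the replies above recommend: a separate port-80 server block that does nothing but redirect (instead of an if inside the TLS block), the ssl_* directives only in the 443 block, and default_server on exactly one block per port, which is what the "duplicate default server" error is complaining about. It also shows a second HTTPS site, since nginx picks the server block from the SNI/Host name and each site needs its own server_name. This is an added example, not a snippet from this thread and not what bench setup nginx generates; the hostnames, the upstream name and port, and the certificate paths are placeholders.

```nginx
# Added example config; not from this thread and not the bench-generated frappe.conf.
# Assumptions (placeholders): hostnames erp.example.com and crm.example.com, the
# application listening on 127.0.0.1:8000, and the certificate/key paths below.

upstream frappe_app {
    server 127.0.0.1:8000;   # assumed app port; check the upstream in your generated frappe.conf
}

# Plain HTTP: this block only redirects. It is the single default_server for *:80,
# so nginx will not complain about a duplicate default server.
server {
    listen 80 default_server;
    server_name erp.example.com crm.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS for the first site.
server {
    listen 443 ssl default_server;   # exactly one default_server per port
    server_name erp.example.com;

    ssl_certificate     /etc/nginx/conf.d/ssl/certificate.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/conf.d/ssl/key.key;           # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;   # drop TLSv1.3 on nginx older than 1.13 / OpenSSL older than 1.1.1
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    location / {
        proxy_set_header Host $host;                 # Frappe selects the site by Host header
        proxy_set_header X-Forwarded-Proto $scheme;  # lets the app build https:// links
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://frappe_app;
    }
}

# HTTPS for a second site on the same box (multisite). A request whose SNI/Host name
# matches no server_name falls through to the default_server above, so every site
# needs its own block with its own server_name.
server {
    listen 443 ssl;                  # no default_server here
    server_name crm.example.com;

    ssl_certificate     /etc/nginx/conf.d/ssl/certificate.crt;   # same cert is fine if it covers both names
    ssl_certificate_key /etc/nginx/conf.d/ssl/key.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://frappe_app;
    }
}
```

Run nginx -t before reloading: if another server block in /etc/nginx/conf.d/frappe.conf already carries default (as in the error above, line 73), keep default_server on only one of them per port. After the reload, curl -I http://erp.example.com/ should answer 301 with a Location: https://... header, and the index page should only ever come from the 443 block.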