Setup LetsEncrypt Wildcard SSL certificate

Kevin Thorne edited this page Apr 21, 2020 · 1 revision

Pre-Requisites

  • You should have the bench installed
  • Private IP mapped with Domain

How To Set Up?

Your setup should be configured for DNS-based multitenancy mode. By default, this mode is disabled. You can switch it on or off using the command:

bench config dns_multitenant on

After enabling DNS multitenancy, run the following command to generate the wildcard SSL certificate:

sudo bench setup wildcard-ssl erpnext.xyz --email test@example.com

While generating the SSL certificate, Let's Encrypt verifies ownership of the domain. For this verification, Certbot prints a TXT record that you must add to your DNS zone, for example:

Please deploy a DNS TXT record under the name

_acme-challenge.erpnext.xyz with the following value:
J50GNXkhGmKCfn-0LQJcknVGtPEAQ_U_WajcLXgqWqo

Note

By default, the bench asks Certbot to generate the certificate for the wildcard domain as well as for the base domain. Certbot therefore issues two TXT challenges, and you have to add two DNS TXT records under the same name.

You can exclude the base domain while generating the SSL certificate by passing --exclude-base-domain, e.g.:

sudo bench setup wildcard-ssl erpnext.xyz --exclude-base-domain

How to check TXT record propagation over DNS?

Because Certbot issues two TXT challenges for the same _acme-challenge name, you need to confirm that the first TXT record has propagated before you add the value for the second one; otherwise the validation of the first challenge can fail.

You can use the dig command to check TXT record propagation, e.g.:

dig -t TXT _acme-challenge.erpnext.xyz
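To avoid continuing before the record is visible, the following added example (not part of the original wiki page or of bench) polls several public resolvers with dig until the _acme-challenge TXT record carries the value Certbot asked for. The resolver IPs, the attempt count and the sleep interval are assumptions; the challenge value is the sample from above.

```shell
#!/bin/sh
# Added example: wait for an ACME DNS-01 TXT record to propagate before
# proceeding with the next challenge. Not part of bench or certbot.

# Extract TXT values from `dig +short` output. Each answer is quoted and a
# long value may be split into chunks ("abc" "def"); join chunks, drop quotes.
txt_values() {
    # $1: raw `dig +short` output
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Return 0 if the expected challenge value is one of the TXT values.
txt_contains() {
    # $1: raw `dig +short` output, $2: expected challenge value
    txt_values "$1" | grep -qxF -- "$2"
}

# Query one resolver for the challenge record of a base domain.
query_txt() {
    # $1: resolver IP, $2: base domain (e.g. erpnext.xyz)
    dig +short @"$1" -t TXT "_acme-challenge.$2"
}

# Poll until every resolver returns the expected value; give up after $3 tries.
wait_for_txt() {
    # $1: base domain, $2: expected value, $3: max attempts, $4: seconds to sleep
    attempt=0
    while [ "$attempt" -lt "$3" ]; do
        ok=1
        for r in 1.1.1.1 8.8.8.8; do   # assumption: public resolvers to check
            if txt_contains "$(query_txt "$r" "$1")" "$2"; then
                echo "resolver $r: record present"
            else
                echo "resolver $r: not yet"; ok=0
            fi
        done
        [ "$ok" -eq 1 ] && return 0
        attempt=$((attempt + 1))
        sleep "$4"
    done
    return 1
}

# Usage (assumed values): poll up to 20 times, 30 s apart, then continue.
# wait_for_txt erpnext.xyz J50GNXkhGmKCfn-0LQJcknVGtPEAQ_U_WajcLXgqWqo 20 30
```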

On successful completion of the above process, you will see the following message from Certbot under IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain.com/privkey.pem
    Your cert will expire on 2018-11-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"


Auto renewal (experimental)

N.B. Although deemed 'experimental', this worked fine for me with the standard install method today, i.e. Aug 18. Obviously, using a non-Ubuntu or non-standard server setup could potentially affect the operation of auto-renew.

Log in as root or as a user with superuser privileges, run crontab -e and enter:

# renew letsencrypt certificates on the 1st Monday of every month and get an email if it gets executed
# (% must be escaped as \% inside a crontab line). nginx is restarted even if the renewal fails,
# so a failed renewal does not leave the site down until the next run.
MAILTO="mail@example.com"
0 0 1-7 * * [ "$(date '+\%a')" = "Mon" ] && sudo service nginx stop && /opt/certbot-auto renew; sudo service nginx start

If you encounter issues with certificate generation, you can raise a new topic (under the Help category) at https://community.letsencrypt.org/