ERPNext Wildcard SSL generation process
Run this to generate the wildcard certificate. Let's Encrypt only issues wildcards over the DNS-01 challenge, so certbot will print a TXT record for _acme-challenge.example.com, wait for you to publish it at your DNS provider, and only then validate:
sudo certbot certonly --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --cert-name example.com -d "*.example.com" -d "example.com"
Notes on the flags: --cert-name pins the lineage directory to /etc/letsencrypt/live/example.com/ so the paths used below are predictable; the apex domain is listed separately because *.example.com does not cover example.com itself. Older guides also pass --manual-public-ip-logging-ok; that flag was deprecated in certbot 1.x and removed in later releases, so leave it out if your certbot rejects it.
- After certbot finishes, confirm what it wrote: sudo certbot certificates lists the lineage with its Certificate Path and Private Key Path under /etc/letsencrypt/live/example.com/. With certonly and the manual plugin certbot only issues the certificate; it does not edit nginx.conf for you, so do not expect the paths to show up there yet.
- Don't run bench setup nginx yet: it regenerates nginx.conf from the site configs, so any cert paths typed into nginx.conf by hand are lost.
- Enter the cert paths into common_site_config.json (one wildcard cert for every site in the bench) or into the site's site_config.json (per-domain certificates), then run bench setup nginx so the generated config picks them up.
For the cert paths, use whichever of these formats suits your setup (both keys are added inside the top-level JSON object, next to the existing keys):
In common_site_config.json, for a wildcard cert shared by all sites:
    "wildcard": {
        "domain": "*.example.com",
        "ssl_certificate": "/etc/letsencrypt/live/example.com/fullchain.pem",
        "ssl_certificate_key": "/etc/letsencrypt/live/example.com/privkey.pem"
    }
In site_config.json, for a site with custom domains (when several domains or subdomains each have their own certificate):
    "domains": [
        {
            "domain": "site1.example.com",
            "ssl_certificate": "/etc/letsencrypt/live/site1.example.com/fullchain.pem",
            "ssl_certificate_key": "/etc/letsencrypt/live/site1.example.com/privkey.pem"
        },
        {
            "domain": "site2.example.com",
            "ssl_certificate": "/etc/letsencrypt/live/site2.example.com/fullchain.pem",
            "ssl_certificate_key": "/etc/letsencrypt/live/site2.example.com/privkey.pem"
        }
    ]
Then run bench setup nginx, check the generated config with sudo nginx -t (a wrong path or an unreadable privkey.pem shows up here, before nginx is touched), and apply it with sudo service nginx reload.
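Editing site_config.json and common_site_config.json by hand is where this procedure usually breaks: a stray comma, a duplicated "domains" entry, or a path to a key that nginx cannot read. The helper below is an added example (not bench, frappe or certbot code) that does the config step above programmatically: it merges the "wildcard" block or a "domains" entry into the existing JSON without dropping other keys, replaces an entry for the same domain instead of duplicating it, and checks that the cert files exist and that the private key is not group/world readable. It assumes certbot's default /etc/letsencrypt/live/<cert-name>/ layout; demo() runs everything in a temporary directory with constructed placeholder files, so it never touches a real bench or /etc/letsencrypt.

```python
"""Merge Let's Encrypt cert paths into bench site configs (added example)."""
import json
import os
from pathlib import Path

LIVE_DIR = "/etc/letsencrypt/live"  # certbot's default lineage directory


def cert_paths(cert_name, live_dir=LIVE_DIR):
    """Paths certbot writes for a lineage: fullchain.pem and privkey.pem."""
    base = Path(live_dir) / cert_name
    return {
        "ssl_certificate": str(base / "fullchain.pem"),
        "ssl_certificate_key": str(base / "privkey.pem"),
    }


def _load(path):
    """Read a JSON config, treating a missing file as an empty object."""
    path = Path(path)
    return json.loads(path.read_text()) if path.exists() else {}


def _save(path, data):
    # indent=1 matches the style bench itself uses for site_config.json
    Path(path).write_text(json.dumps(data, indent=1, sort_keys=True) + "\n")


def check_cert_files(entry):
    """Return problems with one cert entry: missing files or a loose key mode."""
    problems = []
    for key in ("ssl_certificate", "ssl_certificate_key"):
        p = Path(entry[key])
        if not p.exists():
            problems.append(f"{key}: {p} does not exist")
        elif key == "ssl_certificate_key" and p.stat().st_mode & 0o077:
            problems.append(f"{key}: {p} is readable by group/other")
    return problems


def set_wildcard(common_site_config, domain, cert_name, live_dir=LIVE_DIR):
    """Set the 'wildcard' block in common_site_config.json, keeping other keys."""
    data = _load(common_site_config)
    data["wildcard"] = {"domain": domain, **cert_paths(cert_name, live_dir)}
    _save(common_site_config, data)
    return data["wildcard"]


def add_domain(site_config, domain, cert_name, live_dir=LIVE_DIR):
    """Add or replace one entry in the 'domains' list of site_config.json.

    bench accepts plain strings (domain without TLS) as well as dicts in
    this list, so both forms are matched when looking for an existing entry.
    """
    data = _load(site_config)
    domains = data.setdefault("domains", [])
    entry = {"domain": domain, **cert_paths(cert_name, live_dir)}
    for i, existing in enumerate(domains):
        name = existing.get("domain") if isinstance(existing, dict) else existing
        if name == domain:
            domains[i] = entry
            break
    else:
        domains.append(entry)
    _save(site_config, data)
    return domains


def demo():
    """Constructed walk-through in a temp dir; returns the results for inspection."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    live = root / "live"  # stands in for /etc/letsencrypt/live
    for name in ("example.com", "site1.example.com"):  # site2 not issued yet
        (live / name).mkdir(parents=True)
        (live / name / "fullchain.pem").write_text("constructed placeholder\n")
        (live / name / "privkey.pem").write_text("constructed placeholder\n")
        os.chmod(live / name / "privkey.pem", 0o600)
    common = root / "common_site_config.json"
    common.write_text('{"db_host": "127.0.0.1"}\n')
    site = root / "site_config.json"
    site.write_text('{"domains": ["site1.example.com"]}\n')

    results = {}
    results["wildcard"] = set_wildcard(common, "*.example.com", "example.com", live)
    results["common"] = _load(common)  # db_host must survive the edit
    results["wildcard_problems"] = check_cert_files(results["wildcard"])
    add_domain(site, "site1.example.com", "site1.example.com", live)
    add_domain(site, "site2.example.com", "site2.example.com", live)
    results["domains"] = add_domain(site, "site2.example.com", "site2.example.com", live)
    results["site2_problems"] = check_cert_files(results["domains"][1])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

On a real bench, point common_site_config / site_config at sites/common_site_config.json and sites/<site>/site_config.json, run check_cert_files on every entry before bench setup nginx, and only then reload nginx; a non-empty problem list is exactly what would otherwise surface as an nginx start failure.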
After that you can create a crontab to renew the certificate automatically.
As root, run
crontab -e
then add the following lines:
# Renew Let's Encrypt certificates once a day and reload nginx when one was renewed
0 12 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
Caveat for the wildcard issued above: a certificate obtained with --manual and no --manual-auth-hook cannot be renewed unattended. certbot renew will skip it and log that an authentication script must be provided for the manual plugin, so the cron job silently does nothing until the cert expires. For hands-off renewal either pass a --manual-auth-hook script that publishes the _acme-challenge TXT record through your DNS provider's API, or reissue the certificate with one of certbot's DNS plugins (certbot-dns-*) instead of --manual. In both cases confirm with sudo certbot renew --dry-run before relying on the cron job.