# ERPNext Wildcard SSL generation process

## Automated Process

Add custom domain to your site

```plaintext
bench setup add-domain www.example.com
bench setup add-domain example.com
```

Setup lets encrypt for the site

```plaintext
sudo -H bench setup lets-encrypt site.org --custom-domain *.example.com
```

Setup NGINX

```plaintext
bench setup nginx 
sudo service nginx restart 
```

## Manual Process

Run this to generate Wildcard SSL

```plaintext
sudo certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.example.com, example.com"
```

* After the ssl creation with certbot,
    
* check in the nginx.conf and see if the certs has been applied correctly (it should because the certbot does it automatically).
    
* don’t run bench setup nginx yet (this will remove the cert path from nginx.conf)
    
* enter the cert paths into site\_config.json (for single domain) or common\_site\_config.json (for wildcard) then run bench setup nginx
    

For cert path insertion you can see follow these formats (choose which suit your need):

In common\_site\_config.json for wildcard certs:

```plaintext
"wildcard": {
  "domain": "*.example.com",
  "ssl_certificate": "/etc/letsencrypt/live/example.com/fullchain.pem",
  "ssl_certificate_key": "/etc/letsencrypt/live/example.com/privkey.pem"
 }
```

In site\_config.json for site with custom domain (when there are multi domains or subdomains with each own ssl):

```plaintext
 "domains": [
    {
   "domain": "site1.example.com",
   "ssl_certificate": "/etc/letsencrypt/live/site1.example.com/fullchain.pem",
   "ssl_certificate_key": "/etc/letsencrypt/live/site1.example.com/privkey.pem"
    },
    {
   "domain": "site2.example.com",
   "ssl_certificate": "/etc/letsencrypt/live/site2.example.com/fullchain.pem",
   "ssl_certificate_key": "/etc/letsencrypt/live/site2.example.com/privkey.pem"
    }
  ]
```

then run `sudo service nginx restart`

After that you can create a crontab to renew your certificate automatically

* as root user run `crontab -e`
    

then Add the following lines:

```plaintext
# Renew Let's encrypt
0 12 * * * certbot renew --quiet
```
