SSL
- SSL certificate generation with `fm` is done using certbot, the Let's Encrypt client.
- `fm` supports the Let's Encrypt challenges `DNS01` and `HTTP01`.
- For the `DNS01` challenge, `fm` supports only Cloudflare as the DNS provider.
- When setting up a bench, include the `--ssl` flag in the `fm create` command.
- When only the `--ssl` flag is given (no `--letsencrypt-preferred-challenge`): if DNS credentials are present in `fm_config.toml`, the `DNS01` challenge is used by default; `fm` falls back to `HTTP01` if the `DNS01` challenge fails or no DNS credentials are available.
- Remember to point the domain's DNS to the appropriate location (the public IP of the host running the bench) before you run the command. `HTTP01` needs Let's Encrypt to reach the bench on port 80 at that name; `DNS01` needs the zone to be managed in Cloudflare and does not need inbound port 80.

Create a bench with SSL using the `HTTP01` challenge:

```shell
fm create example.com --ssl letsencrypt --letsencrypt-preferred-challenge http01 --letsencrypt-email [email protected]
```
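Before running the command above, confirm that the name actually resolves to this host; an `HTTP01` challenge against a name that still points elsewhere fails and counts against Let's Encrypt's rate limits. The script below is an added example and is not part of `fm`. The resolver is a parameter so the check can be exercised offline against a constructed lookup table; `system_resolver` is the real one, and the addresses in the usage line are placeholders.

```python
"""Pre-flight DNS check to run before `fm create <domain> --ssl letsencrypt`.

Added example, not part of fm. It confirms that the domain resolves to the
public address that will answer the Let's Encrypt challenge, which is the
"point the domain's DNS to the appropriate location" step in code form.
The resolver is a parameter so the logic can be exercised offline against a
constructed lookup table; `system_resolver` is the real one.
"""
import ipaddress
import socket
import sys
from typing import Callable, Iterable

Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> list[str]:
    """Every A/AAAA address the host's resolver returns for `name` (empty if it does not exist)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_dns_points_here(domain: str, expected_ip: str,
                          resolver: Resolver = system_resolver) -> dict:
    """Report whether `domain` resolves only to `expected_ip`.

    Returns {"ok": bool, "resolved": [addresses], "problems": [reasons]}.
    `ok` is True only when every resolved address is the expected one and
    that address is publicly routable, i.e. Let's Encrypt can reach it.
    """
    expected = ipaddress.ip_address(expected_ip)
    resolved = [ipaddress.ip_address(a) for a in resolver(domain)]
    problems = []
    if not resolved:
        problems.append(f"{domain} does not resolve; create the A/AAAA record first")
    for addr in resolved:
        if addr != expected:
            problems.append(f"{domain} resolves to {addr}, not {expected}")
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            problems.append(f"{addr} is not publicly routable; Let's Encrypt cannot reach it")
    return {"ok": not problems, "resolved": [str(a) for a in resolved], "problems": problems}


if __name__ == "__main__":
    # usage: python preflight_dns.py example.com 1.2.3.4   (placeholder address)
    report = check_dns_points_here(sys.argv[1], sys.argv[2])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("ok" if report["ok"] else "fix DNS before requesting a certificate")
    sys.exit(0 if report["ok"] else 1)
```

Note that if the record is proxied through Cloudflare (orange cloud), the name resolves to Cloudflare edge addresses rather than your host, so this check reports a mismatch; it is meant for DNS-only records, which is also the simpler setup for an `HTTP01` validation.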
There are two ways to configure Cloudflare credentials for the `DNS01` challenge (the attributes are listed in the Cloudflare credentials section at the end of this page):

- Use the global config `fm_config.toml` if you want DNS credentials that can be used by all benches.
- Use the bench's `bench_config.toml` if you want credentials that apply to only that one bench.

Create a bench with SSL using the `DNS01` challenge:

```shell
fm create example.com --ssl letsencrypt --letsencrypt-preferred-challenge dns01 --letsencrypt-email [email protected]
```
To enable SSL in an existing bench, use the `--ssl` flag with the `fm update` command. This uses the Let's Encrypt `HTTP01` challenge to generate the certificate unless `--letsencrypt-preferred-challenge dns01` is given. Remember to point the domain's DNS to the appropriate location first.

`DNS01` challenge:

- Update `bench_config.toml` or `fm_config.toml` with the required DNS credential attributes (see the Cloudflare credentials section at the end of this page).

```shell
fm update example.com --ssl letsencrypt --letsencrypt-preferred-challenge dns01 --letsencrypt-email [email protected]
```

`HTTP01` challenge:

- Remember to point the domain's DNS to the appropriate location.

```shell
fm update example.com --ssl letsencrypt --letsencrypt-preferred-challenge http01 --letsencrypt-email [email protected]
```
After changing the config files, run `fm start <bench>` so the bench picks up the changes.
SSL can also be enabled by editing the config files directly instead of passing command-line flags.

`DNS01` challenge, choose one of the following:

- Update `bench_config.toml` with the required DNS credential attributes (see the Cloudflare credentials section at the end of this page), or
- update the global config file `fm_config.toml` with the DNS credential attributes and put only the following in the bench config file `bench_config.toml`. With this configuration the bench takes `api_key` or `api_token` from the global `fm_config.toml`.

```toml
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "dns01"
```
`HTTP01` challenge:

- Remember to point the domain's DNS to the appropriate location.
- Update `bench_config.toml` with the following:

```toml
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# This is used for notifications, recovery.
email = "[email protected]"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "http01"
```

Leave `hsts = "off"` until the certificate has been issued and the site is confirmed to serve correctly over HTTPS. HSTS makes browsers refuse plain HTTP for the lifetime of the header, so enabling it on top of a broken TLS setup locks users out rather than protecting them; once HTTPS is known to work, enable it.
To remove SSL from an existing bench, use `--ssl disable` with the `fm update` command:

```shell
fm update example.com --ssl disable
```

or alternatively use the `fm ssl delete` command:

```shell
fm ssl delete example.com
```
- For automatic SSL certificate renewal, add one of the following cron jobs. Both run at 00:00 on the first day of each month: the first renews a single bench, the second renews every bench managed by `fm`.
- Configure this on the host machine, not inside the containers.
- cron runs with a minimal `PATH`; if the job fails because `fm` is not found, use the absolute path reported by `which fm`. The `>>` redirect only captures standard output, so append `2>&1` if you also want errors in the log. Let's Encrypt certificates are valid for 90 days, so check `renew.logs` after the first scheduled run rather than waiting for an expiry notice.

```shell
0 0 1 * * fm ssl renew example.com >> ~/frappe/logs/renew.logs
0 0 1 * * fm ssl renew --all >> ~/frappe/logs/renew.logs
```
- Cloudflare credentials can be configured using two types of authentication: the account's Global API Key (`api_key`, used together with the account `email`) or an API token (`api_token`). Cloudflare's documentation describes how each is created and what it grants.
- Prefer the API token. The Global API Key has full access to the whole Cloudflare account and cannot be scoped; a token can be limited to `Zone:DNS:Edit` on just the zone(s) the bench uses, which is all the `DNS01` challenge needs, and it can be rotated or revoked on its own.
- Whichever you use, the credential is stored in plaintext in `fm_config.toml` or `bench_config.toml`. Keep those files readable only by the user that runs `fm` (`chmod 600`) and out of backups or repositories that other people can read.

Global credentials, usable by all the benches: add these attributes to the `fm_config.toml` file.
Global API Key:

```toml
...
[letsencrypt]
# email which is used with api_key for the Global API key of Cloudflare.
email = "[email protected]"
# Cloudflare Global API Key for Let's Encrypt DNS01 Challenge.
api_key = "0123456789abcdef0123456789abcdef01234"
...
```
API token:

```toml
...
[letsencrypt]
# This is used for notifications, recovery.
email = "[email protected]"
# Cloudflare API token for Let's Encrypt DNS01 Challenge.
api_token = "0123456789abcdef0123456789abcdef01234567"
...
```
Per-bench credentials, applying only to that bench: add these attributes to the specific bench's `bench_config.toml` file.
Global API Key:

```toml
...
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "dns01"
# email which is used with api_key for the Global API key of Cloudflare.
email = "[email protected]"
# Cloudflare Global API Key for Let's Encrypt DNS01 Challenge.
api_key = "0123456789abcdef0123456789abcdef01234"
...
```
API token:

```toml
...
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "dns01"
# This is used for notifications, recovery.
email = "[email protected]"
# Cloudflare API token for Let's Encrypt DNS01 Challenge.
api_token = "0123456789abcdef0123456789abcdef01234567"
...
```