-
Notifications
You must be signed in to change notification settings - Fork 29
SSL
- SSL generation with
fm
is done using Let's Encrypt clientCertbot
. -
fm
supported Letsencrypt challengesDNS01
andHTTP01
. - For
DNS01
challenge,fm
only supports CloudFlare.
- When setting up a bench, ensure to include the
--ssl
flag in thefm create
command. - When only the
--ssl
flag is given, if DNS credentials are provided infm_config.toml
, the DNS challenge will be used by default and will fall back to HTTPS if the DNS challenge fails or if DNS credentials are not available
- Remember to point the domain's DNS to the appropriate location.
fm create example.com --ssl letsencrypt --letsencrypt-preferred-challenge http01 --letsencrypt-email dummy@email.com
There are two ways to configure creds for this challenge. More info can be found here
- Use global config
fm_config.toml
, if you want to set DNS creds which can be used by all benches. - Use
bench_config.toml
, if you want to use creds for only one bench.
fm create example.com --ssl letsencrypt --letsencrypt-preferred-challenge dns01 --letsencrypt-email dummy@email.com
To enable SSL in an existing bench, use the --ssl
flag with the fm update command. This will utilize the Letsencrypt HTTP01
challenge to generate the SSL certificate. Additionally, remember to point the domain's DNS to the appropriate location.
- Update
bench_config.toml
orfm_config.toml
with the required DNS creds attributes using this guide.
fm update example.com --ssl letsencrypt --letsencrypt-preferred-challenge dns01 --letsencrypt-email dummy@email.com
- Remember to point the domain's DNS to the appropriate location.
fm update example.com --ssl letsencrypt --letsencrypt-preferred-challenge http01 --letsencrypt-email dummy@email.com
Remember after changing the config files use please run command fm start <bench>
to reflect the changes in bench.
- Update
bench_config.toml
with the required DNS creds attributes using this guide.
This configuration will utilize the fm_config.toml
which is global configuration attributes to get api_key
or api_token
.
-
Update global config file
fm_config.toml
with the required DNS creds attributes using this guide. -
Update bench config file
bench_config.toml
with the following
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "dns01"
- Remember to point the domain's DNS to the appropriate location.
- Update
bench_config.toml
with the following
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# This is used for notifications, recovery.
email = "cloudflare@example.com"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "http01"
To remove SSL from an existing bench, use the –ssl flag with the fm update command
fm update example.com --ssl disable
or alternatively you can use the fm ssl delete command
fm ssl delete example.com
- For automatic SSL certificate renewal, add the following cron job. This cron will execute at midnight on the first day of each month.
- Configure this in
host
machine not in the containers.
0 0 1 * * fm ssl renew example.com >> ~/frappe/logs/renew.logs
0 0 1 * * fm ssl renew --all >> ~/frappe/logs/renew.logs
- Cloudflare credentials can be configured using two type of authentication. Please read this to understand
api_key
( CloudFlare Global API Key ) andapi_token
( CloudFlare API Token ) utilization and creation process requirements.
- Can be utilized by all the benches.
- Add these attributes to
fm_config.toml
file.
...
[letsencrypt]
# email which is used with api_key for the Global API key of Cloudflare.
email = 'cloudflare@example.co'
# Cloudflare Global API Key for Let's Encrypt DNS01 Challenge.
api_key = '0123456789abcdef0123456789abcdef01234'
...
[letsencrypt]
# This is used for notifications, recovery.
email = 'cloudflare@example.co'
# Cloudflare API token for Let's Encrypt DNS01 Challenge.
api_token = '0123456789abcdef0123456789abcdef01234567'
Add these attributes to the specific bench's bench_config.toml
file.
...
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "dns01"
# email which is used with api_key for the Global API key of Cloudflare.
email = 'cloudflare@example.co'
# Cloudflare Global API Key for Let's Encrypt DNS01 Challenge.
api_key = "0123456789abcdef0123456789abcdef01234"
...
[ssl]
# Sets the SSL type to be used by the bench, in this case, "letsencrypt" for Let's Encrypt.
ssl_type = "letsencrypt"
# Controls the HSTS (HTTP Strict Transport Security) header used by the bench.
# When set to "off", the HSTS header will not be included.
hsts = "off"
# Specifies the preferred Certbot challenge method to be used for Let's Encrypt certificate validation.
preferred_challenge = "dns01"
# This is used for notifications, recovery.
email = 'cloudflare@example.co'
# Cloudflare API token for Let's Encrypt DNS01 Challenge.
api_token = '0123456789abcdef0123456789abcdef01234567'