Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup

So you’d like to enable SSL for your Docker-based Discourse setup? Let’s do it!

This guide assumes you used all the standard install defaults – a container configuration file at /var/discourse/containers/app.yml and Discourse Docker installed at /var/discourse.

Buy a SSL Certificate

Go to Namecheap or some other SSL cert provider and purchase an SSL cert for your domain. Follow all the steps documented by them to generate a private key and CSR and finally get your cert. I used the Apache defaults; they will work fine.

Keep your private key and cert somewhere safe.

Place the Certificate and Key

Get a signed cert and key and place them in the /var/discourse/shared/standalone/ssl/ folder

Private key is:


Cert is


File names are critical; do not stray from them or your nginx template will not know where to find the cert.

Have a look at your app.yml configuration file to see where the shared folder is mounted.

  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared

In essence, the files must be located at /shared/ssl/ssl.key and /shared/ssl/ssl.crt inside the container.

For all clients to find a path from your cert to a trusted root cert (i.e., not give your users any warnings), you may need to concatenate the cert files from your provider like so:

cat "Your PositiveSSL Certificate" "Intermediate CA Certificate" "Intermediate CA Certificate" >> ssl.crt

Configure NGINX

Add a reference to the nginx ssl template from your app.yml configuration file:

  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/sshd.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"

Configure your Docker Container

Tell your container to listen on SSL

  - "80:80"
  - "2222:22"
  - "443:443"

Bootstrap your Docker Container

Rebuild your app

./launcher rebuild app

Profit, you are done!


Be sure to read through the logs using

./launcher logs app

if anything goes wrong.

How this works

The template used is vaguely based on @igrigorik’s recommended template with two missing bits:

  • I skipped OCSP stapling cause it involves a slightly more complex setup
  • I had to skip session tickets setting which is not available until we use mainline

The image has rewrite rules that will redirect any requests on either port 80 or 443 to https://DISCOURSE_HOST_NAME , meaning that if you have a cert that covers multiple domains they can all go to a single one.

Customising this setup is very easy, see:

You can make a copy of that file and amend the template as needed.

The advantage of using templates and replace here is that we get to keep all the rest of the Discourse recommended NGINX setup, which changes over time.

Testing your config

See SSL Server Test (Powered by Qualys SSL Labs) to make sure all is working correctly. It is possible for some browsers and OS combinations to be happy with partially configured https, so check it here first.
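
As an added example (not part of the original guide or of Discourse's own tooling), this shell function checks the ssl.crt and ssl.key placed in the shared folder before a rebuild: it confirms that the first certificate in the bundle belongs to the key, which is the check that fails when the files are concatenated in the wrong order, and that its issuer follows it. The function names and return codes are assumptions of this example, and it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example: pre-flight check of ssl.crt / ssl.key before `./launcher rebuild app`.
# The default directory is the host path named in the guide; pass another to test.

# Print the n-th PEM certificate of a bundle (1 = the server certificate).
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"; }

# Print a certificate's subject or issuer DN (PEM on stdin) without the label.
dn() { openssl x509 -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Return 0 when the pair is usable; otherwise explain on stderr and return non-zero.
check_ssl_dir() {
    dir=${1:-/var/discourse/shared/standalone/ssl}
    crt="$dir/ssl.crt"; key="$dir/ssl.key"
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "ssl.crt or ssl.key missing in $dir" >&2; return 2
    fi
    # openssl x509 reads only the first certificate in the file, which is the
    # one nginx presents as the server certificate.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "ssl.crt: first block is not a readable certificate" >&2; return 3; }
    # -passin pass: makes a passphrase-protected key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "ssl.key: not a readable unencrypted private key" >&2; return 3; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "first certificate in ssl.crt does not belong to ssl.key (check order)" >&2
        return 4
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "server certificate has expired" >&2; return 5
    fi
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt")" -lt 2 ]; then
        echo "ssl.crt has no intermediate certificate appended" >&2; return 6
    fi
    # The second certificate should be the issuer of the first.
    if [ "$(nth_cert "$crt" 1 | dn issuer)" != "$(nth_cert "$crt" 2 | dn subject)" ]; then
        echo "second certificate in ssl.crt did not issue the first" >&2; return 7
    fi
    return 0
}
```

Source the file and call `check_ssl_dir` with no argument to check /var/discourse/shared/standalone/ssl, or pass another directory that holds ssl.crt and ssl.key.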


Quick question. What is the best way to handle intermediate certs? Should I include the .pem file by modifying the template and adding a line like:

ssl_certificate /shared/ssl/bundle.pem;

Will this work, or do I need to do something else? Perhaps cat everything into a single .pem? Thanks.


Nginx doesn’t support intermediate certs as separate files, so you’ll need to concatenate your intermediate cert and your server cert together to create a chain certificate:

cat server_certificate.pem intermediate_cert.pem > chain_cert.pem

Thanks for this guide. Worked flawlessly, still exact advice in 2018.


Thank you for the guide. Still works in May 2018.

Just for a later newbie like me:
I used a GoDaddy SSL certificate. GoDaddy will give you two .crt files. One is a randomly named file like “bd1ab39ff96d6ed5.crt”, another one is “gd_bundle-g2-g1.crt”. The randomly named one is “Your PositiveSSL Certificate”, and the “gd_bundle-g2-g1.crt” is (GoDaddy’s, I guess) “Intermediate CA Certificate” as mentioned below. If you get them in the wrong order, you will get a key values mismatch error. Check here for more.


Thank you for the guide.

I was able to enable SSL after following the guide. But now it’s redirecting HTTP requests to HTTPS, which I do not want. I want to use both HTTP and HTTPS. If the user enters http in the URL it should open in HTTP mode. If the user enters https then it should open in HTTPS. How can I achieve this?


Best practice nowadays is to always use HTTPS if available - under what circumstances do you not want this to happen?



Hi, I installed my discourse following the Beginner Docker install guide
Can I follow this guide to set my SSL?

I would not recommend it. As you followed the official guide, simply re-run ./discourse-setup and provide an email when requested for Let's Encrypt account email?. Providing an email there will obtain a SSL cert from Let’s Encrypt and configure renewal for you, no additional effort needed.


Thanks! I just bought an SSL from Godaddy… I did not know Let’s Encrypt until I found this guide… So can I use my paid SSL?

Ah, yes. If you already bought an SSL cert this is the guide for you.


Thanks. Another question, do you know what’s the difference between the free SSL and paid SSL? I’m not familiar with SSL.

There isn’t a technical difference, either will work. The only practical difference is that one is free, and the other you paid for :wink:.


One might call it scammed for :-/

If I can get the money back, I will donate it to the Discourse.

A small question, the files must be located at /shared/ssl/ssl.key or ‘/shared/standalone/ssl/ssl.key’? Sorry my reading is poor. I see both these two paths

They should be at shared/standalone/ssl/ssl.key outside the container. The path without standalone is the location the file will be inside the container.

The other difference is that the paid certificate will have to be manually upgraded when it expires. So, it’s harder now and will be harder later. And if you use the paid certificate now, you’ll need to undo that stuff to switch to the free certificate later.

If you like pain, you should definitely take these steps to use the cert you bought. Otherwise, just run the setup script again, hit return a few times and type your endo address.


Thanks! Understand now.