Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup

(Sam Saffron) #1

So you’d like to enable SSL for your Docker-based Discourse setup? Let’s do it!

This guide assumes you used all the standard install defaults – a container configuration file at /var/discourse/containers/app.yml and Discourse docker installed at /var/discourse

Buy an SSL Certificate

Go to namecheap or some other SSL cert provider and purchase an SSL cert for your domain. Follow all the steps documented by them to generate a private key and CSR and finally get your cert. I used the apache defaults; they will work fine.

Keep your private key and cert somewhere safe.

Place the Certificate and Key

Get a signed cert and key and place them in the /var/discourse/shared/standalone/ssl/ folder

Private key is:


Cert is


File names are critical; do not stray from them, or your nginx template will not know where to find the cert.

Have a look at your app.yml configuration file to see where the shared folder is mounted.

  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared

In essence, the files must be located at /shared/ssl/ssl.key and /shared/ssl/ssl.crt inside the container.

For all clients to find a path from your cert to a trusted root cert (i.e., not give your users any warnings), you may need to concatenate the cert files from your provider like so:

cat "Your PositiveSSL Certificate" "Intermediate CA Certificate" "Intermediate CA Certificate" >> ssl.crt

Configure NGINX

Add a reference to the nginx ssl template from your app.yml configuration file:

  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/sshd.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"

Configure your Docker Container

Tell your container to listen on SSL

  - "80:80"
  - "2222:22"
  - "443:443"

Bootstrap your Docker Container

Rebuild your app

./launcher rebuild app

Profit, you are done!


Be sure to read through the logs using

./launcher logs app

if anything goes wrong.

How this works

The template used is vaguely based on @igrigorik’s recommended template with two missing bits:

  • I skipped OCSP stapling cause it involves a slightly more complex setup
  • I had to skip the session tickets setting, which is not available until we use mainline

The image has rewrite rules that will redirect any requests on either port 80 or 443 to https://DISCOURSE_HOST_NAME , meaning that if you have a cert that covers multiple domains they can all go to a single one.

Customising this setup is very easy, see:

You can make a copy of that file and amend the template as needed.

The advantage of using templates and replace here is that we get to keep all the rest of the Discourse recommended NGINX setup, which changes over time.

Testing your config

See SSL Server Test (Powered by Qualys SSL Labs) to make sure all is working correctly. It is possible for some browsers and OS combinations to be happy with partially configured https, so check it here first.

(Tommy Mancino) #18

Quick question. What is the best way to handle intermediate certs? Should I include the .pem file by modifying the template and adding a line like:

ssl_certificate /shared/ssl/bundle.pem;

Will this work, or do I need to do something else? Perhaps cat everything into a single .pem? Thanks.

(Lee_Ars) #19

Nginx doesn’t support intermediate certs as separate files, so you’ll need to concatenate your intermediate cert and your server cert together to create a chain certificate:

cat server_certificate.pem intermediate_cert.pem > chain_cert.pem
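
A pre-rebuild check for the ssl.crt and ssl.key files described in the first post and for the concatenation order given in #19, as an added example that is not part of the thread or of Discourse's own tooling. It confirms that the first certificate in the bundle matches the private key and that each certificate is followed by its issuer. The function name check_bundle and its exit codes are choices made for this example; it assumes openssl, awk and mktemp are installed.

```shell
#!/bin/sh
# Added example: sanity-check the Discourse SSL files before ./launcher rebuild app.
# Usage: sh check_bundle.sh /var/discourse/shared/standalone/ssl/ssl.crt \
#                           /var/discourse/shared/standalone/ssl/ssl.key
# Exit codes (chosen for this example): 0 ok, 1 key mismatch, 2 bad order, 3 no cert.

check_bundle() (
    crt=$1 key=$2
    tmp=$(mktemp -d) || exit 3
    trap 'rm -rf "$tmp"' EXIT

    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$crt"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    [ "$n" -ge 1 ] || { echo "no certificate found in $crt" >&2; exit 3; }

    # The first certificate must be the server cert, i.e. carry the
    # public key that belongs to ssl.key.
    cert_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey) || exit 3
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "first cert in $crt does not match $key" >&2
        exit 1
    fi

    # Each certificate must be issued by the one that follows it.
    i=1
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i is not issued by cert $next: wrong order?" >&2
            exit 2
        fi
        i=$next
    done
    echo "ok: $n certificate(s), key matches, order is server cert first"
)

# Run the check when called with the two file paths.
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

The check only compares names and public keys; it does not validate signatures or expiry, so the SSL Labs test mentioned in the first post is still worth running after the rebuild.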
