I asked about DNS validation for Let's Encrypt? and was pointed here, and it looks like this method will be a pretty straightforward way for me to run an ACME client in the base OS to get and renew Let’s Encrypt certs using DNS validation.
But, of course, the cert will renew every couple of months. How can I most simply have Discourse load the new certs? I know launcher rebuild app will do it, but that seems pretty excessive–is there a less time-consuming command to accomplish this?
Perhaps I’m misunderstanding how the web SSL template works, but no rebuild should be necessary with an updated certificate. What I’d recommend is creating symlinks from /var/discourse/shared/standalone/ssl to /etc/letsencrypt/live/... or wherever the auto-renewed certs are stored.
I certainly wouldn’t think so–but nginx needs to know to use the new cert. In a non-Docker environment, I’d run something like service nginx reload (without systemd) or systemctl reload nginx (with it) to do a graceful reload of the configuration and start using the new cert without interrupting existing connections.
First, the usual question: what is the reason you’re going through this process, rather than using automatically renewing certs via Let’s Encrypt? Manual certs are more complicated, require a deeper knowledge of Linux system administration and cryptography, and of course aren’t free.
What are the certs? Have you looked at them? The only thing I can think of that would be creating certs automatically is Let’s Encrypt. If they’re being created, they should be valid…
ECC is Elliptic Curve Cryptography, a type of key algorithm. Presumably that cert uses the ECDSA algorithm while the “regular” one uses a different algorithm.
I left the default in the app.yml which uses Let’s Encrypt. This was certainly an error from my side. The key is an empty file. I believe it comes from the fact that Let’s Encrypt fails to connect back to the machine.
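One way to do the copy-and-reload described in the replies above, as a shell script added here (not from the original thread and not Discourse's own tooling): it refuses to swap in an empty or mismatched key before reloading nginx, which is exactly the failure mode of the empty key file mentioned in the last post. It copies the files instead of symlinking because /etc/letsencrypt is not mounted into the container, so a symlink would dangle inside it. The container name app, the placeholder domain forum.example.com, the ssl.crt/ssl.key filenames of the web.ssl template, and reloading via runit's sv reload nginx inside the container are assumptions.

```shell
#!/bin/sh
# Added example, intended as a certbot deploy hook or cron job on the host.
# All paths and names below are assumptions; adjust them to your install.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/forum.example.com}"  # placeholder domain
SSL_DIR="${SSL_DIR:-/var/discourse/shared/standalone/ssl}"        # host side of /shared/ssl
CONTAINER="${CONTAINER:-app}"                                     # Discourse container name

# Returns 0 only when both files are non-empty and the private key matches the
# certificate's public key. Works for RSA and EC (ECDSA) keys alike.
cert_key_pair_ok() {
  cert="$1"; key="$2"
  [ -s "$cert" ] || { echo "certificate missing or empty: $cert" >&2; return 1; }
  [ -s "$key" ]  || { echo "private key missing or empty: $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "unreadable certificate: $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable private key: $key" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
}

# Copy the renewed pair into the shared ssl directory and HUP nginx inside the
# container. Nothing is touched if the pair check fails, so a bad renewal cannot
# take the site down; the old certificate simply stays in place.
install_and_reload() {
  cert_key_pair_ok "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" || return 1
  install -m 0644 "$LIVE_DIR/fullchain.pem" "$SSL_DIR/ssl.crt" || return 1
  install -m 0600 "$LIVE_DIR/privkey.pem" "$SSL_DIR/ssl.key" || return 1
  # runit's `sv reload` sends SIGHUP; nginx treats that as a graceful reload,
  # the in-container equivalent of `service nginx reload` on the host.
  docker exec "$CONTAINER" sv reload nginx
}

# Only act when invoked as `./renew-hook.sh run`, so sourcing the file is harmless.
if [ "${1:-}" = "run" ]; then
  install_and_reload
fi
```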
Is there a command option to install a new TLS certificate without running “./launcher rebuild app”?
I ask because our servers are running on v2.4.0beta5 with a custom plugin that breaks on anything after v2.5. When I run “./launcher rebuild app,” my system magically gets upgraded to v2.6.0.beta1
I understand the right way to go about this would be to hire a developer to re-write the plugin for v2.6.0beta1, but the TLS cert expires in a month, and I feel concerned that I may not have enough time for them to complete the work.