Discourse deploy on lightsail: "connection refused"

Hello,

I recently followed the install-cloud guide to install discourse on an AWS lightsail instance. Despite closely following the instructions and starting from scratch several times I unfortunately get a “connection refused” error when attempting to access my forum.

The steps I followed were:

  1. Create a new lightsail instance
  2. Assign a static IP address
  3. Open port 443
  4. Point my subdomain (forum.procedural.audio) to the IP address
  5. Follow the discourse installation commands in the guide, including providing an email address for LETS_ENCRYPT
  6. Browsing to my forum… connection refused

Running ./discourse-doctor outputs that the discourse version at forum.procedural.audio is NOT FOUND. I can successfully receive a test email from discourse.

Running ping forum.procedural.audio doesn’t receive data back but does find the correct static IP.

I noticed the following errors in the logs

$ ./launcher logs app
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/forum.procedural.audio.cer": PEM_read_bio_X509_AUX() failed (S
SL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
(repeats many more times)

So it seems like the problem is SSL related, though I’m unsure how to fix it. In the shared/standalone/ssl/ directory there are four files

  1. forum.procedural.audio.cer (file is empty)
  2. forum.procedural.audio.key (file contains a key)
  3. forum.procedural.audio_ecc.cer (file is empty)
  4. forum.procedural.audio_ecc.key (file contains a key)

So I’m not sure if the .cer files being empty is part of the problem. I also notice, however, that the logs indicate it is looking for the file at /shared/ssl/* instead of /shared/standalone/ssl/*, which also seems relevant.

Thanks for your assistance.

1 Like

The problem is that your lightsail instance isn’t contactable externally. That’s what discourse-doctor was telling you - if you only opened port 443 this is probably why.

HTTPS on 443 isn’t going to work until you have a certificate. You don’t have a certificate (and those certificate files are empty) because let’s encrypt was unable to enroll due to the communications issue.

Assuming you assigned a static external address, also open port 80, then try again. 80 will need to be open anyhow so that any client which connects via HTTP can be redirected.

I just checked and this hostname is invalid. You need to fix that first.

cannot resolve forum.procedural.audio: Unknown host
1 Like

Ports 22 and 80 are open by default for lightsail instances. So I don’t think opening port 80 is the solution.

Sorry do you mind elaborating more? In what sense is the hostname invalid?

forum.procedural.audio doesn’t appear in DNS, or to put it another way the hostname doesn’t resolve to an IP. I’ve just checked via CloudFlare and Google DNS, neither can find that hostname. If I can’t resolve it, then neither can discourse-doctor.

When did you create the ‘a’ record for your server? Have you checked their replication times?

Make sure this is fixed before you try to build the server again. Let’s Encrypt gives a finite number of tries to enrol/renew and when you hit that you won’t be able to get a certificate for seven days.

1 Like

I’ve had the domain in namecheap for two days, which points to route 53 (the extra layer of indirection is because route 53 doesn’t support .audio domains). The main domain entry has existed for most of those two days. The subdomain record there has existed for about an hour.

If this was the problem then I think running ping forum.procedural.audio from my instance would fail to resolve the IP address. But the IP does resolve.

It doesn’t resolve externally, Let’s Encrypt uses DNS to ensure the server is what it asserts to be.

ping forum.procedural.audio
ping: cannot resolve forum.procedural.audio: Unknown host

Hmm. Well DNS Checker - DNS Check Propagation Tool shows that the name resolves in a bunch of places, so maybe it’s a propagation issue. When I have 1.1.1.1 or 8.8.8.8 look it up, I get no response. NS-337.AWSDNS-42.COM does return it though, so you might just need to wait a while.

But discourse-setup will try to look up the address and see if it can connect to itself. If that is failing it’s typically either a DNS issue or that ports are not open.

1 Like

Hello,

It has been almost a week and I continue to be unable to deploy a forum. Does anyone have additional ideas? Ports 80 and 443 are open. I do not think this is a DNS issue – discourse-doctor does not find the discourse version at localhost (in addition to at forum.procedural.audio). Any help is appreciated.

nslookup.exe forum.procedural.audio
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find forum.procedural.audio: Server failed

It is a DNS issue.

3 Likes

Hmmm DNS Checker - DNS Check Propagation Tool shows it has propagated to 31/32 locations. I’ve never heard of DNS records taking over 144 hours to propagate. But now checking https://www.nslookup.io/domains/forum.procedural.audio/dns-records/#cloudflare I see Cloudflare and Google can’t resolve it, though the authoritative server can.

So I guess I was wrong but I’m unsure what to do about this. I’m unsure why discourse-doctor can’t find the discourse version at localhost.

So you have a dns problem.

And if you’ve done lots of rebuilds, you have a let’s encrypt rate limiting issue.

1 Like
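
A pre-flight check for the situation in this thread, as an added example that is not part of any post and is not Discourse's own code: it asks the two public resolvers named above (1.1.1.1 and 8.8.8.8) for the A record before another rebuild is attempted, and classifies the .cer files to explain nginx's "no start line" error. The function names and the expected-IP argument are assumptions, and `dig` must be installed.

```shell
#!/bin/sh
# Added example: checks to run before another rebuild. Hypothetical helper names.
# Usage (IP is a placeholder for the instance's static address):
#   preflight forum.procedural.audio <static-ip> shared/standalone/ssl

# cert_status FILE -> missing | empty | not-pem | ok
# A zero-byte .cer is what makes nginx log "PEM routines ... no start line".
cert_status() {
  [ -e "$1" ] || { echo missing; return 0; }
  [ -s "$1" ] || { echo empty; return 0; }
  if grep -q -e '-----BEGIN .*CERTIFICATE-----' "$1"; then echo ok; else echo not-pem; fi
}

# resolve_via HOST RESOLVER -> first A record that resolver returns, or nothing.
resolve_via() {
  dig +short +time=3 +tries=1 A "$1" "@$2" 2>/dev/null |
    grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# dns_verdict EXPECTED_IP RESOLVER=ANSWER... -> status 0 only if every answer matches.
# Runs in a subshell so its variables do not leak into the caller.
dns_verdict() (
  expected="$1"; shift; rc=0
  for pair in "$@"; do
    resolver="${pair%%=*}"; answer="${pair#*=}"
    if [ "$answer" = "$expected" ]; then
      echo "ok   $resolver -> $answer"
    else
      echo "FAIL $resolver -> ${answer:-no answer}"; rc=1
    fi
  done
  return "$rc"
)

# preflight HOST EXPECTED_IP SSL_DIR -> status 0 only when public DNS is ready.
preflight() {
  dns_verdict "$2" \
    "1.1.1.1=$(resolve_via "$1" 1.1.1.1)" \
    "8.8.8.8=$(resolve_via "$1" 8.8.8.8)" || {
      echo "public DNS not ready: a rebuild now would spend a Let's Encrypt attempt"
      return 1
    }
  # Informational: empty files here mean no certificate has been issued yet.
  for f in "$3/$1.cer" "$3/${1}_ecc.cer"; do
    echo "$f: $(cert_status "$f")"
  done
}
```
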