Discourse not accessible - SSL Issue

Hi there,

Forum is here: https://forum.survivingeconomicabuse.org/

I’ve been told this is now inaccessible due to the expired SSL certificate.

I set the site up last summer and the forum was secured but obviously it’s been unable to renew the cert (I think). I’ve looked through various threads on how to force the certificate etc but nothing seems to work. There was also a suggestion of deleting the existing certificates and rebuilding the app, that hasn’t worked either.

Wondering if anyone can give me some pointers on this, I’m not bad with command line but no expert by any means.

Thanks!

You need to rebuild.

  cd /var/discourse
  ./launcher rebuild app

I have tried rebuilding a few times without any success, but trying again just in case

I’ve tried rebuilding and the site is the same unfortunately

Run this first

apt-get update
apt-get upgrade

Interesting, I’m getting the default apache page under http:// now? That’s weird isn’t it?

No, it’s not. Your SSL expired, so you can browse under http.

That suggests that you have apache running on your server and that you should remove or disable it. And if you’ve done a bunch of rebuilds, you probably have been rate limited and can’t get a new cert for a week.


Please correct me if I’m wrong: you can also check /var/discourse/shared/standalone/letsencrypt/acme.sh.log to look for errors.

I’ve removed apache but I still can’t access the forum

Is there anything else I can do at this point to fully understand the issue?

I get permission denied trying this…

As far as I know, by default, Discourse doesn’t work without https.

However, maybe you can try to comment these lines (by appending a #) in /var/discourse/container/app.yml and rebuild the app?

#  - "templates/web.ssl.template.yml"
#  - "templates/web.letsencrypt.ssl.template.yml"

Are you logged in as root on your server? How do you connect to it?

I had actually commented them out previously, so I added them back and rebuilt, and no change.

I’m logged in via root on DigitalOcean

If you don’t have any other application on your server, you could simply format/reset to have a fresh server and reinstall Discourse (download your backups before!) and then restore your Discourse backup.

But as Jay says,


That said, I’m wondering. In this case, would commenting the SSL lines in app.yml make the forum work in HTTP, and after a week we could uncomment the line, do a rebuild, and get a working certificate?

What happens when you try?

Did you try a

./launcher start app

But you probably need to

  ./launcher rebuild app

But, as I stated earlier, you have likely rebuilt enough times that you are hitting Let’s Encrypt’s rate limits. You can either wait a week or try Setting up Let’s Encrypt with Multiple Domains and just add some other subdomain (that you first create a DNS entry pointing to your server) and try rebuilding again.

You can look at

  tail  /var/discourse/shared/standalone/logs/var-log/nginx/error.log

to see nginx errors.

start app = “Nothing to do, your container has already started”

I’ve rebuilt recently without making any additional changes.

I’ve performed: ls -l /var/discourse/shared/standalone/ssl

And it looks like I have new certs?

tail /var/discourse/shared/standalone/logs/var-log/nginx/error.log

gives me a no such file or directory error?

Try with sudo:
sudo nano /var/discourse/shared/standalone/letsencrypt/acme.sh.log

@stuartleech I see your issue is still not resolved. Is there something I can help with?

Sorry, that was supposed to be this:

root@forum:~# tail  /var/discourse/shared/standalone/log/var-log/nginx/error.log
2022/02/04 17:04:01 [emerg] 19332#19332: cannot load certificate "/shared/ssl/forum.survivingeconomicabuse.org.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
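
The nginx error above ("no start line") means the file nginx was told to load contains no PEM certificate header, which is what a failed issuance leaves behind. As an added example that is not part of the thread, this shell function classifies a certificate file on the host; the function name `check_cert` is hypothetical, and it assumes the container's /shared directory is /var/discourse/shared/standalone on the host.

```shell
#!/bin/sh
# Added example: classify a certificate file that nginx refuses to load.
# Prints one word:
#   missing | empty | no-start-line | unparseable | expired | ok | pem-unverified

check_cert() {
    cc_cert="$1"
    # Seconds of validity that must remain (default 0 = valid right now).
    cc_min_left="${2:-0}"

    [ -e "$cc_cert" ] || { echo "missing"; return 0; }

    # A failed issuance can leave a zero-byte file in the ssl directory.
    [ -s "$cc_cert" ] || { echo "empty"; return 0; }

    # "no start line" from nginx: no PEM certificate header in the file.
    grep -q -e '^-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$cc_cert" \
        || { echo "no-start-line"; return 0; }

    # Without openssl only the header check is possible.
    command -v openssl >/dev/null 2>&1 || { echo "pem-unverified"; return 0; }

    # The header is present but the body may still be garbage.
    openssl x509 -in "$cc_cert" -noout >/dev/null 2>&1 \
        || { echo "unparseable"; return 0; }

    # -checkend exits non-zero if the cert expires within the given seconds.
    if openssl x509 -in "$cc_cert" -noout -checkend "$cc_min_left" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "expired"
    fi
}

# Stand-alone use (path is a placeholder for the host-side file):
#   sh check_cert.sh /var/discourse/shared/standalone/ssl/<hostname>.cer
if [ "$#" -ge 1 ]; then
    check_cert "$@"
fi
```

A result of `empty` or `no-start-line` points at issuance having failed rather than at nginx itself, so the next place to look is the acme.sh log mentioned earlier in the thread.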

I’m working on this and still having ssl issues. I can’t tell if the ip has been rate limited or there is some networking or firewall issue that I’m not seeing.


FWIW, this helped me fix my SSL issue. Thank you!
