Discourse version at forum.abc.com.au: NOT FOUND

Discourse installed using official guide on github
Everything went well. but getting 502 error while accessing forum

tried checking rails production logs, and nothing I could see production_error or sidekiq logs

did see this with tail
Creating scope :open. Overwriting existing method Poll.open.
Creating scope :open. Overwriting existing method Poll.open.
Can’t reach ‘/images/welcome/discourse-edit-post-animated.gif’ to get its dimension.

running discourse doctor says

Discourse version at forum.abc.com.au: NOT FOUND

tried disabling ssl and rebuild it, able to access the forum.

There must be problem with ssl, which I can’t figure out. While installing ssl connection to IP resolution succeeded

Pleasae help

1 Like

It sound like before you enabled https you linked to non secure images.

1 Like

@pfaffman Thank you for the reply.

It’s a fresh install. No way we can manually link

After digging into all logs, could found this is the error is with LetsEncrypt cert issuance. Anyone facing similar issue might help below.

first I saw this error in Nginx logs

cannot load certificate "/shared/ssl/forum.abc.com.au.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

then tried to check ssl logs

forum.abc.com.au:Verify error:CAA record for forum.abc.com.au prevents issuance

Before running discourse install script for sub domain we need to verify if main domain is having any CAA records and check the Certificate Authority if it’s not LetsEncrypt (In my case, main domain CAA is comodoca.com) , your letsencrypt certs for discourse won’t be issued

Fix: You need to add CAA record for discourse subdomain as mentioned here
Acme:error:caa :: CAA record for ... prevents issuance - Help - Let's Encrypt Community Support

Delete the old cert files and try rebuilding again

rm -rf /var/discourse/shared/standalone/ssl
rm -rf /var/discourse/shared/standalone/letsencrypt
./launcher rebuild app

If you know a way to test for those records that requires no extra software, I’d consider having discourse-setup test for it, but I’ve never seen this before.

Nice work figuring that one out!

It’s a fair assumption that if you own a domain and know what CAA is to have been able to configure it that your understand the implications of let’s encrypt.


dig caa {domain.tld} will return the record.
We want to first search if it returns any record
Then if returns whether the issue authority is other than letsencrypt.org

But this is very rare case. Not sure if we want to include that.


Correct. if I own a domain, I know what I’m doing with it.
I was helping somebody, this problem might have with hosts that are using cpanel and providing autossls with other providers such as comodo. They add bunch of records by default when they create a site (WordPress) in cpanel

Anyway, this is very rare case, have seen this for the first time

We see CAA crop up here occasionally, the default response we get when we point out that they’ve restricted certificate issuance for their entire domain is usually :man_facepalming:t2:

1 Like


This is interesting! ! need to check, I don’t know if we can lock certificate issuance on complete domain.
The restricted certificate issuance for entire domain, meaning all sub domains of it ?

If you set a CAA for @ (the domain) then that applies to both the top-level domain and subdomains, you can still add a specific CAA to subdomain.yourdomain.com for a service such as Let’s Encrypt which will restrict the scope for which LE can issue a certificate.


domain.com.    CAA   0 issue "comodoca.com"
sub.domain.dom.    CAA   0  issue "letsencrypt.org"

You can also specify issuewild instead of issue to permit a CA to issue a wildcard certificate, and iodef to associate an email address which will be notified of policy violations.

1 Like

Same problem here. The commands did not resolve the issue. I have changed to cloudflare DNS and proxy. The problem persists for me.

I have done this several times and not experienced this. But I am definitly a non-coder, non-expert, non-everything-related. Just a happy end-user. But this is frustrating.

1 Like

My best guess is that you had cloudflare set to proxy and rebuilt enough times to hit let’s encrypt rate limits and now you have to wait a week to get a certificate.

The fast and simple solution is to choose a new subdomain, set cloudflare DNS only, and rebuild. If that works, then I’m right about the rate limiting and you can either learn to love the new subdomain or wait a week until it’ll let you try again.


Honest question: Is rebuilding still requesting a new certificate every time?


I was just wondering about the same thing, I’m not sure about the request, but no new certificate seems to be issued if one is found valid (just rebuilt a sandbox)


It does if a valid cert doesn’t exist.