HTTPS with Let's Encrypt behind a VPN?

Hi everyone,

Here is my situation. I have a discourse setup that is only privately accessible via my University’s VPN. I wanted to know if HTTPS with Let’s Encrypt is going to work, or do I have to go about it a different way. I tried following the ./discourse-setup install method and entered an email to use for Let’s Encrypt, but the cert files weren’t created properly:

# ls -l /var/discourse/shared/standalone/ssl
total 4
-rw-r--r-- 1 root root    0 Mar 26 17:23 perform-disco.concordia.ca.cer
-rw------- 1 root root 3247 Mar 26 17:23 perform-disco.concordia.ca.key

If i look at ./launcher logs app i see:

nginx: [emerg] PEM_read_bio_X509_AUX("/shared/ssl/perform-disco.concordia.ca.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

Any help would be greatly appreciated!
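Added example (not code from the thread or from Discourse): a standard-library Python checker that reproduces the failure classes behind the nginx error above. A 0-byte .cer file is exactly what makes OpenSSL report "no start line", so validating the cert and key files before restarting the container catches it early. The sample PEM blocks at the bottom are constructed and are not real certificates.

```python
"""Sanity-check a PEM file before handing it to nginx (standard library only)."""
import base64
import binascii
import re
from pathlib import Path

# One PEM block: header, base64 body, matching footer.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_length_ok(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                    # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                    # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_bytes(data: bytes, expected: str = "CERTIFICATE"):
    """Classify PEM contents; returns (ok, reason)."""
    if not data:                        # a 0-byte .cer lands here
        return False, "empty file"
    blocks = _PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:                      # what OpenSSL reports as "no start line"
        return False, "no start line (no -----BEGIN ...----- header)"
    labels = [label for label, _ in blocks]
    if expected not in labels:
        return False, f"no {expected} block, found {labels}"
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            return False, f"{label}: body is not valid base64"
        if not _der_length_ok(der):
            return False, f"{label}: body is not one complete DER object"
    return True, f"{len(blocks)} PEM block(s): {labels}"

def check_pem_file(path, expected: str = "CERTIFICATE"):
    p = Path(path)                      # e.g. shared/standalone/ssl/<host>.cer
    return check_pem_bytes(p.read_bytes(), expected) if p.is_file() else (False, "file missing")

# Constructed samples (not real certificates); DER body is SEQUENCE { INTEGER 5 }.
SAMPLE_EMPTY = b""
SAMPLE_WELLFORMED = (b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
                     b"-----END CERTIFICATE-----\n")
```

Run `check_pem_file` on the .cer with the default label and on the .key with `expected="PRIVATE KEY"` (or `"RSA PRIVATE KEY"` for older key files) before restarting the container.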

If your server isn’t publicly accessible then Let’s Encrypt can’t verify that the DNS name resolves. If it were possible for servers to get Let’s Encrypt certificates without first verifying this, then all kinds of mischief would be possible.

Even if you can bodge this to temporarily get access and issue a certificate, it will fail for renewals.

VPN can’t help you here.

You’re going to need to either:

  • ask your university if they operate a Certificate Authority and can issue the server a certificate
  • buy a certificate (if you have the right to do so for the DNS name)
  • operate without SSL
3 Likes

Hi Stephen,

Thanks, I was thinking that was the case. I just didn’t know if I could open up access to Let’s Encrypt on a certain port while keeping the rest private, which is why I was asking.

Is the Discourse server address valid externally? Is it published on a public IP?

If you can make changes to their network to allow ports to reach your server, then yes.

You can’t achieve the same result with a VPN though, which was your question above.

1 Like

Apparently Let’s Encrypt doesn’t publish the IP ranges that they do their validations from, so we would basically have to open the server to the internet, which isn’t a possibility.

I guess I need to buy a cert, and then follow this? Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup

Why do you need a certificate?

Lots of the reasons to use certificates beyond security are diminished when said server is on a private network.

1 Like

Hi @Stephen

We are using LDAP authentication for the discourse. If credentials are stolen then someone could access everything else relating to the student at the University.

Would you know if I follow these instructions: Generating a Certificate Signing Request (CSR) in Ubuntu 16.04 | Liquid Web that it will work with discourse? I’ve set up HTTPS before, but never with a docker app, so I’m not sure if I need to do something different.

I hate that. Being able to have a computer with a public IP is critical for your education. That’s how a pretty big search engine company was able to do some initial work. Students really need to be able to learn to develop web applications. But I guess I’ll go back to trying to get those kids off my lawn.

That should work in general. You’d use those instructions to generate a key (but it’ll be self-signed, right? so I don’t think it’d work with your LDAP server) and then use the “advanced ssl setup” to add the keys to Discourse.

1 Like

As you’re at a university you should just be able to use SAML 2.0.

Talk to your University IT, they should already have an approach for this.

1 Like

The students all have computers with public IPs, so they will be busy and not hanging around on your lawn! They can do whatever they want with their machines.

The server that hosts the discourse will be used for research discussions with sensitive information on it.

1 Like

Oh. Hooray. (Then it was just the last university where I worked, and, I don’t work there anymore for some reasons.)

Aha. If this is an Approved Project, it’s likely that your tech folks do have a cert that they can give you. Have you asked them? It might take a few tries to find the person who can do that, but I’d think that whoever you interface with on LDAP would know who that person is.

1 Like

I’m still befuddled by all this talk about LDAP, it was universities who drove the uptake of SAML through shibboleth. This is why that whole toolset exists.

I’m the sysadmin of the server, so i created the CSR, and I will get a certificate signed in a few hours.

@Stephen To be honest, this is the first time I’ve heard of SAML. Everyone else here uses LDAP, so that is why I installed the plugin: https://github.com/jonmbake/discourse-ldap-auth , which I got to work already. Single sign-on is working on our workstations, so switching to SAML makes sense; I’m going to see if it’s supported elsewhere at my University.

Awesome!

If everyone uses LDAP, and it’s working, then you’ve made the right decision.

Oh, the downside is that it’s not SSO so they’ll have an extra click to log in? It’d be a huge waste of time to figure out another way to get people to log in. There is a very good chance that if I were in your position I’d spend the 20 hours it might take to save those folks those clicks. :wink:

1 Like

Okay, I got it to work! I just had to comment out the Let’s Encrypt lines that I had added before in my app.yml

Thanks @Stephen and @pfaffman

1 Like

Awesome! So glad you got it figured out.