Here is my situation. I have a Discourse setup that is only privately accessible via my University’s VPN. I wanted to know if HTTPS with Let’s Encrypt is going to work, or do I have to go about it a different way. I tried following the ./discourse-setup install method and entered an email to use for Let’s Encrypt, but the cert files weren’t created properly:
# ls -l /var/discourse/shared/standalone/ssl
total 4
-rw-r--r-- 1 root root 0 Mar 26 17:23 perform-disco.concordia.ca.cer
-rw------- 1 root root 3247 Mar 26 17:23 perform-disco.concordia.ca.key
If your server isn’t publicly accessible then Let’s Encrypt can’t verify that the DNS name resolves. If it were possible for servers to get Let’s Encrypt certificates without first verifying this, then all kinds of mischief would be possible.
Even if you can bodge this to temporarily get access and issue a certificate, it will fail for renewals.
VPN can’t help you here.
You’re going to need to either:
ask your university if they operate a Certificate Authority and can issue the server a certificate
buy a certificate (if you have the right to do so for the DNS name)
Thanks, I was thinking that was the case, I just didn’t know if I could open up access to Let’s Encrypt on a certain port while keeping the rest private, which is why I was asking.
Apparently Let’s Encrypt doesn’t publish the IP ranges that they do their validations from, so we would basically have to open the server to the internet, which isn’t a possibility.
We are using LDAP authentication for the discourse. If credentials are stolen then someone could access everything else relating to the student at the University.
I hate that. Being able to have a computer with a public IP is critical for your education. That’s how a pretty big search engine company was able to do some initial work. Students really need to be able to learn to develop web applications. But I guess I’ll go back to trying to get those kids off my lawn.
That should work in general. You’d use those instructions to generate a key (but it’ll be self-signed, right? so I don’t think it’d work with your LDAP server) and then use the “advanced ssl setup” to add the keys to Discourse.
The students all have computers with public IPs, so they will be busy and not hanging around on your lawn! They can do whatever they want with their machines.
The server that hosts the discourse will be used for research discussions with sensitive information on it.
Oh. Hooray. (Then it was just the last university where I worked, and, I don’t work there anymore for some reasons.)
Aha. If this is an Approved Project, it’s likely that your tech folks do have a cert that they can give you. Have you asked them? It might take a few tries to find the person who can do that, but I’d think that whoever you interface with on LDAP would know who that person is.
I’m still befuddled by all this talk about LDAP, it was universities who drove the uptake of SAML through shibboleth. This is why that whole toolset exists.
I’m the sysadmin of the server, so I created the CSR, and I will get a certificate signed in a few hours.
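The two pieces of the "get a certificate from your own CA and use the advanced SSL setup" route in this thread are generating a CSR and then checking that the signed certificate actually belongs to the key before handing the pair to Discourse (the first post's zero-byte .cer file is exactly the kind of problem that check catches). This is an added example and not from the thread or the Discourse project; it assumes openssl is installed (1.1.1 or newer for -addext), and the hostname and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Discourse). Assumes openssl >= 1.1.1.

# make_csr DIR HOSTNAME
#   Generates a 2048-bit RSA key and a CSR with a subjectAltName for HOSTNAME,
#   ready to hand to an internal/university CA. The key is created mode 600.
make_csr() {
  dir=$1; host=$2
  mkdir -p "$dir" || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/$host.key"
}

# check_pair CERTFILE KEYFILE
#   Verifies, in order, that the certificate file is non-empty, parses as X.509,
#   carries the same public key as KEYFILE, and has not expired. Prints the
#   first problem found and returns a distinct non-zero code for each.
check_pair() {
  cert=$1; key=$2
  [ -s "$cert" ] || { echo "certificate file is empty or missing: $cert"; return 1; }
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "certificate does not parse as X.509: $cert"; return 2; }
  # Compare public keys rather than RSA moduli so the check also works for EC keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate"; return 3; }
  # -checkend 0 fails if the certificate is already past notAfter.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has expired: $cert"; return 4; }
  echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}
```

Run `make_csr /var/discourse/shared/standalone/ssl forum.example.edu` (placeholder path and name), send the .csr to the CA, save the returned certificate next to the key, and run `check_pair` on the two files before pointing the container's SSL template at them; a non-zero return tells you which step went wrong.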
@Stephen To be honest, this is the first time I’ve heard of SAML. Everyone else here uses LDAP, so that is why I installed the plugin: https://github.com/jonmbake/discourse-ldap-auth , which I got to work already. Single sign-on is working on our workstations, so switching to SAML makes sense; I’m going to see if it’s supported elsewhere at my University.
If everyone uses LDAP, and it’s working, then you’ve made the right decision.
Oh, the downside is that it’s not SSO, so they’ll have an extra click to log in? It’d be a huge waste of time to figure out another way to get people to log in. There is a very good chance that if I were in your position I’d spend the 20 hours it might take to save those folks those clicks.