I need help with SSL


#1

I am trying to set up a Discourse, but I am stuck on implementing SSL. The Discourse is up and running, and ready in every respect except SSL. I even had a few friends “beta test” it. This is the first time I’ve set up a server of any kind and I have no idea what I’m doing. The instructions for setting up a Discourse were simple enough that I could do them. That was kind of amazing. But the instructions for SSL leave more up to the user. For example, they just say:

Get a signed cert and key and place them in the /var/discourse/shared/standalone/ssl/ folder

I don’t have the first idea of how to place something in a folder, and I don’t even know what to Google. That’s just one step, but it’s like that for the whole series of instructions.


(omfg) #2

In your case the real problem is that you don’t know what you don’t know.
Even if you accomplish what you want, you will likely not know what you should do and haven’t and also won’t know how to maintain the system.

I recommend that you use a paid hosted version or pay someone to do this for you.

Disclaimer: I’m not associated with Discourse and do not provide these services.


(Lee_Ars) #3

The short version is that you need to get an SSL/TLS certificate and key. Here’s how.

The longer version is that SSL/TLS communication between a client (a web browser) and a server (the web server) requires both sides to establish an encrypted connection, and a properly encrypted connection requires the server to be able to prove its identity. After all, an encrypted connection between you and Bob’s web site is significantly less valuable if you can’t be reasonably certain you’re actually talking to Bob’s web site—I could be pretending to be Bob’s web site, and you could be spilling your secrets to me. Or to anyone.

So servers have cryptographic certificates to prove they are who they say they are. These certificates are issued by “certificate authorities,” which are entities (usually companies) that the world collectively has decided are trustworthy and can vouch for the identities of the people and organizations that request certificates from them. Which when you think about it sounds insane—and it is, because ultimately the entire SSL/TLS system is based on trust and it’s a giant house of rotten cards and it’s one of those things where the more you know about it, the less you sleep at night because you realize it’s so fragile that a stiff breeze could destroy the entire thing but ha ha it underpins the global economy so that’s exciting.

Anyway, to offer SSL/TLS on your web site, you need to get an SSL/TLS certificate and its accompanying public/private keypair. To do this, you need to request a certificate from a certificate authority, which will involve you doing some amount of identity validation (some of them will want you to scan and send them a copy of your driver’s license and a recent utility or phone bill, for example). Most will charge you anywhere from a ridiculous to a hilariously ridiculous amount of money, but there are a few that will issue certificates to individuals for low or no cost. My personal recommendation is StartSSL, which I use for SSL on all my sites. They’re free.

Ars Technica ran a good guide several years ago on how to get an SSL/TLS cert from StartSSL, and everything in it is still valid. That’s a good place to start.
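
Added example, not part of the original post: a shell script for the step quoted in post #1, placing the certificate and key in /var/discourse/shared/standalone/ssl/. It goes slightly beyond that step by first checking that the private key belongs to the certificate and that the certificate has not expired. The file names ssl.crt and ssl.key and the function names are assumptions; the directory comes from the thread.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair, then install it for Discourse.
# Assumptions: target file names ssl.crt / ssl.key; helper names are illustrative.
SSL_DIR="${SSL_DIR:-/var/discourse/shared/standalone/ssl}"

# Print the PEM public key contained in a certificate or a private key.
pubkey_of() {  # $1 = "cert" or "key", $2 = file
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# Return 0 only if the private key matches the certificate's public key.
# Returns 2 if either file cannot be parsed, 1 on a mismatch.
check_pair() {  # $1 = certificate, $2 = private key
    cert_pub=$(pubkey_of cert "$1") || return 2
    key_pub=$(pubkey_of key "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy a verified pair into SSL_DIR with a private key only its owner can read.
install_pair() {  # $1 = certificate, $2 = private key
    check_pair "$1" "$2" || {
        echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2; return 1; }
    mkdir -p "$SSL_DIR" || return 1
    # umask keeps the key from being world-readable even briefly during the copy.
    ( umask 077
      cp "$2" "$SSL_DIR/ssl.key" && cp "$1" "$SSL_DIR/ssl.crt" ) || return 1
    chmod 600 "$SSL_DIR/ssl.key" && chmod 644 "$SSL_DIR/ssl.crt"
}

# Usage: sh install-cert.sh /path/to/cert.pem /path/to/key.pem
if [ "$#" -eq 2 ]; then
    install_pair "$1" "$2"
fi
```

Run it as root on the Docker host, since /var/discourse is normally owned by root.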


#4

I’m just trying to set up a small hobby forum. $100/month is way more than I could ever spend.


(omfg) #5

A friend who knows about Linux could set it up for you for much less (one-time fee).


#6

@Lee_Ars, thank you so much!


#7

I finally implemented SSL! Yahooooo! :tangerine:

For any other noobs out there struggling with SSL, I recommend this guide: Running Discourse over HTTPS – Leland Fiegel

P.S. Here’s the site, with SSL working: expandinguniverse.net