So I've finally found time to work through the "Setting up Let's Encrypt with Multiple Domains" and "Redirect single/multiple domain(s) to your Discourse instance" guides.
I've added a lot more to my containers/app.yml file than you did and nearly everything works correctly.
My Discourse is hosted on the www. subdomain and my goal was to redirect http and https requests from the apex domain to the www subdomain. This now works, but if I go to https://mydomain.com, it does redirect but Chrome shows the following warning in the console:
Redirecting navigation example.com -> www.example.com because the server presented a certificate valid for www.example.com but not for example.com. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
Here's my app.yml additions:
after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /--keylength/
      to: "-d example.com -d www.example.com --keylength"
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /return 301 https.+/
      to: |
        return 301 https://$host$request_uri;
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /gzip on;[^\}]+\}/m
      to: |
        gzip on;
        add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain
after_web_config:
  - replace:
      filename: /etc/nginx/nginx.conf
      from: /sendfile.+on;/
      to: |
        server_names_hash_bucket_size 64;
        sendfile on;
  - file:
      path: /etc/nginx/conf.d/discourse_redirect_1.conf
      contents: |
        server {
          listen 80;
          listen 443 ssl;
          server_name example.com;
          return 301 https://www.example.com$request_uri;
        }
Does this look correct? If so, is there a solution to the certificate name mismatch problem?
EDIT: I have two A records, one for the www subdomain and another using @ to catch all requests to the apex domain. Both point to my DigitalOcean droplet IP. I assume this is also correct?
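The warning quoted in the post above means the certificate served on port 443 does not list the apex name among its subjectAltName entries. As an added example (not part of the original posts), this Python check reports which served host names a certificate fails to cover, using constructed data in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the `SERVED` list, the sample certificates and the function names are assumptions.

```python
# Added example; host names and certificate data are constructed for illustration.

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one label: *.example.com matches
    # www.example.com, but not example.com and not a.b.example.com.
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]

def sans_from_peercert(cert: dict) -> list:
    """Pull DNS names out of the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered(served_names, cert_sans):
    """Return the served host names that no SAN entry covers."""
    return [n for n in served_names
            if not any(san_matches(s, n) for s in cert_sans)]

# Assumption: every name that has a `listen 443 ssl` server block.
SERVED = ["example.com", "www.example.com"]

# Constructed certificates in getpeercert() form.
CERT_WWW_ONLY = {"subjectAltName": (("DNS", "www.example.com"),)}
CERT_BOTH = {"subjectAltName": (("DNS", "example.com"),
                                ("DNS", "www.example.com"))}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for label, cert in [("www only", CERT_WWW_ONLY),
                        ("apex + www", CERT_BOTH),
                        ("wildcard", CERT_WILDCARD)]:
        missing = uncovered(SERVED, sans_from_peercert(cert))
        status = "OK" if not missing else "not covered: " + ", ".join(missing)
        print(f"{label:12} -> {status}")
```

A wildcard `*.example.com` certificate still leaves the apex uncovered, so the apex has to appear as its own SAN entry.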
Thanks, I am not currently using Cloudflare so hadn't come across those before. I went a different route and followed the guides above and mostly managed to solve my problem. You posted just as I submitted my reply above.
Please check this website; does it have all the redirects you need? It's done with only one replace block (see above) and this DNS setup (I've only redacted the email TXT records):
A change on September 9th last year broke the approach you're following, and because the implementation falls outside of the standard install it wasn't until October 31st that a solution was published. If you look at the topic you followed and the edit history on the wiki, it's clearly documented.
As you're not doing something which necessitates getting elbow-deep in additional configuration, I would advise against it. OTOH when Let's Encrypt does change and you're affected, we can refer you back to this topic.