My website has been running for a long time now, and suddenly today, after checking the traffic analytics, I noticed that it’s been down for the whole day. I tried getting into the website and I get this error:
"Your connection is not private
Attackers might be trying to steal your information from mydomain.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID"
HSTS can be enabled by the origin server; it doesn’t have to be enabled by Cloudflare. If you ticked “force https” in your Discourse site’s settings, then that’ll do it.
If your site is being proxied by Cloudflare, then it’s a problem at their end, and not something wrong with Discourse. Otherwise, check the certificate you’ve configured Discourse to use, and ensure that it matches the name you’re using to access the site.
Yep, I’ve done that on the Discourse side loooong ago, and it’s been fine since then.
There is no way to contact Cloudflare, so is there a way I can “untick” the force https box from the server side (as I can’t access my admin panel now)? That way at least I won’t be harmed that much.
Yes, but it won’t do any good, as any previous visitor to the site will have remembered that HTTPS is supposed to be enabled, and will fail to connect (as shown in the error you originally pasted).
Define “shared one”.
You’re really not helping us help you here. Please describe your exact setup, including the actual domain name at issue, where you got the certificate from and when, all the servers and proxies in your chain, and so on. Then we might have a hope of spotting what’s gone wrong. At the moment, it’s an endless game of psychic debugging, which is clearly not working.
If you shared your site name then people could look at your certificate and have more information to help you like whether DNS changes have propagated.
My best guess is that whatever certificate you got is expired. Can you say how or where you got it? The instructions you linked to don’t describe how to get a certificate.
The simplest solution would be to turn off Cloudflare and rebuild your site with Let’s Encrypt.
You can turn off force_https like this:
cd /var/discourse
./launcher enter app
rails c
SiteSetting.force_https=false
exit
exit
But most browsers (like yours) will remember that the site is supposed to be https and will try very hard not to connect. Or, more elegantly:
That’s a separate error message to “common name invalid”.
Even better, stopbyte.com isn’t emitting that error any more, it’s not saying the cert isn’t trusted, because it’s now presenting the Cloudflare special “Origin Certificate”, which is only trusted by Cloudflare. Put back the certificate you had before, and see what happens.
HSTS specifically takes longer because the browser has retained the instruction. For example on Chrome you can visit chrome://net-internals/#hsts and remove a domain, which will immediately bypass the old HSTS instruction.
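An added example, not part of any post in this thread: a small Python model of how a browser keeps an HSTS policy (RFC 6797), showing why switching off force_https on the server does not release earlier visitors, and that only a `max-age=0` header received over a valid HTTPS connection does. The host names, header value and timestamps are constructed, and the function names are hypothetical.

```python
from typing import Optional, Tuple

def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None          # a repeated directive invalidates the header
        seen.add(name)
        value = value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def observe(store: dict, host: str, header: Optional[str], now: int, valid_https: bool) -> None:
    """Update a browser-like store {host: (expiry, include_subdomains)} from one response."""
    if not valid_https or header is None:
        return                   # plain HTTP or a certificate error: stored policy is untouched
    policy = parse_hsts(header)
    if policy is None:
        return
    max_age, include_sub = policy
    if max_age == 0:
        store.pop(host.lower(), None)   # max-age=0 tells the browser to forget the host
    else:
        store[host.lower()] = (now + max_age, include_sub)

def is_pinned(store: dict, host: str, now: int) -> bool:
    """True if the browser would still force HTTPS for host at time `now`."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        # an exact match always applies; a parent domain only with includeSubDomains
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

if __name__ == "__main__":
    store = {}                   # constructed scenario: one visit while HTTPS still worked
    observe(store, "forum.example.com", "max-age=31536000; includeSubDomains", 0, True)
    observe(store, "forum.example.com", None, 3600, False)   # force_https off, cert broken
    print(is_pinned(store, "forum.example.com", 3600))
```
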
Are you referring to the default shared SSL that Cloudflare implements? If not, what’s the source?
In your app.yml, did you enable support for Let’s Encrypt by uncommenting the entries for web.template.ssl and web.letsencrypt.ssl.template? They’re all you need for HTTPS at the server end. Once they’re working you can safely enable strict HTTPS at Cloudflare.
Phew. Thanks a lot, this was really a terribly long day.
That solved my problem. I think the issue has been that there were tons of tutorials on this website on setting the SSL correctly, and I guess I mixed them up.
It will be helpful having one unique simple tutorial (as you put it on your post) on doing this, and taking down the others.