Problem in installing Let's Encrypt SSL for www and non-www

Gulshan_Kumar · May 26, 2018, 6:37pm

TLDR: Only one version is working with SSL, either www or non-www, as same as hostname provided while installation.

It’s related to Let’s Encrypt SSL installation as written at Docs.

So, after launching setup it was asked to enter

Hostname for your Discourse? [discourse.example.com]:

So, I typed example.app

Next, after installing Discourse, I am facing one problem that SSL is not working for the www version.
For non-www, it’s works fine.

Ideally, I would like to have SSL for www and non-www version also.

I repeated entire process this time with www.example.com hostname, then SSL for non-www is not working.

What’s I am missing?

itsbhanusharma · May 26, 2018, 6:55pm

An easy solution without much messing with the core will be to run discourse behind an nginx reverse proxy and configuring ssl from there.

Other way (I’m not very sure of it) may be to add a letsencrypt command to the ‘after commands’ in app.yml.

Gulshan_Kumar · May 26, 2018, 7:10pm

My problem is similar to SSL working on root, but not on www
I am not getting whole point. In my case, DNS record is also fine. I followed the step by step instruction, I believe it should work, but it’s not working.

itsbhanusharma · May 26, 2018, 11:28pm

Your topic & the topic you mentioned seem unrelated as discourse generates a valid certificate for the hostname you specify during install, in the other topic, when they install on www, their cert reports as invalid. I don’t think discourse supports multiple domains for standalone install natively.

PoojaPatel · July 7, 2018, 7:31am

Is there any solution for above problem?

Currently i have installed discourse on “example.com”. I have installed lets encrypt on example.com but did not work with www version.

I want to run discourse site as https://www.example.com

How can i do that?

Gulshan_Kumar · July 7, 2018, 8:25am

@PoojaPatel
Assuming, www is your canonical version for Discourse. But you installed Let’s Encrypt only for apex domain.

Here’s fix…

Re-install Discourse
Install SSL for your www because that is your canonical
Restore Discourse backup
Setup Cloudflare
Go to DNS
Enable its DNS only for www CNAME or A record.
However must enable its DNS as well proxy for apex domain
Choose Flexible SSL
Force HTTPS

EXPECTED: HTTPS version should work fine for redirecting users from non-www to www version. Once I fixed SSL error this problem using this method.

Short version without re-installing SSL at www as per your canonical URL, That I cannot recommend.
(Setup Cloudflare proxy completely over www and non-www)

itsbhanusharma · July 7, 2018, 9:11am

An easier solution is to run discourse behind a reverse proxy like nginx and setting up the SSL and appropriate redirects from there as enabling cloudflare for discourse brings in a whole lot of problems on it’s own.

PoojaPatel · July 7, 2018, 3:42pm

When I re-install discourse, is my website hostname as www.example.com?

I have installed discourse One-Click Application from DO. Which method are you recommend, One click or Linux command?

Install SSL for your www because that is your canonical

When i installing SSL from below method, I have not entered my domain details, so where i have to add www version of my website address?

However must enable its DNS as well proxy for apex domain

Pls, can you let me more, how to do above step?

Force HTTPS - which option i have to select because there are three option related to https?

Always use HTTPS
HTTP Strict Transport Security (HSTS)
Automatic HTTPS Rewrites

brahn · July 8, 2018, 5:37am

This is how the Let’s encrypt template requests the certificate:

github.com

discourse/discourse_docker/blob/master/templates/web.letsencrypt.ssl.template.yml#L59


      
                  }
                }
              }
          
          - file:
             path: /etc/runit/1.d/letsencrypt
             chmod: "+x"
             contents: |
              #!/bin/bash
              /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
          
              issue_cert() {
                LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue $2 -d $$ENV_DISCOURSE_HOSTNAME --keylength $1 -w /var/www/discourse/public
              }
          
              cert_exists() {
                [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
              }
          
              ########################################################
              # RSA cert

Specifically --issue -d $$ENV_DISCOURSE_HOSTNAME meaning that it only issues a request for the hostname given to discourse. In order to get both www and non-www you need to adjust the template to issue more than one -d argument.

Something like as shown here:
(read the replies, some adjustments to the original topic are necessary but I am unable to edit it)

tomtjes · May 25, 2019, 8:24pm

Similar situation here. I installed Discourse on example.com and had a CNAME DNS record for www.example.com.

Now I went to https://check-your-website.server-daten.de and got a bad rating, because the SSL certificate was not valid for www.example.com and also http://www.example.com was forwarding to https://example.com.

Steps I took:

Replace CNAME record for www.example.com by A and AAAA records.

Add www.example.com as an additional domain to app.yml following
Redirect additional domain(s) to your Discourse instance

  after_web_config:
  - replace:
      filename: /etc/nginx/nginx.conf
      from: /sendfile.+on;/
      to: |
        server_names_hash_bucket_size 64;
        sendfile on;
  - file:
      path: /etc/nginx/conf.d/discourse_redirect_1.conf
      contents: |
        server {
          listen 80;
          server_name www.example.com;
          return 301 $scheme://example.com$request_uri;
        }

Adjust SSL following Set up Let’s Encrypt with multiple domains / redirects

after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 -w \/var\/www\/discourse\/public/
      to: |
        -d www.example.com -d example.com -k 4096 -w /var/www/discourse/public

  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 --force -w \/var\/www\/discourse\/public/
      to: |
        -d www.example.com -d example.com -k 4096 --force -w /var/www/discourse/public
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /return 301 https.+/
      to: |
        return 301 https://$host$request_uri;
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /gzip on;[^\}]+\}/m
      to: |
        gzip on;
        add_header Strict-Transport-Security 'max-age=31536000';

./launcher rebuild app

Now, the rating for the site has improved, but one issue remains:

Wrong redirect http ⇒ http

Somewhere there’s 301 redirect
http://www.example.com ⇒ http://example.com.
I guess it should be
http://www.example.com ⇒ https://www.example.com ⇒ https://example.com

Any idea how to achieve this?

Brandon_Martus · December 3, 2019, 7:00pm

FYI, for anybody referencing this post, the /etc/runit/1.d/letsencrypt file changed a little over a month ago and the replace regex in these for www and non-www won’t work anymore.

See this post, for updated info: Setting up Let’s Encrypt with Multiple Domains

Topic		Replies	Views
LetsEncrypt working without www, not with www Support	12	1704	February 18, 2020
Set up HTTPS support with Let's Encrypt Self-Hosting how-to , domains	2	107539	February 25, 2024
SSL working on root, but not on www Support	29	4108	December 30, 2021
Setup Let’s Encrypt + non-www > www Sysadmins how-to , domains	4	3189	June 20, 2021
Discourse + Let's Encrypt w/ multiple hostnames Support	9	1302	February 17, 2020

Problem in installing Let's Encrypt SSL for www and non-www

Related topics