Problema al instalar SSL de Let's Encrypt para www y no-www

Gulshan_Kumar · 26 Mayo, 2018 18:37

TLDR: Solo una versión funciona con SSL, ya sea www o sin www, igual que el nombre de host proporcionado durante la instalación.

Esto está relacionado con la instalación de SSL de Let’s Encrypt, como se describe en la documentación.

Por lo tanto, después de iniciar la configuración, se solicitó ingresar:

Nombre de host para tu Discourse? [discourse.example.com]:

Así que escribí example.app.

A continuación, después de instalar Discourse, me encuentro con un problema: SSL no funciona para la versión www.
Para la versión sin www, funciona correctamente.

Idealmente, me gustaría tener SSL tanto para la versión www como para la versión sin www.

Esta vez repetí todo el proceso con el nombre de host www.example.com, y ahora SSL no funciona para la versión sin www.

¿Qué estoy omitiendo?

itsbhanusharma · 26 Mayo, 2018 18:55

An easy solution without much messing with the core will be to run discourse behind an nginx reverse proxy and configuring ssl from there.

Other way (I’m not very sure of it) may be to add a letsencrypt command to the ‘after commands’ in app.yml.

Gulshan_Kumar · 26 Mayo, 2018 19:10

My problem is similar to SSL working on root, but not on www
I am not getting whole point. In my case, DNS record is also fine. I followed the step by step instruction, I believe it should work, but it’s not working.

itsbhanusharma · 26 Mayo, 2018 23:28

Your topic & the topic you mentioned seem unrelated as discourse generates a valid certificate for the hostname you specify during install, in the other topic, when they install on www, their cert reports as invalid. I don’t think discourse supports multiple domains for standalone install natively.

PoojaPatel · 7 Julio, 2018 07:31

Is there any solution for above problem?

Currently i have installed discourse on “example.com”. I have installed lets encrypt on example.com but did not work with www version.

I want to run discourse site as https://www.example.com

How can i do that?

Gulshan_Kumar · 7 Julio, 2018 08:25

@PoojaPatel
Assuming, www is your canonical version for Discourse. But you installed Let’s Encrypt only for apex domain.

Here’s fix…

Re-install Discourse
Install SSL for your www because that is your canonical
Restore Discourse backup
Setup Cloudflare
Go to DNS
Enable its DNS only for www CNAME or A record.
However must enable its DNS as well proxy for apex domain
Choose Flexible SSL
Force HTTPS

EXPECTED: HTTPS version should work fine for redirecting users from non-www to www version. Once I fixed SSL error this problem using this method.

Short version without re-installing SSL at www as per your canonical URL, That I cannot recommend.
(Setup Cloudflare proxy completely over www and non-www)

itsbhanusharma · 7 Julio, 2018 09:11

An easier solution is to run discourse behind a reverse proxy like nginx and setting up the SSL and appropriate redirects from there as enabling cloudflare for discourse brings in a whole lot of problems on it’s own.

PoojaPatel · 7 Julio, 2018 15:42

When I re-install discourse, is my website hostname as www.example.com?

I have installed discourse One-Click Application from DO. Which method are you recommend, One click or Linux command?

Install SSL for your www because that is your canonical

When i installing SSL from below method, I have not entered my domain details, so where i have to add www version of my website address?

However must enable its DNS as well proxy for apex domain

Pls, can you let me more, how to do above step?

Force HTTPS - which option i have to select because there are three option related to https?

Always use HTTPS
HTTP Strict Transport Security (HSTS)
Automatic HTTPS Rewrites

brahn · 8 Julio, 2018 05:37

This is how the Let’s encrypt template requests the certificate:

github.com/discourse/discourse_docker

templates/web.letsencrypt.ssl.template.yml

master


      
                  }
                }
              }
          
          - file:
             path: /etc/runit/1.d/letsencrypt
             chmod: "+x"
             contents: |
              #!/bin/bash
              /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
          
              issue_cert() {
                LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue $2 -d $$ENV_DISCOURSE_HOSTNAME --keylength $1 -w /var/www/discourse/public
              }
          
              cert_exists() {
                [[ "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME$1 && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]]
              }
          
              ########################################################
              # RSA cert

Specifically --issue -d $$ENV_DISCOURSE_HOSTNAME meaning that it only issues a request for the hostname given to discourse. In order to get both www and non-www you need to adjust the template to issue more than one -d argument.

Something like as shown here:
(read the replies, some adjustments to the original topic are necessary but I am unable to edit it)

tomtjes · 25 Mayo, 2019 20:24

Similar situation here. I installed Discourse on example.com and had a CNAME DNS record for www.example.com.

Now I went to https://check-your-website.server-daten.de and got a bad rating, because the SSL certificate was not valid for www.example.com and also http://www.example.com was forwarding to https://example.com.

Steps I took:

Replace CNAME record for www.example.com by A and AAAA records.

Add www.example.com as an additional domain to app.yml following
Redirect additional domain(s) to your Discourse instance

  after_web_config:
  - replace:
      filename: /etc/nginx/nginx.conf
      from: /sendfile.+on;/
      to: |
        server_names_hash_bucket_size 64;
        sendfile on;
  - file:
      path: /etc/nginx/conf.d/discourse_redirect_1.conf
      contents: |
        server {
          listen 80;
          server_name www.example.com;
          return 301 $scheme://example.com$request_uri;
        }

Adjust SSL following Set up Let’s Encrypt with multiple domains / redirects

after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 -w \/var\/www\/discourse\/public/
      to: |
        -d www.example.com -d example.com -k 4096 -w /var/www/discourse/public

  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 --force -w \/var\/www\/discourse\/public/
      to: |
        -d www.example.com -d example.com -k 4096 --force -w /var/www/discourse/public
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /return 301 https.+/
      to: |
        return 301 https://$host$request_uri;
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /gzip on;[^\}]+\}/m
      to: |
        gzip on;
        add_header Strict-Transport-Security 'max-age=31536000';

./launcher rebuild app

Now, the rating for the site has improved, but one issue remains:

Wrong redirect http ⇒ http

Somewhere there’s 301 redirect
http://www.example.com ⇒ http://example.com.
I guess it should be
http://www.example.com ⇒ https://www.example.com ⇒ https://example.com

Any idea how to achieve this?

Brandon_Martus · 3 Diciembre, 2019 19:00

FYI, for anybody referencing this post, the /etc/runit/1.d/letsencrypt file changed a little over a month ago and the replace regex in these for www and non-www won’t work anymore.

See this post, for updated info: Setting up Let’s Encrypt with Multiple Domains

Tema		Respuestas	Vistas
LetsEncrypt working without www, not with www Support	12	1873	18 Febrero 2020
SSL working on root, but not on www Support	29	4297	30 Diciembre 2021
SSL is not valid for www.domain.com Self-hosting	22	307	15 Enero 2025
Setup Let’s Encrypt + non-www > www Sysadmins how-to , domains	5	3355	23 Febrero 2025
Non www to www without certificate error Self-hosting	14	1875	16 Febrero 2022

Problema al instalar SSL de Let's Encrypt para www y no-www

Temas relacionados