Generating LetsEncrypt keys from behind nginx

I followed this excellent guide for running Discourse behind nginx: Running other websites on the same machine as Discourse

It worked great. Unfortunately the SSL certificate (via LetsEncrypt) expired after 90 days, and I’m having trouble regenerating it. I tried deleting these two files:

/var/discourse/shared/standalone/ssl/forum.mysite.com.cer
/var/discourse/shared/standalone/ssl/forum.mysite.com.key

but now sudo nginx -t complains that they don’t exist, and I wasn’t sure how to regenerate them.

launcher rebuild app didn’t fix it at first. But I tried re-enabling these two entries in app.yml:

- "templates/web.ssl.template.yml"
- "templates/web.letsencrypt.ssl.template.yml"

and running ./launcher rebuild app did regenerate these files. Unfortunately, one of them is 0 bytes long:

$ ls -l /var/discourse/shared/standalone/ssl/
-rw-r--r-- 1 root root  424 Aug 28 21:09 dhparams.pem
-rw-r--r-- 1 root root    0 Aug 28 21:42 forum.mysite.com.cer
-rw------- 1 root root 3243 Aug 28 21:42 forum.mysite.com.key

which nginx is not happy with:

$ sudo nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/var/discourse/shared/standalone/ssl/forum.mysite.com.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
nginx: configuration file /etc/nginx/nginx.conf test failed

Our site is down, so if there’s a quick fix to properly regenerate these certificate files, I’d like to hear it. In the long run, is there a better way to set up SSL than what I have here? Should I be using LetsEncrypt on the nginx layer rather than from within Discourse?

Thank you!

Yes. In general, only the outermost layer of your machine needs to deal with SSL.

Thanks for the advice! I solved this by:

  • going to the nginx configuration file and removing the entire server { listen 443 ... } block I had gotten from the above guide
  • running sudo certbot and enabling LetsEncrypt for the site.

I had tried this before, but gave up on it because certbot was giving me an error. Turns out this was because I was running an old version of certbot. Upgrading it with sudo apt update; sudo apt upgrade fixed the issue.

So in short, the advice at the above link is incorrect. Just take the port 80 block in /etc/nginx/sites-available/discourse.conf, and let certbot handle the SSL stuff.
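The 0-byte .cer file above only surfaced when `nginx -t` refused to load it. The following POSIX shell check, added here as an example and not part of the thread or of Discourse, catches that failure mode (and an expired or soon-to-expire certificate) before nginx is asked to reload. It assumes `openssl` is on PATH for the parse and expiry checks; without it, only the non-empty and PEM-header checks run. The cert path in the usage line is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PEM certificate file
# before reloading nginx, so an empty, truncated or expired .cer is caught
# ahead of `nginx -t`. Requires openssl for the parse/expiry checks.

# check_pem_cert FILE
# Exit status: 0 = usable certificate
#              1 = file missing or empty (the "no start line" case above)
#              2 = no PEM certificate header
#              3 = openssl cannot parse it
#              4 = already expired
check_pem_cert() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty (nginx would report 'no start line')" >&2
        return 1
    fi
    # '--' stops grep from reading the leading dashes as an option
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "FAIL: $f has no PEM certificate header" >&2
        return 2
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "OK: $f looks like PEM (openssl not installed, expiry not checked)"
        return 0
    fi
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        echo "FAIL: openssl cannot parse $f" >&2
        return 3
    fi
    # -checkend N exits non-zero if the cert expires within N seconds;
    # N=0 therefore means "already expired"
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $f has expired ($(openssl x509 -in "$f" -noout -enddate))" >&2
        return 4
    fi
    # LetsEncrypt certs last 90 days; warn when under 30 days remain,
    # which is when certbot's own renewal would normally kick in
    if ! openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: $f expires within 30 days ($(openssl x509 -in "$f" -noout -enddate))" >&2
    fi
    echo "OK: $f ($(openssl x509 -in "$f" -noout -enddate))"
    return 0
}

# Usage: sh check_cert.sh /var/discourse/shared/standalone/ssl/forum.mysite.com.cer
if [ -n "$1" ]; then
    check_pem_cert "$1"
fi
```

Run it against the .cer path nginx is configured with (or the path under /etc/letsencrypt/live/ once certbot manages the certificate) and only reload nginx when it exits 0.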