Regenerating LetsEncrypt keys from behind nginx

I followed this excellent guide for running Discourse behind nginx: Running other websites on the same machine as Discourse

It worked great. Unfortunately the SSL certificate (via LetsEncrypt) expired after 90 days, and I’m having trouble regenerating it. I tried deleting these two files:


but now sudo nginx -t complains that they don’t exist, and I wasn’t sure how to regenerate them.

launcher rebuild app didn’t fix it at first. But I tried re-enabling these two entries in app.yml:

- "templates/web.ssl.template.yml"
- "templates/web.letsencrypt.ssl.template.yml"

and running ./launcher rebuild app did regenerate these files. Unfortunately, one of them is 0 bytes long:

$ ls -l /var/discourse/shared/standalone/ssl/
-rw-r--r-- 1 root root  424 Aug 28 21:09 dhparams.pem
-rw-r--r-- 1 root root    0 Aug 28 21:42
-rw------- 1 root root 3243 Aug 28 21:42

which nginx is not happy with:

$ sudo nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/var/discourse/shared/standalone/ssl/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
nginx: configuration file /etc/nginx/nginx.conf test failed

Our site is down, so if there’s a quick fix to properly regenerate these certificate files, I’d like to hear it. In the long run, is there a better way to set up SSL than what I have here? Should I be using LetsEncrypt on the nginx layer rather than from within Discourse?

Thank you!

Yes. In general, only the outermost layer of your machine needs to deal with SSL.


Thanks for the advice! I solved this by:

  • going to the nginx configuration file and removing the entire server { listen 443 ... } block I had gotten from the above guide
  • running sudo certbot and enabling LetsEncrypt for the site.

I had tried this before, but gave up on it because certbot was giving me an error. Turns out this was because I was running an old version of certbot. Upgrading it with sudo apt update; sudo apt upgrade fixed the issue.

So in short, the advice at the above link is incorrect. Just take the port 80 block in /etc/nginx/sites-available/discourse.conf, and let certbot handle the SSL stuff.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.