I followed this excellent guide for running Discourse behind nginx: Running other websites on the same machine as Discourse
It worked great. Unfortunately the SSL certificate (via LetsEncrypt) expired after 90 days, and I’m having trouble regenerating it. I tried deleting these two files:
/var/discourse/shared/standalone/ssl/forum.mysite.com.cer
/var/discourse/shared/standalone/ssl/forum.mysite.com.key
but now sudo nginx -t complains that they don’t exist, and I wasn’t sure how to regenerate them. launcher rebuild app didn’t fix it at first. But I tried re-enabling these two entries in app.yml:
- "templates/web.ssl.template.yml"
- "templates/web.letsencrypt.ssl.template.yml"
and running ./launcher rebuild app did regenerate these files. Unfortunately, one of them is 0 bytes long:
$ ls -l /var/discourse/shared/standalone/ssl/
-rw-r--r-- 1 root root 424 Aug 28 21:09 dhparams.pem
-rw-r--r-- 1 root root 0 Aug 28 21:42 forum.mysite.com.cer
-rw------- 1 root root 3243 Aug 28 21:42 forum.mysite.com.key
which nginx is not happy with:
$ sudo nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/var/discourse/shared/standalone/ssl/forum.mysite.com.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE
nginx: configuration file /etc/nginx/nginx.conf test failed
Our site is down, so if there’s a quick fix to properly regenerate these certificate files, I’d like to hear it. In the long run, is there a better way to set up SSL than what I have here? Should I be using LetsEncrypt on the nginx layer rather than from within Discourse?
Thank you!
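
Added example, not part of the original post: a pre-flight check that catches the 0-byte certificate described above, as well as unparseable, soon-to-expire or mismatched files, before nginx -t is run. The function name check_cert_pair, its return codes and the 14-day default threshold are assumptions of this example; it uses only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: validate a certificate/key pair before the outer nginx is
# tested or reloaded. Function name, return codes and the 14-day default are
# choices made for this example, not part of Discourse or nginx.
#
# Return codes: 0 ok, 1 cert missing or 0 bytes, 2 cert is not parseable PEM,
#               3 cert expires within MIN_DAYS, 4 key missing or not matching.
check_cert_pair() {
    cert=$1
    key=$2
    min_days=${3:-14}

    # The failure in the post: the file exists but is empty.
    [ -s "$cert" ] || return 1

    # Must parse as a PEM X.509 certificate; keep its public key for later.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2

    # -checkend exits non-zero if the cert expires within the given seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3

    # The private key must belong to the certificate: compare public keys.
    [ -s "$key" ] || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || return 4

    return 0
}

# Stand-alone use (run as root, since the key file is mode 0600):
#   sh check_cert.sh /var/discourse/shared/standalone/ssl/forum.mysite.com.cer \
#                    /var/discourse/shared/standalone/ssl/forum.mysite.com.key \
#     && nginx -t
if [ "$#" -ge 2 ]; then
    check_cert_pair "$@"
    rc=$?
    [ "$rc" -eq 0 ] || echo "certificate check failed (code $rc): $1" >&2
    exit "$rc"
fi
```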