Renewing letsencrypt with Cloudflare


(James) #1

Not being a developer, I’m still learning how Discourse works.

Right now, I’m not able to renew my letsencrypt certs when Cloudflare is enabled. When I generated my certs, I didn’t have Cloudflare enabled and I used the --standalone. Looks like to renew certs with CF, I need to use --webroot.

However.

letsencrypt wants a path to nginx. Which, on my instance of discourse, I can’t find.

So two questions: 1) Where is nginx at? (or is it bundled inside of the “discourse service?”) and 2) any ideas on how to renew letsencrypt certs when using cloudflare?


(Sander Datema) #2

When using Cloudflare you don’t need Letsencrypt. Cloudflare can handle SSL for you.


(Robin Ward) #3

I assume you are running Discourse using docker. In that case, the webroot is not visible to the outside world as it exists within the container.

For my own letsencrypt sites, I run discourse in a container but bind it to a port like 8080 instead by editing app.yml and changing the expose to be 8080:80

Then I install nginx outside of docker, and have it proxy to 8080. You can follow basic instructions to do that here.

The nginx installation outside of docker has a webroot of /usr/share/nginx/html which can happily be used by letsencrypt to renew.


(James) #4

Which is fine for most of the time. However, when I bypass CloudFlare (like say for Login/Password), I want a valid SSL certificate.


(James) #5

I run discourse in a container but bind it to a port like 8080...install nginx outside of docker, and have it proxy to 8080

I’m not sure I follow how this works. So you have discourse bind to the same port that the second copy of nginx binds to? And then what about 443 for SSL connections?

I guess I just need to install a second instance of nginx and shutdown discourse when I renew the letsencrypt cert.


(Robin Ward) #6

You run two copies of nginx. One is inside Discourse’s docker container. I tell it to run on port 8080.

On the nginx outside of docker, I run on port 80, and have it proxy to 8080 on the same machine, applying the Let’s Encrypt certificate in the process.


(James) #7

Ah… discourse is on 8080, but advertises it is on 80. 2nd-nginx is on 80, but a proxy for 8080 (which is discourse.)

right?


(Robin Ward) #8

Almost. Discourse runs on port 80 in the docker container, but on 8080 outside the container. Nginx runs outside the container on port 80, proxying to port 8080.

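The two-nginx layout Robin describes (container published on 8080, host nginx on 80/443 proxying to it, renewals served from the host webroot), as an added example config that is not from this thread or from Discourse. It assumes the hostname forum.example.com, that app.yml publishes the container as "127.0.0.1:8080:80" (loopback only, so the container is reachable only through this proxy), and that the certificate was issued with `certbot certonly --webroot -w /usr/share/nginx/html -d forum.example.com`.

```nginx
# Added example (not from the thread). Assumed names: forum.example.com,
# the loopback-only publish 127.0.0.1:8080:80 in app.yml, and the certbot
# webroot path /usr/share/nginx/html used for issuance and renewal.
server {
    listen 80;
    server_name forum.example.com;

    # ACME HTTP-01 challenge files are written into the host nginx webroot.
    # This location must stay reachable over plain HTTP so renewals keep
    # working even though everything else is redirected to HTTPS.
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name forum.example.com;

    ssl_certificate     /etc/letsencrypt/live/forum.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem;

    location / {
        # Discourse's own nginx listens on port 80 inside the container,
        # which docker publishes on 127.0.0.1:8080 on the host.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # The container only ever sees plain HTTP; tell Discourse the client
        # connection was HTTPS so it generates https:// links and cookies.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the container never needs to be stopped for a renewal, since the challenge is answered by the host nginx. When Cloudflare is proxying in front of the host, $remote_addr is a Cloudflare edge address and the real client IP arrives in Cloudflare's CF-Connecting-IP header instead.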

(James) #9

Okay. That’s what I wasn’t understanding. Thanks.