Set up HTTPS support with Let's Encrypt

Documentation Self-Hosting
,
1

:bookmark: This is a guide for enabling HTTPS on an existing Discourse installation using Let’s Encrypt. It assumes prior installation without HTTPS enabled.

:person_raising_hand: Required user level: System Administrator

:exclamation: This guide is only for existing installs where HTTPS is not enabled. Following the official setup guide automatically enables HTTPS by default.

So you’d like to add https to your Discourse absolutely free, courtesy of our friends at Let’s Encrypt?

:bell: Is everything else on your site ready for HTTPS?

Before you start, please bear in mind that for HTTPS to work properly, every single resource on the page must be HTTPS compatible. Consider your CDN, your social logins, your logo files, any third party JavaScript, images, fonts, or css — these all must be available over HTTPS!

Note: ./discourse-setup will enable Let’s Encrypt. And as of March 2017, you can run it again, and press return a few times and enter your email address ; the script will include the required templates and insert your email address as required. Unless you are an expert sysadmin and know a reason not to do that, you should run discourse-setup rather than read any further. (If you installed Discourse a long time ago, you might still have to edit app.yml by hand.)

Note: If your Discourse is accessed via some reverse proxy (e.g., Cloudflare) this configuration will not work.

Configure HTTPS with Let’s Encrypt

1. Edit app.yml

Access your Discourse’s configuration file:

cd /var/discourse
nano containers/app.yml
  • Add the following templates:
    templates:
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

:warning: Is Discourse the only website on your server?

If you are already using web.socketed.template.yml, because you host other websites via port 80 on the same server, stop. You should be using a Let’s Encrypt client on the host system; the validation will fail as the client used is unable to bind to the necessary sockets.

2. Expose HTTPS ports

Ensure the following ports are exposed for HTTPS traffic:

expose:
  - "80:80"
  - "443:443"

3. Add email for Let’s Encrypt

Insert the email address for Let’s Encrypt notifications:

env:
  LETSENCRYPT_ACCOUNT_EMAIL: 'your-email@example.com'

4. Rebuild the application

Apply the changes by rebuilding the container:

./launcher rebuild app

5. Validate HTTPS

Access your site via https://yourdomain.com. If successful, you’ll see your site secured with HTTPS.

Review your resources:

  • Ensure assets (e.g., images, scripts) load over HTTPS.
  • Reconfigure social logins and CDN for HTTPS as required.
  • Address any warnings in the browser console about insecure assets.

Discourse automatically enables force_https after a rebuild with a valid HTTPS certificate.

How does it work?

The template uses GitHub - acmesh-official/acme.sh: A pure Unix shell script ACME client for SSL / TLS certificate automation · GitHub which is

Simplest shell script for LetsEncrypt free Certificate client

Simple and Powerful, you only need 3 minutes to learn.

Pure written in bash, no dependencies to python , acme-tiny or LetsEncrypt official client. Just one script, to issue, renew your certificates automatically.

Probably it’s the smallest&easiest&smartest shell script to automatically issue&renew the free certificates from LetsEncrypt.

web.letsencrypt.ssl.template.yml adds a boot script to your container that

  1. Starts a lightweight nginx to serve ACME challenges on port 80 before the main nginx is up.
  2. Issues both an RSA (4096-bit) and an ECDSA (ec-256) Let’s Encrypt certificate using webroot mode with /var/www/discourse/public as the directory.
  3. Installs the certificates into the /shared/ssl/ directory that nginx expects. At the same time, it sets up a cron job for automatic certificate renewal. This will automatically renew your certs. Nothing happens if certs have not expired. If a certificate does expire, you’ll get an email about it from Let’s Encrypt at the email address you provided during setup.
  4. Sets force_https to true if valid certificates are obtained.

Troubleshooting

Checking logs

If HTTPS doesn’t work, check logs for SSL or Let’s Encrypt errors with:

./launcher logs app

Verifying certification files

Ensure certificate and key files are in place with:

ls -l /var/discourse/shared/standalone/ssl

You should see files like:

  • yourdomain.com.cer (RSA)
  • yourdomain.com.key (RSA)
  • yourdomain.com_ecc.cer (ECDSA)
  • yourdomain.com_ecc.key (ECDSA)

Renewing certificates manually

If auto-renewal fails, you can manually reissue your certificates:

./launcher enter app
sv stop nginx
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
LE_WORKING_DIR=/shared/letsencrypt DEBUG=1 /shared/letsencrypt/acme.sh --issue -d example.com -k 4096 -w /var/www/discourse/public
LE_WORKING_DIR=/shared/letsencrypt /shared/letsencrypt/acme.sh --installcert -d example.com --fullchainpath /shared/ssl/example.com.cer --keypath /shared/ssl/example.com.key --reloadcmd "sv reload nginx"
LE_WORKING_DIR=/shared/letsencrypt DEBUG=1 /shared/letsencrypt/acme.sh --issue -d example.com --keylength ec-256 -w /var/www/discourse/public
LE_WORKING_DIR=/shared/letsencrypt /shared/letsencrypt/acme.sh --installcert --ecc -d example.com --fullchainpath /shared/ssl/example.com_ecc.cer --keypath /shared/ssl/example.com_ecc.key --reloadcmd "sv reload nginx"
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

Rebuilding with clean certs

Remove old certificate files and rebuild to start afresh:

rm -rf /var/discourse/shared/standalone/ssl
rm -rf /var/discourse/shared/standalone/letsencrypt
./launcher rebuild app

Limitations

Let’s Encrypt certificates only validate the domain and encryption. They don’t confirm ownership or identity, which may be flagged in some browsers. For more details, refer to the Let’s Encrypt community.

Last edited by @SaraDev 2024-12-06T21:47:31Z

Check documentPerform check on document:
143 Likes
Setting up Let's Encrypt for multisite
How should I enable letsencrypt while discourse is beside other websites
Cant setting SLL (Let's Encrypt) for Discourse
Add to homescreen banner on Android
How to Set Up SSL in Discourse
Setting up SSL with my domain name and Discourse instance
Issue installing on subdomain
Completely automated SSL certificate generation
German 1&1-hosting user experience?
Problem with my SSL certificate
Replacement for whitelist-iframe
Site throws a blank screen after trying to enable LetsEncrypt
Missing file(discourse.conf) when launching after lets encrypt update?
Missing file(discourse.conf) when launching after lets encrypt update?
My discourse has either been hacked or catfished?
Discourse has stopped opening
Using a certificate when Discourse is installed behind a reverse proxy
Can discourse be installed in private mode
My Forum Is showing "Privacy Error" after upgrading SSL certificate
Using a certificate when Discourse is installed behind a reverse proxy
Why my forum not pop-up "Add to Home screen"(PWA) automatically?
Why my forum not pop-up "Add to Home screen"(PWA) automatically?
HTTPS : issue while trying to set up SSL certification
HTTPS : issue while trying to set up SSL certification
SSL received a record that exceeded the maximum permissible length
Discourse site loads via IP but via domain only header
Why is the Apple Touch Icon loaded via HTTP instead of HTTPS?
Defaultish app won't rebuild
Why is the Apple Touch Icon loaded via HTTP instead of HTTPS?
Why is the Apple Touch Icon loaded via HTTP instead of HTTPS?
Defaultish app won't rebuild
Unable to connect Discourse and WordPress
I have a very difficult problem installing ssl - please help
Not able to access site after letsencrypt cert expiry and rebuild due to IPV6
Cannot connect to IP address and no errors in log
Http logo urls after enabling LetsEncrypt
How to install SSL certificate in Discourse
White blank page on mobile app
Cloud installation not working
My forum goes offline after removing https
Trying to use Let's Encrypt + Cloudflare
New user invite links only give ERR_SSL_PROTOCOL_ERROR
[DigitalOcean] hostname having "www" in A records showing blank page
Error at LetsEncrypt validation
Migrate a phpBB3 forum to Discourse
Set Up Let's Encrypt with Second Domain for Existing Discourse Install
Not starting up after rebuild
Port 443 of computer does not appear to be accessible
Make auto-linked URLs use HTTPS
Unable to change domain name
LetsEncrypt certificate not renewing
How to deny request from unauthorized domain pointing to my IP address?
No login is possible after recovery a Discourse Backup on a new server
Letsencrypt issued on every build?
My Discourse is Down. Certificate Issue?
Setup Let’s Encrypt + non-www > www
No connection accepted on http / https after fresh installation on Ubuntu 22.04 LTS
SSL certificate expired and after that - Error 404 Not Found
SSL didn't renew automatically and I can't manually renew it
443 address already in use? Letencrypt
Set up Let’s Encrypt with multiple domains / redirects
Using Discourse with Cloudflare: Best Practices
./launcher rebuild app error bootstrap failed with exit code 125
Set up Let’s Encrypt with multiple domains / redirects
Uncaught ReferenceError: Discourse is not defined due to Cloudflare Rocket Loader
Let's Encrypt SSL Certificate Not Renewing
Uploads paths have 80 port but protocol is https
Bootstrap error during Discourse install: ENOENT - /etc/runit/1.d/letsencrypt
How to install Discourse in the AWS EC2 Instances(Ubuntu Server LTS)?
Question about the email configuration
Discourse-saml: There was an error authorizing your account
Problem in installing Let's Encrypt SSL for www and non-www
Email not sending out after installation. I need help please
Discourse not starting up: nginx: unable to open supervise/ok: file does not exist
Failed to bootstrap: Failure with receiving network data
Error when installing ssl Let's Encrypt
How to adjust dependencies for https?
Clicking links is stuck in click tracking, shows ERR_FAILED
Minimum needed to get LetsEncrypt working on a GCE instance
Can we install discourse in another container distro?
Problem with my SSL certificate
Cant setting SLL (Let's Encrypt) for Discourse
[PAID] setup ssl - Let's encrypt
Error after moving from HTTP to HTTPS
How to renew Let's Encrypt?
ServiceWorker script evaluation failed due to HTTP (not HTTPS)
Defaultish app won't rebuild
Too many redirects after enabling https
414

What is the difference between the certificates in the standalone/letsencrypt folder the standalone/ssl folders?

In the letsencrypt folder I see two sub folders for the site with certificates, one with the sitename (RSA) and other with the sitename_ecc (ECC)

Then I see another ssl folder which also seems to have .key and .cer certificates with the same names the certificate in the letsencrypt sitename and sitename_ecc folders.

However, the timestamps of all the files in the ssl folder and different from the timestamps in the letsencrypt folders and importantly the .cer certificate file sizes in the ssl folder are different from the file sizes of .cer files in the letsencrypt folders.

image
image1036×470 15.8 KB

So my questions are:

  • what’s the difference between the files in the ssl and letsencrypt folders
  • which one is used by discourse
  • if the folders in the ssl folder are corrupted/deleted can they be replaced with the files from the letsencrypt folder? (this is important because I ran into a situation where while restoring a site, letsencrypt was unable to get replacement certificates due to excessive restores but I had a valid copy of working certificates from the letsencrypt folder from an image backup).
1 Like
Can't get Ruby to update so ./launcher rebuild app keeps failing
415

@tgxworld
Can LE_WORKING_DIR=/shared/letsencrypt DEBUG=1 /shared/letsencrypt/acme.sh --issue -d example.com -k 4096 -w /var/www/discourse/public be changed to -d example.com -d www.example.com to support SSL certificates for two domain names?