Set up Let’s Encrypt with multiple domains / redirects

Oh, wow, finally it worked:

true | openssl s_client -connect www.starzen.space:443 2>/dev/null \
| openssl x509 -noout -text \
| perl -l -0777 -ne '@names=/\bDNS:([^\s,]+)/g; print join("\n", sort @names);'
starzen.space
www.starzen.space

I commented out the if statements in the letsencrypt script to force a re-issue. This is not a ‘factory’ solution, though, of course.

However, it suggests there was an issue with ‘state’ rather than the options supplied.

Looks like the current script can get tripped up depending on prior state but if you force a reissue you can fix it.

But now I have a working apex domain! :tada:

4 Likes
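As an added example (not code from the original post), a Python version of the SAN check above that generalises the perl one-liner: it parses `openssl x509 -noout -text` output, reports which expected hostnames the certificate does not cover, and handles one-label wildcards. The sample certificate text and the `live_missing_names` helper are constructed here, not taken from the thread.

```python
import re
import subprocess

# Constructed sample of `openssl x509 -noout -text` output (not a real cert):
# the certificate lists both the apex and the www name as SANs.
SAMPLE_X509_TEXT = """\
Certificate:
        Subject: CN = www.starzen.space
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:starzen.space, DNS:www.starzen.space
"""

SAN_RE = re.compile(r"\bDNS:([^\s,]+)")  # same pattern as the perl one-liner


def san_names(x509_text):
    """Sorted, de-duplicated DNS SANs found in `openssl x509 -text` output."""
    return sorted(set(SAN_RE.findall(x509_text)))


def name_covered(host, names):
    """True if `host` matches a SAN entry. A wildcard (*.example.org)
    matches exactly one label, as browsers require (RFC 6125), so it
    covers forum.example.org but not the apex or a.b.example.org."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.endswith(name[1:]):
                return True
    return False


def missing_names(x509_text, expected_hosts):
    """Expected hostnames that the certificate does NOT cover."""
    names = san_names(x509_text)
    return [h for h in expected_hosts if not name_covered(h, names)]


def live_missing_names(server, expected_hosts, port=443):
    """Same check against a live server; SNI is set to the server name."""
    pem = subprocess.run(
        ["openssl", "s_client", "-connect", f"{server}:{port}", "-servername", server],
        input=b"", capture_output=True).stdout
    text = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=pem, capture_output=True, check=True).stdout
    return missing_names(text.decode(), expected_hosts)
```

Run `live_missing_names("www.example.org", ["example.org", "www.example.org"])` after a rebuild; an empty list means the apex and www are both covered.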

It is part of the standard install. See User Guide — Certbot 2.11.0 documentation and scroll down to Managing Certificates and also immediately below that, Re-creating and Updating Existing Certificates.

These commands would be run from where you ran Certbot to begin with.

1 Like

I have a standard install and certbot is not in use. Not at the "normal" server level, nor if I first run ./launcher enter app.

I reckon it is missing because of acme.sh.

3 Likes

I think I’m running into a similar problem. I thought it was because I used a sub-subdomain (Let's Encrypt with sub-subdomain?) but I tried it with a regular subdomain and the cert is still not generating for the new site.

I’m trying to figure out how you hacked it to work, but I can’t seem to follow :grimacing:

What did you do to make it work for you?

If it was this, which of the if statements did you comment out?

Also, any idea what might be causing this new issue?

1 Like

So my problem was related to an expired domain name in my multisite configuration:

2 Likes

Hi @Brahn,

Thanks for the recent update to your instructions.

I was seeing a certificate error after pointing my root domain to a subdomain. I’ve updated my app.yml file with the newer version you wanted tested, and the issue is resolved. :slightly_smiling_face:

4 Likes

I’ve just had to implement this too, after changing domains and having the redirect fail.

Have made a minor tweak to the wiki, removing the old instructions and correcting the spaces in the new.

However, it doesn’t seem to have worked thus far. I suspect that I need to force a new certificate issue. Can anyone guide me as to how to do that easily?

I’m pretty sure that I just did a rebuild. It could be that something changed again. You still have the old cert? What’s the host name? You can PM me if you want.

Thanks Jay - forum.hinz.org.nz is the old domain (and ehealthforum.nz the new one).

I did a rebuild, (just web_only as 2-container) but that didn’t seem to fix it.

You also changed the host name? Did you change the domain name or rename your Discourse?

Unsolicited advice: Best Practice seems to be to go with the www rather than the apex domain. The browsers I use make it almost impossible to tell that the www is there.

My only guess is that the trailing space inside the quotes is significant and you don’t have it?

I think I’d go into the container and poke around and try to run acme the way that it does and see what happens; I can never remember how to do that or where to look for the acme command; I have to figure it out every time, so I can’t tell you. You might be able to see from docker logs web_only.

I swear this worked whenever it was that I last edited this. I did just check the site that I applied it to and it does seem to have its extra valid cert working. But it’s conceivable that it’s got a different base image than exists now and it’ll get broken at the next rebuild.

I’ll try to check this out again when I get a chance. Maybe next week.

1 Like

Yup - did all that with no problems.

Indeed - but only worth doing if you plan to use a CDN or subdomains (I don’t):

Tried adding that, but it didn’t make a difference.

This is quite enlightening:

root@forumhinz:/var/discourse# docker logs web_only
run-parts: executing /etc/runit/1.d/00-ensure-links
run-parts: executing /etc/runit/1.d/00-fix-var-logs
run-parts: executing /etc/runit/1.d/01-cleanup-web-pids
run-parts: executing /etc/runit/1.d/anacron
run-parts: executing /etc/runit/1.d/cleanup-pids
Cleaning stale PID files
run-parts: executing /etc/runit/1.d/copy-env
run-parts: executing /etc/runit/1.d/letsencrypt
[Sat 9 Sep 08:19:27 UTC 2023] Domains not changed.
[Sat 9 Sep 08:19:27 UTC 2023] Skip, Next renewal time is: 2023-10-26T08:24:32Z
[Sat 9 Sep 08:19:27 UTC 2023] Add '--force' to force to renew.
[Sat 9 Sep 08:19:29 UTC 2023] Installing key to: /shared/ssl/ehealthforum.nz.key
[Sat 9 Sep 08:19:29 UTC 2023] Installing full chain to: /shared/ssl/ehealthforum.nz.cer
[Sat 9 Sep 08:19:29 UTC 2023] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Sat 9 Sep 08:19:29 UTC 2023] Reload error for :
[Sat 9 Sep 08:19:29 UTC 2023] Domains not changed.
[Sat 9 Sep 08:19:30 UTC 2023] Skip, Next renewal time is: 2023-10-26T08:24:45Z
[Sat 9 Sep 08:19:30 UTC 2023] Add '--force' to force to renew.
[Sat 9 Sep 08:19:31 UTC 2023] Installing key to: /shared/ssl/ehealthforum.nz_ecc.key
[Sat 9 Sep 08:19:31 UTC 2023] Installing full chain to: /shared/ssl/ehealthforum.nz_ecc.cer
[Sat 9 Sep 08:19:31 UTC 2023] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Sat 9 Sep 08:19:31 UTC 2023] Reload error for :
Started runsvdir, PID is 570
supervisor pid: 578 unicorn pid: 590

This implies that if I can’t find a way to force it to renew, I’ll be waiting until 2023-10-26T08:24:00Z before the problem fixes itself!

I’m going to try a few things - wish me luck.

later…

Success!

Well, after trying and failing several times to kick start the certificate renewal, I eventually moved to a new server (this was already planned).

Lo and behold, this actually renewed the certificate perfectly with the settings in the OP. Go figure.

I’m not sure how to do this better in future. Perhaps establish your DNS settings from your new domain a month or two early, and get those lines into your app.yml then.

2 Likes
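As an added example (not from the thread), a small Python triage of the acme.sh output posted above: it pulls out whether the run was skipped and until when, which files were installed, and whether the nginx reload failed, then decides whether a hostname change will need a forced re-issue. The embedded log is a constructed copy of the lines above, not a live capture.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt modelled on the `docker logs web_only` output above;
# not a live capture.
SAMPLE_LOG = """\
run-parts: executing /etc/runit/1.d/letsencrypt
[Sat 9 Sep 08:19:27 UTC 2023] Domains not changed.
[Sat 9 Sep 08:19:27 UTC 2023] Skip, Next renewal time is: 2023-10-26T08:24:32Z
[Sat 9 Sep 08:19:27 UTC 2023] Add '--force' to force to renew.
[Sat 9 Sep 08:19:29 UTC 2023] Installing key to: /shared/ssl/ehealthforum.nz.key
[Sat 9 Sep 08:19:29 UTC 2023] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Sat 9 Sep 08:19:29 UTC 2023] Reload error for :
"""

SKIP_RE = re.compile(r"Skip, Next renewal time is: (\S+)")
INSTALL_RE = re.compile(r"Installing (?:key|full chain) to: (\S+)")
RELOAD_ERR_RE = re.compile(r"Reload error for\s*:")  # domain field may be empty


def triage_acme_log(text):
    """Summarise one acme.sh run as logged by the letsencrypt runit script."""
    report = {"skipped": False, "next_renewal": None,
              "installed": [], "reload_errors": 0}
    for line in text.splitlines():
        if m := SKIP_RE.search(line):
            # acme.sh found its stored domain list unchanged and will not
            # re-issue before this time unless --force is used.
            report["skipped"] = True
            report["next_renewal"] = datetime.strptime(
                m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        elif m := INSTALL_RE.search(line):
            report["installed"].append(m.group(1))
        elif RELOAD_ERR_RE.search(line):
            # the script runs at boot before runsvdir supervises nginx,
            # so `sv reload nginx` has no supervise/ directory to talk to
            report["reload_errors"] += 1
    return report


def needs_forced_reissue(report, now=None):
    """True when the run was skipped and the next automatic renewal is still
    in the future: the old certificate stays in place until then, so a
    hostname change will need a forced re-issue."""
    now = now or datetime.now(timezone.utc)
    return bool(report["skipped"] and report["next_renewal"]
                and report["next_renewal"] > now)
```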

I added this to my app.yml file. Do I have to rebuild, or does it just work?
Also, in the
“from: /-d www.first-domain.com/” line, do I put the domain I want to redirect or my subdomain?

1 Like

Yes, any changes in app.yml usually require a rebuild.

3 Likes

I rebuilt and now my site can’t be reached. Should I rebuild again?
It says this after the rebuild:

"Pups::ExecError: cd /var/www/discourse && su discourse -c 'bundle exec rake themes:update assets:precompile' failed with return #<Process::Status: pid 3575 exit 134>
Location of failure: /usr/local/lib/ruby/gems/3.2.0/gems/pups-1.2.1/lib/pups/exec_command.rb:132:in `spawn'
exec failed with the params {"cd"=>"$home", "hook"=>"assets_precompile", "cmd"=>["su discourse -c 'bundle exec rake themes:update assets:precompile'"]}
bootstrap failed with exit code 134
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one."
1 Like

Did the rebuild process go smoothly without any errors?

2 Likes

Please do this, and share the error messages.

2 Likes
110:M 10 Dec 2023 13:32:18.543 # Server initialized
110:M 10 Dec 2023 13:32:18.543 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
110:M 10 Dec 2023 13:32:18.544 * Loading RDB produced by version 7.0.7

I got these warnings, not sure if that’s important.

warning " > @glint/environment-ember-loose@1.1.0" has unmet peer dependency "@glimmer/component@^1.1.2".
warning " > @glint/environment-ember-template-imports@1.1.0" has unmet peer dependency "ember-template-imports@^3.0.0".
warning Resolution field "unset-value@2.0.1" is incompatible with requested version "unset-value@^1.0.0"
warning Pattern ["wrap-ansi@^7.0.0"] is trying to unpack in the same destination "/home/discourse/.cache/yarn/v6/npm-wrap-ansi-cjs-7.0.0-67e145cff510a6a6984bdf1152911d69d2eb9e43-integrity/node_modules/wrap-ansi-cjs" as pattern ["wrap-ansi-cjs@npm:wrap-ansi@^7.0.0"]. This could result in non-deterministic behavior, skipping.
warning " > discourse-markdown-it@1.0.0" has unmet peer dependency "xss@*".
warning "workspace-aggregator-68bace53-129d-4a2d-85c3-4685b91c92ee > discourse > @ember/legacy-built-in-components@0.5.0" has incorrect peer dependency "ember-source@>= 4.8".
warning "workspace-aggregator-68bace53-129d-4a2d-85c3-4685b91c92ee > discourse > @uppy/aws-s3@3.0.6" has incorrect peer dependency "@uppy/core@^3.1.2".
warning "workspace-aggregator-68bace53-129d-4a2d-85c3-4685b91c92ee > discourse > @uppy/aws-s3-multipart@3.1.3" has incorrect peer dependency "@uppy/core@^3.1.2".
warning "workspace-aggregator-68bace53-129d-4a2d-85c3-4685b91c92ee > discourse > @uppy/xhr-upload@3.1.1" has incorrect peer dependency "@uppy/core@^3.1.2".
warning "workspace-aggregator-68bace53-129d-4a2d-85c3-4685b91c92ee > discourse-plugins > ember-this-fallback@0.4.0" has unmet peer dependency "ember-source@^3.28.11 || ^4.0.0".
warning "workspace-aggregator-68bace53-129d-4a2d-85c3-4685b91c92ee > discourse > @uppy/aws-s3 > @uppy/xhr-upload@3.3.0" has incorrect peer dependency "@uppy/core@^3.2.1".
<--- Last few GCs --->

[3710:0x6291170]   681247 ms: Scavenge 942.0 (1034.0) -> 940.8 (1034.0) MB, 62.9 / 0.0 ms  (average mu = 0.704, current mu = 0.878) allocation failure;
[3710:0x6291170]   681616 ms: Scavenge 942.4 (1034.0) -> 941.4 (1034.0) MB, 18.3 / 0.0 ms  (average mu = 0.704, current mu = 0.878) allocation failure;
[3710:0x6291170]   681911 ms: Scavenge 943.0 (1034.0) -> 942.0 (1038.0) MB, 46.8 / 0.0 ms  (average mu = 0.704, current mu = 0.878) allocation failure;
FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
 1: 0xb83f50 node::Abort() [ember]
 2: 0xa94834  [ember]
 3: 0xd647c0 v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [ember]
 4: 0xd64b67 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [ember]
 5: 0xf42265  [ember]
 6: 0xf5474d v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [ember]
 7: 0xf2ee4e v8::internal::HeapAllocator::AllocateRawWithLightRetrySlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [ember]
 8: 0xf30217 v8::internal::HeapAllocator::AllocateRawWithRetryOrFailSlowPath(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [ember]
 9: 0xf113ea v8::internal::Factory::NewFillerObject(int, v8::internal::AllocationAlignment, v8::internal::AllocationType, v8::internal::AllocationOrigin) [ember]
10: 0x12d674f v8::internal::Runtime_AllocateInYoungGeneration(int, unsigned long*, v8::internal::Isolate*) [ember]
11: 0x17035b9  [ember]
Aborted (core dumped)
error Command failed with exit code 134.

and my site says

This site can’t be reached

forum.mysite.ca refused to connect.

Try:

  • Checking the connection
  • [Checking the proxy and the firewall]

ERR_CONNECTION_REFUSED

This is what my app.yml looks like:

hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-zoom.git
  after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /-d www.mysite.ca/
        to: "-d www.mysite.ca -d mysite.ca "
## Any custom commands to run after building
1 Like

How much memory does your server have, and do you have swap enabled (free -h to see)?

               total        used        free      shared  buff/cache   available
Mem:             957         190         371           3         395         613
Swap:           2047          79        1968

So your server has 1 GB RAM and 2 GB allocated for the swap. Oddly, the rebuild process would fail with this swap capacity.

You can try to rebuild again. If it fails, you might need to upgrade the server memory, if possible (only for the build process, you can downgrade once done).

1 Like