Set up Let’s Encrypt with multiple domains / redirects

Does the dns for both sites point to the server?

If you’re sure that both domain names resolve to the discourse server.

1 Like

It works now; it took 2 rebuilds.

1 Like

When I visit mysite.ca on Google Chrome Incognito it still shows this message:

Your connection is not private

Attackers might be trying to steal your information from mysite.ca (for example, passwords, messages, or credit cards). [Learn more]

NET::ERR_CERT_COMMON_NAME_INVALID

Back to safety Hide advanced

This server could not prove that it is mysite.ca; its security certificate is from forum.mysite.ca. This may be caused by a misconfiguration or an attacker intercepting your connection.

[Proceed to mysite.ca (unsafe)]

How do I get a security cert for mysite.ca? Is this something to do with my DigitalOcean A or CNAME records?

1 Like

What are the actual urls?

If you want to redirect domain.com to forum.domain.com, I believe you only need to make the redirection at the DNS level. :thinking:

EDIT: it looks like you solved your issue.

1 Like

Not if you want https to work too. You need certs for both domains or you’ll get a bad certificate error.

Looks like it’s working.

You can Google something like “check https certificate” for some testing sites to see that the certificate is valid.

1 Like

When I visit my domain on a Chrome/Brave browser that doesn’t save cookies, I still get a warning.

Your connection is not private

Attackers might be trying to steal your information from mysite.ca (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID

When I press proceed, it brings me to my Discourse instance. I followed the original post instructions.
I don’t know how to upload files to create a landing page for my domain and I don’t know how to get the certificate for my domain; I only have SSL for the subdomain/Discourse instance.

I believed I solved it.

1 Like

You can run CertBot again and include both the forum & the apex domain names: -d mysite.ca -d forum.mysite.ca. A new cert will be issued with both names.

You should always use the staging environment when testing and to make sure everything is okay. Then go ahead with running it in production. It reduces the load on LE’s servers.

But that command is configured in the app.yml and run when the site rebuilds. It is possible to make some changes to /etc/runit/1.d/letsencrypt and run it again, but that’s not something that most people are comfortable doing. And those changes get wiped when the image is rebuilt.

That’s complicated, as it requires DNS to point to the staging environment, so unless you’re going to do a test with a different set of hostnames in staging, and use that app.yml and DNS settings as a model to set them up for production, there’s not much use for a staging environment to solve this Let’s Encrypt setup.

1 Like

There are two obvious answers:

  • using a reverse proxy such as Nginx or Apache2, but I have a feeling that isn’t the easiest task for the OP (even if it is quite easy, though)
  • don’t use an apex domain

This topic is about how to do this without a reverse proxy.

Was it, it was :flushed: Am I mixing two different topics or am I just lost?

Anyway… generally speaking, not all questions are right, because one has an issue that he/she/it can’t solve on their own, and then the solution asked for is not always the right one, because… the person who asks doesn’t know :smirk:

Yeah, you are right — too meta.

1 Like

I haven’t run certbot, but I did rebuild my app a bunch of times and I’m not too sure if I read that it has a limit.
Do I run certbot in var/discourse?
I got my redirect to work for unityforhesquiaht.ca but I’m not getting it for nuuchahnulth.ca. I’m also testing this on Google Chrome Incognito and other browsers in private modes. I wonder if I have the indentation wrong in my app.yml file or if I just rebuilt the app too many times. I did check the indentation and it seems fine, but I will have to check again.

1 Like

If you did that and the DNS wasn’t set for all domains then you hit a rate limit and will need to wait a week or use a different set of domains.

Or both!

If you want the same server to get certs for that, DNS is your problem.

pfaffman@noreno:~$ dig +short unityforhesquiaht.ca
164.92.110.32
pfaffman@noreno:~$ dig +short nuuchahnulth.ca
24.199.125.235

2 Likes
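The dig check above, and the rate-limit warning that follows it, suggest a pre-flight script: confirm that every name you intend to put on the certificate resolves to this server before triggering a rebuild, so a DNS mistake does not consume one of the limited issuance attempts. This is an added example, not from the thread or from Discourse; it assumes `dig` is installed, and the IP addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that every hostname destined for one Let's Encrypt
# certificate resolves to this server's public IPv4 before rebuilding.
# Assumes `dig` is available. Addresses below are constructed placeholders.

# lookup DOMAIN : print the A records for DOMAIN, one per line.
lookup() {
    dig +short A "$1"
}

# check_name EXPECTED_IP DOMAIN RESOLVED_IPS
# Returns 0 if EXPECTED_IP is among RESOLVED_IPS (whitespace-separated),
# 1 otherwise. Pure string comparison, so it can be tested without DNS.
check_name() {
    expected=$1; domain=$2; resolved=$3
    if [ -z "$resolved" ]; then
        echo "FAIL  $domain: no A record" >&2
        return 1
    fi
    for ip in $resolved; do
        if [ "$ip" = "$expected" ]; then
            echo "ok    $domain -> $ip"
            return 0
        fi
    done
    echo "FAIL  $domain -> $(echo $resolved) (expected $expected)" >&2
    return 1
}

# preflight EXPECTED_IP DOMAIN... : check every domain; 0 only if all pass.
# Set LOOKUP to another function name to substitute the resolver.
preflight() {
    expected=$1; shift
    resolver=${LOOKUP:-lookup}
    failed=0
    for d in "$@"; do
        check_name "$expected" "$d" "$($resolver "$d")" || failed=1
    done
    return $failed
}

# Usage (constructed IP): only rebuild if both names point here.
#   preflight 203.0.113.10 mysite.ca forum.mysite.ca && ./launcher rebuild app
```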

So I have them set up in different droplets; I think it’s this.

I can wait a week. I don’t have that many users yet and I can’t afford to buy more domains rn. I have more time than money haha

1 Like

That’s the most likely problem. 5x and you hit the limit. That’s why I was suggesting using staging - unlimited tries to get everything set. If he had used certbot, it would have thrown an error message in the log with something like too many tries... and informing him of the rate limit and waiting time, using a different domain, etc… I’m not sure if that or a similar error would show in the logs if one didn’t use certbot.

1 Like

Oh. Maybe you mean Let’s Encrypt staging and not a staging site. I have no idea how to do that with the Let’s Encrypt template.

2 Likes

Yes, I meant the LE staging environment. Here’s a couple of links about LE Staging and Pebble (small acme server built for staging/development). The first link shows the limits for different scenarios.

1 Like

Those don’t help someone know how or whether it’s possible to get the Discourse Let’s Encrypt template to use staging mode.

1 Like

Looks like you got it all working.
I’ve been wanting to put my Discourse instance on my domains instead of my subdomains. What issues does that come with? I’m wondering if I can change the ones I have built already and do so in future builds.
Did you do a standard install? And do you have any tips or advice? Thank you.
I seem to run into issues redirecting my unityforhesquiaht.ca domain to my forum.unityforhesquiaht.ca, and I waited a week to rebuild the app; after rebuilding it’s still having this issue.

1 Like