Set up Let’s Encrypt with multiple domains / redirects

Hi @pfaffman, the edit to the original post has an erroneous + in the to: line, breaking the regex. It should be removed.

Separately, the following paragraph needs to be edited as it no longer makes sense:

There are two patterns that need to be replaced, one ending in --keylength, and another ending in --fullchainpath (in the actual file, your original domain is before each of these switches). Enter your (sub)domain (and any additional subdomains preceded by -d) and then add the following to your app.yml hooks section (towards the end of the file):

I suggest:

Use domain1 and domain2 in this post to generate the code that you will need. domain1 is your original domain and domain2 is the additional domain that you want to add. Add the resulting after_ssl: block to the hooks: section of your app.yml and do a launcher rebuild app.

1 Like

Oops. I removed the + and tweaked the text. I’ll look again later when I’m at a computer

Hey @textkit, this is a wiki, so you can make further edits if you like.

Since the last update to 3.5.0.beta8-dev, /etc/runit/1.d/letsencrypt is missing in the docker container, so it will not build. Workaround: https://www.forcewww.com/

So this stopped working:

## Add Let's Encrypt cert for non-www and www domain name
  after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d example.de -d www.example.de --keylength"

Before removing such tools/binaries from the Docker container, it would be nice to receive a notification…

4 Likes
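To make the mechanism behind the stanza above concrete, here is an added example (not code from the thread, from discourse_docker or from pups) that simulates what a pups `replace:` hook does to the letsencrypt script: it turns a `from: /.../` value into a Ruby regex, substitutes the `to:` string into the file, and then lists the `-d` hostnames the rewritten acme.sh line would request. The script contents are constructed for the example (the assumption is that the real file carries a `-d <host> ... --keylength` line, as the thread describes), the pups regex-parsing rule is my reconstruction, and the file is created in a temp directory rather than at the real `/etc/runit/1.d/letsencrypt` path. It also raises the same `Errno::ENOENT` that the thread's bootstrap output shows when the target file is absent.

```ruby
# Added example: a simulation of the pups `replace:` hook used in the app.yml
# after_ssl stanza. Not the project's code; pups semantics are an assumption.
require 'tmpdir'

# Constructed stand-in for the acme.sh invocation inside the letsencrypt
# script (assumption: the real script has a "-d <host> ... --keylength" line).
SAMPLE_SCRIPT = <<~SH
  #!/bin/bash
  /shared/letsencrypt/acme.sh --issue -d example.de --keylength 4096 -w /var/www/discourse/public
SH

# Assumed pups rule: a `from` written as /.../ is a regex, anything else a
# literal string. `to` is always inserted literally.
def pups_from_to_pattern(from)
  from =~ %r{\A/(.*)/\z} ? Regexp.new(Regexp.last_match(1)) : from
end

# Apply one replace hook to a file. Missing file => Errno::ENOENT, the same
# error class the thread's "FAILED TO BOOTSTRAP" output reports.
def apply_replace(filename, from, to, global: false)
  raise Errno::ENOENT, filename unless File.exist?(filename)
  content = File.read(filename)
  pattern = pups_from_to_pattern(from)
  result = global ? content.gsub(pattern, to) : content.sub(pattern, to)
  File.write(filename, result)
  result
end

# Every "-d <host>" argument in the rewritten script: the list of names the
# certificate request will actually cover, worth checking before a rebuild.
def requested_domains(script_text)
  script_text.scan(/-d\s+(\S+)/).flatten
end

# Run the stanza from the thread (with a trailing space kept in both `from`
# and `to`, as the later posts do) against the constructed script.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'letsencrypt')
    File.write(path, SAMPLE_SCRIPT)
    out = apply_replace(path, '/-d example.de /', '-d example.de -d www.example.de ')
    requested_domains(out)
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The trailing space inside `from: /-d example.de /` is what keeps the pattern anchored to the whole hostname argument; without it the regex would also match a longer host that merely starts with `example.de`.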

Is this a change to how Discourse handles LetsEncrypt or a change to LetsEncrypt itself?

I have a server which is currently being upset by this issue. For now my workaround is to comment out that part of the app.yml but I feel that we need some way to add these additional certs to the setup in the future.

2 Likes

Discourse has moved that to another file. It’s currently being worked on. I’ll try to take a look in the next few days to see what’s required to make it possible to support multiple subdomains.

2 Likes

I edited the OP with a new template, but haven’t tested it yet.

1 Like

Nope, this doesn’t work:

FAILED

Errno::ENOENT: No such file or directory @ rb_sysopen - /usr/local/bin/letsencrypt
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/replace_command.rb:11:in `read'
replace failed with the params {"filename"=>"/usr/local/bin/letsencrypt", "from"=>"/-d spokes.nz/", "to"=>"-d spokes.nz -d www.spokes.nz"}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.

2 Likes

Must be too soon.

Maybe try putting the replace in the stanza at the bottom where the ssh stuff used to be, if that makes sense (I’m on my phone, I’ll try to look tomorrow).

1 Like

Hi @nathank

Guessing here but I wonder if the error you are getting might relate to a missing space before the final slash and the final quote in the respective lines of the suggested stanza in your app.yml file?

I am inferring from the error message that your respective lines are (verbatim)

from: /-d spokes.nz/
to: "-d spokes.nz -d www.spokes.nz"

I say this, because in my case the lines are

from: /-d nzarchitecture.net.nz /
to: "-d nzarchitecture.net.nz -d www.nzarchitecture.net.nz "

And with spaces just before the end of each line as shown, I can now rebuild Discourse without throwing that error. (If you look closely you will see @pfaffman's updated stanza posted at the start of this thread did show those extra spaces.)

I have no files at all in the /usr/local/bin/ directory (as noted in your error message) either, which made me suspect that the lack of that letsencrypt file is not what triggers the error.

That said, for me, while Discourse works ok on its URL nzarchitecture.net.nz, unfortunately I still get a certificate error if typing www.nzarchitecture.net.nz into a browser. Whether this is due to the lack of that file, I do not know.

2 Likes

Just noting I’m currently attempting to roll this into env vars to handle directly in discourse_docker, something like a comma-separated list of hostname aliases. Seems like a common enough use case to handle directly.

It’s going to make it easier to configure for this case, so no one will need to make modifications to their app.ymls.

My current plan is, with DISCOURSE_HOSTNAME: www.domain.com, to allow for an env like:

DISCOURSE_HOSTNAME_ALIASES: domain.com,other.domain.com

which would pull the cert, valid for all hostnames.

(While I’m there, Let’s Encrypt auto renewals also don’t seem to be working properly, so I’m fixing those up too.)

8 Likes

That’s awesome! Thanks very much. That’ll definitely make things easier!

3 Likes

I missed that! Did as you suggest, but still bootstrap failure:

FAILED

Errno::ENOENT: No such file or directory @ rb_sysopen - /usr/local/bin/letsencrypt
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/replace_command.rb:11:in `read'
replace failed with the params {"filename"=>"/usr/local/bin/letsencrypt", "from"=>"/-d spokes.nz /", "to"=>"-d spokes.nz -d www.spokes.nz "}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.

Wonderful!!!

3 Likes

Probably not the central issue here, but in my thrashing about, I also updated the Docker version running on Digital Ocean from 20.0.4 (I think) to 28.3.3; possibly that helped, at least with this error. If nothing else it did get rid of the Docker 'deprecated' warnings I was getting at the beginning of the rebuild process.

1 Like

You need to remove the bit that tries to modify the Let’s Encrypt file and wait for the PR to get accepted.

2 Likes

I figured that! Fortunately, I’m on a two container install so that is no big deal.

Any joy with this thus far?

1 Like

Yep, I’ve got a PR open here pending review:

4 Likes

Hey everyone, just following up: multi-domain support is now merged. In the latest version of discourse_docker, you can now include the ssl and letsencrypt templates and set up env vars of the form DISCOURSE_HOSTNAME_ALIASES: domain.com,other.domain.com to set up alternate hostnames.

Your site will additionally pull the configured hostnames with the cert request with no additional config changes.

4 Likes

Forgive my ignorance, but is this editable via a site setting anywhere, or does something need to be edited in app.yml?

If the former, I had no luck finding it after updating to the latest, and if the latter, what specifically should be tweaked in app.yml ?

It goes in the app.yml. It’s not handled by Discourse, but by NGINX in the container and it doesn’t have access to the Discourse database.

It goes in the env section:

env:
   DISCOURSE_HOSTNAME_ALIASES: domain.com,other.domain.com

You’d include only additional domains that you would like for people to be able to link to and be redirected to your site’s actual host name.

3 Likes

Perfect - all working, thanks!

Would be even better if there was some clever way for Discourse to write the aliases supplied by an admin to app.yml itself when next updating, or to leave the info where an app.yml instruction can read it.

2 Likes