Set up Let’s Encrypt with multiple domains / redirects

Hi @pfaffman, the edit to the original post has an erroneous + in the to: line, breaking the regex. It should be removed.

Separately, the following paragraph needs to be edited as it no longer makes sense:

There are two patterns that need to be replaced, one ending in --keylength , and another ending in --fullchainpath (in the actual file, your original domain is before each of these switches). Enter your (sub)domain (and any additional subdomains preceded by -d ) and then add the following to your app.yml hooks section (towards the end of the file):

I suggest:

Use domain1 and domain2 in this post to generate the code that you will need. domain1 is your original domain and domain2 is the additional domain that you want to add. Add the resulting after_ssl: block to the hooks: section of your app.yml and do a launcher rebuild app.

Oops. I removed the + and tweaked the text. I’ll look again later when I’m at a computer

Hey @textkit, this is a wiki, so you can make further edits if you like.

Since the last update to 3.5.0.beta8-dev

/etc/runit/1.d/letsencrypt

is missing in the docker container. So it will not build. Workaround: https://www.forcewww.com/

So this stopped working:

## Add Let's Encrypt cert for non-www and www domain name
  after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d example.de -d www.example.de --keylength"

Before removing such tools/binaries from the Docker container, it would be nice to receive a notification…

Is this a change to how Discourse handles LetsEncrypt or a change to LetsEncrypt itself?

I have a server which is currently being upset by this issue. For now my workaround is to comment out that part of the app.yml but I feel that we need some way to add these additional certs to the setup in the future.

Discourse has moved that to another file. It’s currently being worked on. I’ll try to take a look in the next few days to see what’s required to make it possible to support multiple subdomains

I edited the OP with a new template, but haven’t tested it yet.

Nope, this doesn’t work:

FAILED

Errno::ENOENT: No such file or directory @ rb_sysopen - /usr/local/bin/letsencrypt
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/replace_command.rb:11:in `read’
replace failed with the params {“filename”=>“/usr/local/bin/letsencrypt”, “from”=>“/-d spokes.nz/”, “to”=>“-d spokes.nz -d www.spokes.nz”}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.

Must be too soon.

Maybe try putting the replace in the stanza at the bottom where the ssh stuff used to be if that makes sense (I’m on my phone, I’ll try to look tomorrow)

Hi @nathank

Guessing here but I wonder if the error you are getting might relate to a missing space before the final slash and the final quote in the respective lines of the suggested stanza in your app.yml file?

I am inferring from the error message that your respective lines are (verbatim)

from: /-d spokes.nz/
to: “-d spokes.nz -d www.spokes.nz”

I say this, because in my case the lines are

from: /-d nzarchitecture.net.nz /
to: "-d nzarchitecture.net.nz -d www.nzarchitecture.net.nz "

And with spaces just before the end of each line as shown, I can now rebuild Discourse without throwing that error. (if you look closely you will see @pfaffman‘s updated stanza posted at start of this thread did show those extra spaces).

I have no files at all in the usr/local/bin/ directory (as noted in your error message) either, which made me suspect that lack of that letsencrypt file is not what triggers the error.

That said, for me while Discourse works ok on its url nzarchitecture.net.nz, unfortunately I still get a certificate error if typing www.nzarchitecture.net.nz into a browser - whether this is due to lack of that file, I do not know

Just noting I’m currently attempting on rolling this into env vars to handle directly in discourse_docker, something like a comma separated list of hostname aliases. Seems like a common enough use case to handle directly.

It’s going to make it easier to configure for this case, so no one will need to make modifications to their app.ymls

My current plan is with DISCOURSE_HOSTNAME: www.domain.com

Allow for env like:
DISCOURSE_HOSTNAME_ALIASES: domain.com,other.domain.com would pull the cert, valid for all hostnames.

(While I’m there, let’s encrypt auto renewals also don’t seem to be working properly so I’m fixing those up too)

That’s awesome! Thanks very much. That’ll definitely make things easier!

I missed that! Did as you suggest, but still bootstrap failure:

FAILED

Errno::ENOENT: No such file or directory @ rb_sysopen - /usr/local/bin/letsencrypt
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/replace_command.rb:11:in `read’
replace failed with the params {“filename”=>“/usr/local/bin/letsencrypt”, “from”=>“/-d spokes.nz /”, “to”=>"-d spokes.nz -d www.spokes.nz "}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.

Wonderful!!!

Probably not the central issue here, but in my thrashing about, I also updated the Docker version running on Digital Ocean from 20.0.4 (I think) to 28.3.3 - possibly that helped, at least with this error. If nothing else it did get rid of the docker ‘depreciated’ warnings I was getting at the beginning of the rebuild process.

You need to remove the bit that tries to modify the lets encrypt file and wait for the pr to get accepted.

I figured that! Fortunately, I’m on a two container install so that is no big deal.

Any joy with this thusfar?

yep, I’ve got a PR open here pending review: