Setting up HTTPS support with Let's Encrypt


#96

When Discourse is set up as a root domain (e.g. without “www”), the certificate is issued to the root domain only. Is there a way of configuring this so that both the root and the www versions work - e.g. so that we don’t get certificate errors on www.example.com when Discourse is set up for example.com.

I believe Neil’s script allows for this using the -d option to specify multiple hosts for the certificate (so a SAN is used in the cert), so possible that we need to cater for this in the web.letsencrypt.ssl.template.yml somehow. Maybe by adding another variable into app.yml (e.g. DISCOURSE_ALT_HOSTNAME: ‘www.example.com’), and then pick this up in the script in web.letsencrypt.ssl.template.yml.

Meanwhile, can we manually run commands to do this without anything being overwritten on restart? Or is it okay to edit the conf file for the domain and set a value for Le_Alt ? If we alter the value for Le_Alt, how do we then force a reissue and install of the cert?

Thanks.


(Alan Tan) #97

Adding multiple domains has been done before. I’d like to bake this into the template though; we should probably take in an additional env variable and add that into the issue command. Hopefully someone from the community can take this? :stuck_out_tongue:


#98

@tgxworld Thanks for the link. If I make these changes, I’m assuming that the script won’t update the cert until renewal because it will see a valid certificate already installed. How do I force it to update?

Thanks.


(Alan Tan) #99

Run the issue command manually with FORCE=1 :slight_smile:


#100

@tgxworld Thanks for the tip.

I didn’t implement the file changes in app.yml, partly because I wanted to keep the build as standard as much as possible.

However, using the info from that post and your tip on FORCE=1, I did the following (posted here just in case someone else wants to do the same):
./launcher enter app
vi /etc/runit/1.d/install_ssl_cert
sv stop nginx
FORCE=1 /etc/runit/1.d/install_ssl_cert
sv start nginx

In the edit of install_ssl_cert, I changed the first line (after #!/bin/bash) to:
LE_WORKING_DIR="/shared/letsencrypt" /shared/letsencrypt/le.sh issue no example.com www.example.com 4096

Checked the certificate after install and it is now complete with and without “www”.

Thanks for your help.


(ljpp) #155

Additional note to noobs running CloudFlare DNS:

You need to enable Full SSL in CloudFlare settings, or your site won’t work.

Installation went smoothly and I’m running this now on my small side project. Giving it some more time to mature before enabling it on my big site.

Once again, great job guys!


(Philip Colmer) #274

Is it possible to (easily) change when the script agrees to renew the script?

At the moment, it looks like the cert renewal is about 9 days before it expires. In the meantime, Let’s Encrypt has sent me two reminder emails saying that the cert is going to expire.

I’d prefer to have the cert renewed as soon as it possibly can so that I only get the LE reminder emails if, for some reason, the renewal process has failed and I therefore need to investigate further.

Thanks.
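The two questions raised above, whether the issued certificate covers both the root and the www hostname (#96 to #100) and how close to expiry it gets before renewal (#274), can be checked from the admin side with a small audit script. The following is an added example and not part of this thread or of the Discourse scripts; it works on the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, the sample certificate data is constructed, and the 20-day warning threshold and the hostnames are assumptions you would set for your own site.

```python
"""
Audit a server certificate the way admins in this thread want to: does it
cover every hostname users will type (root and www), and how many days are
left before Let's Encrypt's reminder emails (or an outage) arrive?  The
certificate dictionary is in the layout ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import time
from datetime import datetime, timezone

# Constructed sample in getpeercert() layout: a cert issued to the root
# domain only, the situation described in post #96.  All values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
    "notBefore": "Jun 10 00:00:00 2017 GMT",
    "notAfter": "Sep  8 00:00:00 2017 GMT",
}


def san_dns_names(cert):
    """Return the DNS names listed in the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def missing_hostnames(cert, wanted):
    """Hostnames from `wanted` that no SAN entry covers (the www problem in #96)."""
    names = san_dns_names(cert)
    return [h for h in wanted if not any(name_matches(n, h) for n in names)]


def days_until_expiry(cert, now=None):
    """Whole days left on the certificate; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # stdlib parser for the GMT format
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def audit_certificate(cert, wanted, now=None, warn_days=20):
    """Combine both checks into one verdict a cron job could alert on.

    warn_days is an assumed threshold chosen above the window in which
    Let's Encrypt sends reminder emails, so your own monitoring fires first
    and a reminder email then really does mean renewal failed (post #274).
    """
    missing = missing_hostnames(cert, wanted)
    left = days_until_expiry(cert, now)
    return {"ok": not missing and left > warn_days,
            "missing_hostnames": missing, "days_left": left}


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Fetch the live certificate for hostname, in getpeercert() layout."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demo on the constructed cert, with "today" fixed at 2017-08-30,
    # nine days before it expires.
    fake_now = datetime(2017, 8, 30, tzinfo=timezone.utc).timestamp()
    print(audit_certificate(SAMPLE_CERT, ["example.com", "www.example.com"], now=fake_now))
    # Live use against your own forum (assumed hostname):
    # print(audit_certificate(fetch_peer_cert("forum.example.com"),
    #                         ["forum.example.com", "www.forum.example.com"]))
```

On the constructed sample the audit reports `www.example.com` as uncovered and 9 days left, so `ok` is false on both counts; after re-issuing with both names (the `FORCE=1` procedure in #100) the hostname list comes back empty and only the expiry countdown remains to watch.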


(Greg) #314

On my Discourse server, the auto-renew cron job seems to be broken. I’ve grabbed a shell:

./launcher enter app

and then tried to run a renewal myself:

"/shared/letsencrypt"/acme.sh --home "/shared/letsencrypt" --renew-all
[Fri Sep  8 10:50:23 UTC 2017] Renew: 'community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Single domain='community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Getting domain auth token for each domain
[Fri Sep  8 10:50:23 UTC 2017] Getting webroot for domain='community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Getting new-authz for domain='community.hestiapi.com'
[Fri Sep  8 10:50:24 UTC 2017] The new-authz request is ok.
[Fri Sep  8 10:50:25 UTC 2017] Verifying:community.hestiapi.com
[Fri Sep  8 10:50:30 UTC 2017] community.hestiapi.com:Verify error:Invalid response from http://community.hestiapi.com/.well-known/acme-challenge/90IFUOXXSZSmX3O_qjSS-ijnnyFJXMC6ZWYNm-UnuSE: 
[Fri Sep  8 10:50:30 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log

Looking in the log (which is pretty huge, but I can paste if needed) it appears to be writing the token, and then failing anyway.

My cert expires tonight (but it’s not a huge deal, we only have a few users), so any advice is appreciated!


(Greg) #315

Of course, as soon as I post, I find the issue. My site only passes 443 to Discourse as other things run on 80 - and of course the renewal has to happen on 80… as soon as I added a vhost on 80 to handle .well-known, all was fine. Thanks anyway!


(Mauro) #324

Do I need to add any 301 redirects to let Google know about the move from http to https? Or does it happen automatically?


(Stephen Chung) #325

AFAIK it happens auto-magically. Discourse automatically takes care of the 301 redirects.

That’s why it is No-Brains-Required™. :grinning:


(Jay Pfaffman) #327

I just set up a site with Let’s Encrypt and Firefox is whining that it “does not supply ownership information”.

Screenshot from 2017-10-05 09-32-03

Screenshot from 2017-10-05 09-35-27

But, there’s nothing that can be done, as explained here: Adding Ownership Information? - Help - Let's Encrypt Community Support


(Pad Pors) #328

We were using this set up in order to have https. But then as we turned off Cloudflare, we got a “Your connection is not secure” error, and an expiration date for the SSL certificate.

Questions:

  1. Is the output effect of this howto document the same as this one: Allowing SSL / HTTPS for your Discourse Docker setup? I mean both of them seem to allow for https.

  2. What about the expiration date of an SSL certificate? Nothing about an expiration date is reported in this howto.


(Justin Mullis) #329

I followed this guide after setting up a new discourse “one-click” droplet on Digital Ocean. Just wanted to say thanks, it worked perfectly. Pretty awesome that uncommenting a few lines and restarting gives you SSL for free!


(Ryan Nix) #330

Thanks, Greg. Turns out I only had 443 open to the world as well. Once I opened up 80, voila, I was able to renew the Let’s Encrypt Cert.
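Greg's fix in #315 and Ryan's in #330 come down to the same requirement: the HTTP-01 validation request arrives on port 80, so whatever answers on port 80 must route `/.well-known/acme-challenge/` to where acme.sh writes the token, while everything else can go to HTTPS (the 301 redirect asked about in #324). The following host-level nginx server block is an added example, not configuration from this thread or from the Discourse templates; the hostname, and the assumption that the Discourse container's own web server is reachable at 127.0.0.1:8080, are placeholders for your layout.

```nginx
# Host-level nginx on port 80, sitting in front of a Discourse container that
# previously only received port 443 traffic (Greg's layout in #315).
# Hostname and upstream address are assumptions for this example.
server {
    listen 80;
    listen [::]:80;
    server_name community.example.com;

    # HTTP-01 challenge: Let's Encrypt fetches
    # http://<host>/.well-known/acme-challenge/<token> over plain HTTP, so this
    # path must reach the place acme.sh writes the token. Here it is proxied
    # to the container's web server (assumed at 127.0.0.1:8080). Without this
    # block the validator gets the "Invalid response" error shown in #314.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }

    # Everything else: permanent redirect to HTTPS, so search engines and
    # users are moved off plain HTTP (the 301 question in #324).
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a quick way to confirm the path is reachable before the next renewal is to place a file under the challenge directory inside the container and request it from outside over plain `http://`; if the request is answered on port 80 with that file's contents rather than a redirect or an error, the renewal will be able to complete.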


(Tumi) #331

Hello, what about Cloudflare? Is it better for SSL (and not only) than Let's Encrypt?


(Matt Palmer) #332

No, using Cloudflare for SSL, without also setting up SSL on your server, is terribad – it lulls users into a false sense of security, whilst funnelling your site’s unencrypted traffic through a small number of very attractive targets (Cloudflare data centres).


(Tumi) #333

Thanks for the info. I read about hackers vs Cloudflare in February 2017. So I understand. Anyway, are there any pros to using Cloudflare or not really? If I understand:
SSL - Let's Encrypt is ok, or any paid SSL
DNS - my own registrar (like OVH, GoDaddy) or premium (for 10 dollars) DNS? Is this worth it?
Anything else I should get or that is good to know?


#334

If we are using Cloudflare, can’t we use Let’s Encrypt? Isn’t there a way?


#335

Yes, read this post.