Setting up HTTPS support with Let's Encrypt

On my Discourse server, the auto-renew cron job seems to be broken. I’ve grabbed a shell:

./launcher enter app

and then tried to run a renewal myself:

"/shared/letsencrypt"/acme.sh --home "/shared/letsencrypt" --renew-all
[Fri Sep  8 10:50:23 UTC 2017] Renew: 'community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Single domain='community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Getting domain auth token for each domain
[Fri Sep  8 10:50:23 UTC 2017] Getting webroot for domain='community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Getting new-authz for domain='community.hestiapi.com'
[Fri Sep  8 10:50:24 UTC 2017] The new-authz request is ok.
[Fri Sep  8 10:50:25 UTC 2017] Verifying:community.hestiapi.com
[Fri Sep  8 10:50:30 UTC 2017] community.hestiapi.com:Verify error:Invalid response from http://community.hestiapi.com/.well-known/acme-challenge/90IFUOXXSZSmX3O_qjSS-ijnnyFJXMC6ZWYNm-UnuSE: 
[Fri Sep  8 10:50:30 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log

Looking in the log (which is pretty huge, but I can paste if needed) it appears to be writing the token, and then failing anyway.

My cert expires tonight (but it’s not a huge deal, we only have a few users), so any advice is appreciated!

Of course, as soon as I post, I find the issue. My site only passes 443 to Discourse as other things run on 80 - and of course the renewal has to happen on 80… as soon as I added a vhost on 80 to handle .well-known, all was fine. Thanks anyway!

4 Likes
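The failure above is easy to miss when the renewal runs from cron: acme.sh prints the problem and the cron job simply does not mail anyone. The following is an added example for this thread, not code from acme.sh or Discourse: a small Python wrapper that parses the output of an `acme.sh --renew-all` run, reports each domain's result, and exits non-zero when any renewal did not succeed. For a failed HTTP-01 challenge it also spells out the point this post and the later one about opening port 80 both landed on: the CA fetches the token under `/.well-known/acme-challenge/` over plain HTTP, so port 80 has to reach the web root. The sample input is the acme.sh output quoted above; the "Cert success." line it also recognises is acme.sh's own success message.

```python
"""Summarise an `acme.sh --renew-all` run so a cron wrapper can alert on failure.

Added example for this thread; not part of acme.sh or Discourse. It matches the
message formats visible in the quoted output ("Renew: '<domain>'",
"<domain>:Verify error:...") plus acme.sh's "Cert success." line.
"""
import re
import sys
from urllib.parse import urlsplit

# Constructed sample input: the acme.sh output quoted in the post above.
SAMPLE_OUTPUT = """\
[Fri Sep  8 10:50:23 UTC 2017] Renew: 'community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Single domain='community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Getting domain auth token for each domain
[Fri Sep  8 10:50:23 UTC 2017] Getting webroot for domain='community.hestiapi.com'
[Fri Sep  8 10:50:23 UTC 2017] Getting new-authz for domain='community.hestiapi.com'
[Fri Sep  8 10:50:24 UTC 2017] The new-authz request is ok.
[Fri Sep  8 10:50:25 UTC 2017] Verifying:community.hestiapi.com
[Fri Sep  8 10:50:30 UTC 2017] community.hestiapi.com:Verify error:Invalid response from http://community.hestiapi.com/.well-known/acme-challenge/90IFUOXXSZSmX3O_qjSS-ijnnyFJXMC6ZWYNm-UnuSE: 
[Fri Sep  8 10:50:30 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
"""

# Every acme.sh line starts with a bracketed timestamp; we only care about what follows it.
RENEW_RE = re.compile(r"^\[[^\]]*\] Renew: '(?P<domain>[^']+)'")
VERIFY_ERR_RE = re.compile(r"^\[[^\]]*\] (?P<domain>[^\s:]+):Verify error:(?P<detail>.*)$")
SUCCESS_RE = re.compile(r"^\[[^\]]*\] Cert success\.")
URL_RE = re.compile(r"https?://\S+")

HTTP01_HINT = ("HTTP-01: the CA fetches this token over plain HTTP on port 80, so port 80 "
               "must reach the web root that serves /.well-known/acme-challenge/")


def is_http01_challenge(url):
    """True when the failed URL is an HTTP-01 token (plain http, well-known path)."""
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.path.startswith("/.well-known/acme-challenge/")


def parse_renew_output(text):
    """Return one dict per 'Renew:' block: domain, status, challenge_url, hint."""
    results = []
    current = None
    for line in text.splitlines():
        m = RENEW_RE.match(line)
        if m:
            current = {"domain": m["domain"], "status": "unknown",
                       "challenge_url": None, "hint": None}
            results.append(current)
            continue
        if current is None:
            continue  # noise before the first Renew: line
        if SUCCESS_RE.match(line):
            current["status"] = "renewed"
            continue
        m = VERIFY_ERR_RE.match(line)
        if m and m["domain"] == current["domain"]:
            current["status"] = "failed"
            u = URL_RE.search(m["detail"])
            if u:
                url = u.group(0).rstrip(":")  # acme.sh appends ':' after the URL
                current["challenge_url"] = url
                if is_http01_challenge(url):
                    current["hint"] = HTTP01_HINT
    return results


def exit_code(results):
    """0 only if every domain renewed; otherwise 1 so cron mail / monitoring fires."""
    if not results:
        return 1
    return 0 if all(r["status"] == "renewed" for r in results) else 1


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    results = parse_renew_output(text)
    for r in results:
        extra = f" ({r['challenge_url']})" if r["challenge_url"] else ""
        print(f"{r['domain']}: {r['status']}{extra}")
        if r["hint"]:
            print("  hint:", r["hint"])
    sys.exit(exit_code(results))
```

Run it as `acme.sh --home /shared/letsencrypt --renew-all 2>&1 | python3 check_renew.py` from the cron entry (script name is my choice); with no piped input it runs against the embedded sample and exits 1, because that sample is the failed renewal.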

Do I need to add any 301 redirects to let Google know about the move from http to https? Or it happens automatically?

AFAIK it happens auto-magically. Discourse automatically takes care of the 301 redirects.

That’s why it is No-Brains-Required™. :grinning:

4 Likes

I just set up a site with Let’s Encrypt and Firefox is whining that it “does not supply ownership information”.

Screenshot from 2017-10-05 09-32-03

Screenshot from 2017-10-05 09-35-27

But, there’s nothing that can be done, as explained here: Adding Ownership Information? - Help - Let's Encrypt Community Support

We were using this setup in order to have HTTPS. But then, as we turned off Cloudflare, we got a "Your connection is not secure" error and an expiration date for the SSL certificate.

Questions:

  1. Is the outcome of this howto document the same as this one: Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup? I mean, both of them seem to allow for HTTPS.

  2. What about the expiration date of an SSL certificate? Nothing about an expiration date is mentioned in this howto.

I followed this guide after setting up a new discourse “one-click” droplet on Digital Ocean. Just wanted to say thanks, it worked perfectly. Pretty awesome that uncommenting a few lines and restarting gives you SSL for free!

11 Likes

Thanks, Greg. Turns out I only had 443 open to the world as well. Once I opened up 80, voila, I was able to renew the Let’s Encrypt Cert.

2 Likes

If we are using Cloudflare, can’t we use Let’s Encrypt? Is not there a way?

Yes, read this post.

2 Likes

I just enabled Let’s Encrypt and SSL appears to be working, but there is an error in the console I don’t understand, and don’t know whether it’s related to SSL. Link below.

Note, the error takes a minute or two before it appears in my console.

This is the error I get in chrome console:

9/t/morning-i-ll-check/19:1 Failed to load
https://forum.artsupia.org/message-bus/dc19be97c09544aaaf966d011ce76c86/poll?dlp=t:
Request header field X-CSRF-Token is not allowed by
Access-Control-Allow-Headers in preflight response.

Something’s triggering a CORS preflight, which shouldn’t be happening because it’s all on the same domain, right?

1 Like
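"Same domain" and "same origin" are not the same test, and that distinction is what decides whether a preflight happens. The browser compares scheme, host and port; two URLs on one hostname that differ in scheme (http vs https) or port are different origins. A cross-origin request is then preflighted with an OPTIONS request whenever it is not a "simple" request, and `X-CSRF-Token` is not one of the CORS-safelisted request headers, so any cross-origin request carrying it is preflighted. The code below is an added example for this thread, not Discourse or message-bus code: it encodes those two rules and runs them against the message-bus URL from the quoted console error. The page URLs and the token value are constructed; the `X-CSRF-Token` header name comes from the error text.

```python
"""Same-origin check and CORS 'simple request' test, as the browser applies them.

Added example for this thread (not Discourse or message-bus code). The request
URL is taken from the quoted console error; page URLs and token are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Methods a cross-origin request may use without a preflight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# CORS-safelisted request headers (Fetch standard); any other header forces a preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Content-Type values that keep a request simple.
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# From the quoted error; the header values are constructed placeholders.
MESSAGE_BUS_URL = "https://forum.artsupia.org/message-bus/dc19be97c09544aaaf966d011ce76c86/poll?dlp=t"
POLL_HEADERS = {"X-CSRF-Token": "EXAMPLE-TOKEN",
                "Content-Type": "application/x-www-form-urlencoded"}


def origin(url):
    """(scheme, host, port); the default port is filled in so https://x and https://x:443 agree."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def same_origin(page_url, request_url):
    return origin(page_url) == origin(request_url)


def needs_preflight(method, headers):
    """True if a cross-origin request with this method and headers is not 'simple'.

    Simplification: the spec's value restrictions on Accept / Accept-Language are ignored.
    """
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # e.g. X-CSRF-Token
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFELISTED_CONTENT_TYPES:
                return True  # e.g. application/json
    return False


def explain(page_url, request_url, method, headers):
    """How the browser will treat a request issued from page_url to request_url."""
    if same_origin(page_url, request_url):
        return "same-origin"
    if needs_preflight(method, headers):
        return "cross-origin, preflighted"
    return "cross-origin, simple"


if __name__ == "__main__":
    # Constructed page URLs: same host, varying scheme and port.
    for page in ("https://forum.artsupia.org/t/morning-i-ll-check/19",
                 "http://forum.artsupia.org/t/morning-i-ll-check/19",
                 "https://forum.artsupia.org:8443/t/morning-i-ll-check/19"):
        print(page, "->", explain(page, MESSAGE_BUS_URL, "POST", POLL_HEADERS))
```

The practical check this suggests: compare the scheme and port of the page you loaded with those in the failing request URL; if they differ, the browser is behaving correctly and the mismatch, not the SSL certificate, is what to look at.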

Yes, all on the same domain. There aren’t any external links, only images that were uploaded, and later edited out. Social media is not set up.

I played around with this test thread quite a bit. There were two image uploads, which I later removed from the post. I also turned a post into a wiki, and then switched the wiki off again. Just wondering whether something got messed up with all the editing. The thread is only for learning how to edit posts. It can be deleted.

Any ideas how to trace the error?

@tgxworld, is it sufficient to force HTTPS from the Discourse web admin, or do I still need to do that from the command line, as shown in the original post above?
> admin → site settings → force https

Doing it from the web interface is the same thing.

2 Likes

Will ./launcher rebuild app automatically set up Let's Encrypt if I include a Let's Encrypt e-mail in the app.yml file, the same as if I had included the Let's Encrypt e-mail during discourse-setup? Or do I run discourse-setup again even though I have a fully functioning Discourse running? Will discourse-setup update my existing Discourse to use Let's Encrypt? I was hoping ./launcher rebuild app would do the job. Is it even possible to use the fully automated approach once Discourse is already set up?

I don’t think so… not sure entirely though, as I’d have to look at ./discourse-setup, but I think there are additional tweaks to the app.yml that are necessary.

You should be able to just run ./discourse-setup again, fill it out appropriately (including LetsEncrypt email) and it should update your existing install to use LetsEncrypt

Great, thanks. That's what I was hoping: that just running discourse-setup again would work. But the documentation says just running that again would ignore any changes to the app.yml file. Maybe discourse-setup will ask me about Let's Encrypt, so that's why it might work. I'll try it out, thanks.

Yes. In addition to setting the Let's Encrypt email address, it also uncomments the two templates needed by Let's Encrypt. If you found the email address place in app.yml, then look up near the top and it should be "obvious".

If you added the email address by hand I don’t promise that discourse-setup will figure out that it needs to uncomment those lines. You’re on your own.

Hmm. Where does it say that?

I thought that’s what this paragraph here was saying:

This will generate an app.yml configuration file on your behalf, and then kicks off bootstrap. Bootstrapping takes between 2-8 minutes to set up your Discourse. If you need to change these settings after bootstrapping, you can run ./discourse-setup again (it will read your old values from the file) or edit /containers/app.yml with nano and then ./launcher rebuild app; otherwise your changes will not take effect.

On a different note: what Let's Encrypt e-mail is it? Since there doesn't seem to be a sign-up on the website, can that e-mail be whatever e-mail I want it to be, to get notifications?