Setting up HTTPS support with Let's Encrypt

Yes, all on the same domain. There aren’t any external links, only images that were uploaded, and later edited out. Social media is not set up.

I played around with this test thread quite a bit. There were two image uploads, which I later removed from the post. I also turned a post into a wiki, and then switched the wiki off again. Just wondering whether something got messed up with all the editing. The thread is only for learning how to edit posts. It can be deleted.

Any ideas how to trace the error?

@tgxworld, is it sufficient to force https from Discourse web admin, or do I still need to do that from the command line, as shown in the original post above?
> admin → site settings → force https

Doing it from the web interface is the same thing.

2 Likes

Will ./launcher rebuild app automatically set up let’s encrypt if I include a let’s encrypt e-mail in the app.yml file the same as if I included the let’s encrypt e-mail during discourse-setup? Or do I run discourse-setup again even though I have a fully functioning discourse running? Will discourse-setup update my existing discourse to use let’s encrypt? I was hoping ./launcher rebuild app would do the job. Is it even possible to use the fully automated approach once discourse is already set up?

I don’t think so… not sure entirely though, as I’d have to look at ./discourse-setup, but I think there are additional tweaks to the app.yml that are necessary.

You should be able to just run ./discourse-setup again, fill it out appropriately (including LetsEncrypt email) and it should update your existing install to use LetsEncrypt

Great, thanks. That’s what I was hoping; that just running discourse-setup again would work but the documentation says just running that again would ignore any changes to the app.yml file. But maybe discourse-setup will ask me about let’s encrypt so that’s why it might work. I’ll try it out, thanks.

Yes. In addition to setting the Let’s Encrypt email address, it also uncomments the two templates needed by let’s encrypt. If you found the email address place in app.yml, then look up near the top and it should be “obvious”.

If you added the email address by hand I don’t promise that discourse-setup will figure out that it needs to uncomment those lines. You’re on your own.

Hmm. Where does it say that?

I thought that’s what this paragraph here was saying:

This will generate an app.yml configuration file on your behalf, and then kicks off bootstrap. Bootstrapping takes between 2-8 minutes to set up your Discourse. If you need to change these settings after bootstrapping, you can run ./discourse-setup again (it will read your old values from the file) or edit /containers/app.yml with nano and then ./launcher rebuild app , otherwise your changes will not take effect.

On a different note. What let’s encrypt e-mail is it? Since there doesn’t seem to be a sign up on the website, that e-mail can be whatever e-mail I want it to be to get notifications?

Any email address that will get to you will work. It’s just to notify you if it fails to get renewed.

So the bit about reading the old values made you think you couldn’t change them?

I watched a short YouTube video and it all made sense after that. It really isn’t all that clear in the documentation that all I had to do was uncomment those two lines and put in any email address and rebuild: done. You should just have: 1. Uncomment two lines in app.yml (it’ll be obvious). 2. Add any e-mail where you can be reached. 3. Run ./launcher rebuild app.

1 Like

Just wanted to give a huge thank you to the OP and the team at Discourse for making this so easy. Just implemented rather last minute in advance of the Chrome update tomorrow and it was remarkably painless.

11 Likes

If you enabled https with let’s encrypt via ./discourse-setup before, you can just ./launcher rebuild app and that should get a new cert. It is always safe to run ./discourse-setup again.

You can also

./launcher stop app
./discourse-doctor

and it’ll rebuild and save the output to a log file, which might help find the problem.

You do need to see that your domain name resolves directly to your server and that ports 80 and 443 are open. ./discourse-doctor tries to help debug that too.

1 Like

I’m using Discourse on a one-click droplet by DigitalOcean. Is there any way to have certificates automatically renewed instead of having to do it manually every three months?

I’m not very savvy. Thanks!

They renew automatically.

What happens after discourse-setup takes your information and starts the rebuild? Does your domain name point to your server? Do you have something else in the way (e.g., cloudflare)?

2 Likes

6 posts were split to a new topic: Mixed HTTP/HTTPS Content?

My certificate expired today and I didn’t get any email about it.

How can I verify that the cronjob works? crontab -l only gives me two backup cron jobs that I added.

Did you run crontab -l after running ./launcher enter app?

1 Like

Just FYI I have an instance to troubleshoot today which hadn’t auto renewed certs. It had an early beta of 2.3, the cert just aged out. Very vanilla multisite install with nothing in front of it.

Ah, ok, now I’m getting this, which seems to be correct.
32 0 * * * "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" > /dev/null
Manually executing the command works fine as well. So, it’s still a mystery why the renewal didn’t work automatically.

Likely because there isn’t a --reloadcmd "service nginx force-reload" specified, so nginx doesn’t see the new/renewed certificates. I’m not sure if that’s been fixed already.

2 Likes
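The failure described in the last post, where acme.sh renews the certificate on disk but nginx keeps serving the old one until it is reloaded, can be told apart from a renewal that never happened by comparing the two certificates. This is an added example, not part of the thread or of Discourse's own tooling; the host name and the path of the on-disk PEM file are assumptions supplied by the caller, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: compare the certificate on disk with the one the web server presents.
# The PEM path and host name are caller-supplied assumptions, not Discourse defaults.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Save the leaf certificate presented by host:443 into a PEM file.
fetch_served_cert() {
    host=$1; out=$2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Classify the renewal state from the on-disk and the served certificate:
#   ok              same certificate on both sides, not yet expired
#   stale-served    disk holds a different certificate than the server presents,
#                   i.e. the web server has not reloaded since the file changed
#   renewal-failed  same certificate on both sides and it has expired
renewal_state() {
    disk=$1; served=$2
    if [ "$(cert_fingerprint "$disk")" != "$(cert_fingerprint "$served")" ]; then
        echo stale-served
    elif ! openssl x509 -in "$disk" -noout -checkend 0 >/dev/null; then
        echo renewal-failed
    else
        echo ok
    fi
}

# Usage: sh check_cert.sh <host> <path-to-cert-on-disk.pem>
if [ "$#" -eq 2 ]; then
    served=$(mktemp)
    fetch_served_cert "$1" "$served"
    renewal_state "$2" "$served"
    rm -f "$served"
fi
```

A result of stale-served points at the missing reload; renewal-failed means the cron job itself never produced a new certificate.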