Setting up HTTPS support with Let's Encrypt


Yes, read this post.

(Marcus) #336

I just enabled Let’s Encrypt and SSL appears to be working, but there is an error in the console I don’t understand, and don’t know whether it’s related to SSL. Link below.

Note, the error takes a minute or two before it appears in my console.

This is the error I get in chrome console:

9/t/morning-i-ll-check/19:1 Failed to load
Request header field X-CSRF-Token is not allowed by
Access-Control-Allow-Headers in preflight response.

(Kane York) #337

Something’s triggering a CORS preflight, which shouldn’t be happening because it’s all on the same domain, right?

(Marcus) #338

Yes, all on the same domain. There aren’t any external links, only images that were uploaded, and later edited out. Social media is not set up.

I played around with this test thread quite a bit. There were two image uploads, which I later removed from the post. I also turned a post into a wiki, and then switched the wiki off again. Just wondering whether something got messed up with all the editing. The thread is only for learning how to edit posts. It can be deleted.

Any ideas how to trace the error?

(Marcus) #339

@tgxworld, Is it sufficient to force https from Discourse web admin, or do I still need to do that from the command line, as shown in the original post above?
> admin → site settings → force https

(Jay Pfaffman) #340

Doing it from the web interface is the same thing.

(Pierre Grand) #341

hello dear community,
I did run the .discourse-setup on my http discourse instance(QA one). But now the forum is not available.
when I check the logs I find this message:

nginx: [emerg] PEM_read_bio_X509_AUX("/shared/ssl/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

I understand the certificates generated by let’s encrypt is not good.
I try to remove them and rebuild the container but I get the same error.

Do you have an idea how to proceed to troubleshoot the certificate quality?

(Jay Pfaffman) #342

Does your domain name point to your web site and only your web site?

(Pierre Grand) #343

Hello Jay, not sure what is the right answer. The domain name we use to connect to Discourse website is the DNS name given by Amazon AWS to the virtual server.

(Michael Howell) #344

LetsEncrypt won’t work with the default AWS domain, because it’ll hit their rate limits. You’re going to need a domain name that isn’t shared with thousands of other people.

(Pierre Grand) #345

OK, thanks a lot for the feedback, I have ordered a domain name. Hopefully it’s not too difficult to make my current Discourse instance to use it…

(Pierre Grand) #346

I have now a domain. I relaunched the setup, I had also to fine tune the A Name and C Name and now it’s fine, thanks a lot for the help!

Do you confirm the renewal of the certificate every 90 days will be automatic ?

(Jay Pfaffman) #347

That’s right. It’ll renew automatically. You won’t even know.

(Felipe Moura) #348

Funcionou como uma beleza! Muito obrigado!!

(Pierre Grand) #349

I migrated successfully my forum this weekend, Now I see that the attachment in topics are broken. Just making an edit save solve the issue but I cannot edit all the topics.
Is there a more “industrial” way to update all the links ?

(Jay Pfaffman) #350

Search for rake posts:rebake. If you have a huge forum, it’s worth trying to rebake only selected posts. If you have only a few tens of thousands of posts, you might not bother.

(Dean Peterson) #351

Will ./launcher rebuild app automatically set up let’s encrypt if I include a let’s encrypt e-mail in the app.yml file the same as if I included the let’s encrypt e-mail during discourse-setup? Or, do I run discourse-setup again even though I have a fully functioning discourse running. Will discourse-setup update my existing discourse to use let’s encrypt? I was hoping ./launcher rebuild app would do the job. Is it even possible to use the fully automated approach once discourse is already set up?

(cpradio) #352

I don’t think so… not sure entirely though, as I’d have to look at ./discourse-setup, but I think there are additional tweaks to the app.yml that are necessary.

You should be able to just run ./discourse-setup again, fill it out appropriately (including LetsEncrypt email) and it should update your existing install to use LetsEncrypt

(Dean Peterson) #353

Great, thanks. That’s what I was hoping; that just running discourse-setup again would work but the documentation says just running that again would ignore any changes to the app.yml file. But maybe discourse-setup will ask me about let’s encrypt so that’s why it might work. I’ll try it out, thanks.

(Jay Pfaffman) #354

Yes. In addition to setting the Let’s Encrypt email address, it also uncomments the two templates needed by let’s encrypt. If you found the email address place in app.yml, then look up near the top and it should be “obvious”.

If you added the email address by hand I don’t promise that discourse-setup will figure out that it needs to uncomment those lines. You’re on your own.

Hmm. Where does it say that?