Setting up HTTPS support with Let's Encrypt

(Dean Peterson) #355

I thought that’s what this paragraph here was saying:

This will generate an app.yml configuration file on your behalf, and then kicks off bootstrap. Bootstrapping takes between 2-8 minutes to set up your Discourse. If you need to change these settings after bootstrapping, you can run ./discourse-setup again (it will read your old values from the file) or edit /containers/app.yml with nano and then ./launcher rebuild app , otherwise your changes will not take effect.

On a different note. What let’s encrypt e-mail is it? Since there doesn’t seem to be a sign up on the website, that e-mail can be whatever e-mail I want it to be to get notifications?

(Jay Pfaffman) #356

Any email address that will get to you will work. It’s just to notify you if it fails to get renewed.

So the bit about reading the old values made you think you couldn’t change them?

(Dean Peterson) #357

I watched a short youtube video and it all made sense after that. It really isn’t all that clear in the documentation that all I had to do was uncomment those two lines and put in any email address and rebuild: done. You should just have. 1. uncomment two lines in app.yml (it’ll be obvious). 2. Add any e-mail where you can be reached 3. run ./launcher rebuild app

(Jon Lumb) #358

Just wanted to give a huge thank you to the OP and the team at Discourse for making this so easy. Just implemented rather last minute in advance of the Chrome update tomorrow and it was remarkably painless.


My word! I have the same praise for you guys/gals! Making this as easy as adding your email at the end of the setup script menu… SO EASY! thank you.

(Realtor) #362


Does this file still exist ? /etc/nginx/letsencrypt.conf

I am getting an error saying no such file.


(Jay Pfaffman) #363

Just run ./discourse-setup and it’ll take care of everything.

(Realtor) #364

I have already done ./discourse-setup. I am facing this problem only in renewing the ssl. I think I can’t run ./discourse-setup

(Stephen) #365

Renewal is automatic providing you’re using the standard ports, no external proxy and haven’t blocked port 80.

If you’ve put anything in front of Discourse which interferes with network communication you need to fix that first.

(Realtor) #366

well somehow the automatic renewal didn’t go through. I can ensure the ports and all once the current renewal goes through. In the meantime, I am looking for a way to reissue manually. Guide recommends to use a standby config like /etc/nginx/letsencrypt.conf but I could not find one.

(Stephen) #367

Unless you manually enrolled let’s encrypt the first time (it’s automated for all recent installs) there’s no need to do this. You should fix your ports as all enrollment methods require port 80 be available.

(Jay Pfaffman) #368

If you enabled https with let’s encrypt via ./discourse-setup before, you can just ./launcher rebuild app and that should get a new cert. It is always safe to run ./discourse-setup again.

You can also

./launcher stop app

and it’ll rebuild and save the output to a log file, which might help find the problem.

You do need to see that your domain name resolves directly to your server and that ports 80 and 443 are open. ./discourse-doctor tries to help debug that too.


I’ve set the certificate and it worked for several hours, after I received this error:

Your connection is not private

Any ideas?

(Jay Pfaffman) #370

How did you “set the certificate?”


I wrote this in templates:

  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

After that, I wrote the email…



./launcher rebuild app

It worked for a few hours without any problems, until now.



root@ubuntu: /var/discourse# ./launcher logs app
run-parts: executing /etc/runit/1.d/00-ensure-links
run-parts: executing /etc/runit/1.d/00-fix-var-logs
run-parts: executing /etc/runit/1.d/anacron
run-parts: executing /etc/runit/1.d/cleanup-pids
Cleaning stale PID files
run-parts: executing /etc/runit/1.d/copy-env
run-parts: executing /etc/runit/1.d/enable-brotli
run-parts: executing /etc/runit/1.d/letsencrypt
[Tue Dec  4 23:27:32 UTC 2018] Domains not changed.
[Tue Dec  4 23:27:32 UTC 2018] Skip, Next renewal time is: Sat Feb  2 18:36:23 U                                                              TC 2019
[Tue Dec  4 23:27:32 UTC 2018] Add '--force' to force to renew.
[Tue Dec  4 23:27:32 UTC 2018] Installing key to:/shared/ssl/                                                         
[Tue Dec  4 23:27:32 UTC 2018] Installing full chain to:/shared/ssl/                                       
[Tue Dec  4 23:27:32 UTC 2018] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Tue Dec  4 23:27:32 UTC 2018] Reload error for :
Started runsvdir, PID is 282
ok: run: redis: (pid 294) 0s
ok: run: postgres: (pid 290) 0s
rsyslogd: command 'KLogPermitNonKernelFacility' is currently not permitted - did                                                               you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http:/                                                              / ]
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.16.0 try                                                              /e/2145 ]
rsyslogd: Could not open output pipe '/dev/xconsole':: No such file or directory                                                               [v8.16.0 try ]
supervisor pid: 291 unicorn pid: 319

(Adam) #373

I just got the email that my cert hasn’t been autorenewing. I checked the logs and found this error: error:CAA record for prevents issuance
Where is my forum, of course.
Any idea what that means?

(Stephen) #374

Check your DNS, it suggests you have a CAA record configured which limits the CAs that can issue a certificate.

If this is for aoda then the following exists: rdata_257 = 0 issue ""

Presumably because another subdomain of has a comodoca certificate. That DNS entry can’t be there if you’re using Let’s Encrypt. CAA entries exist to ensure nobody other than a specified CA can issue a certificate for your domain.


Where did you edit that line? In /var/discourse/templates/web.letsencrypt.ssl.template.yml?


It actually says this in the lines that you quoted :slightly_smiling_face: …“the first line (after #!/bin/bash)”.

However, that comment is from more than 2½ years ago and I don’t use Discourse any more, so I couldn’t tell you whether that edit is still applicable.

Good luck!