Setting up Let’s Encrypt with Multiple Domains

Unfortunately disabling SSL did not work and I don't know why :frowning: (more info in the post above)

Do you still have port 80 exposed?

Yes, 80 is exposed. Even though Discourse should work only on 80, it keeps redirecting me to https and I don't know why.

If your browser once found https it will want it forever. You might try another browser or perhaps clear your cache.

OK, now Discourse in multisite without SSL works for sure.

After the rebuild and the changes made to SSL (config above), the second site gets redirected to the first site :frowning:
I cleared all data in the browser and the problem still exists.

Here's my test Discourse installation: d1.fajferek.pl - d2.fajferek.pl

Inside the container, have a look at /etc/nginx/conf.d/discourse.conf and see what the rewrite shows. Maybe the replace is not working correctly anymore?

Also, what if this failed before and you now have cached certs?

See this comment about using FORCE=1


In /etc/runit/1.d/letsencrypt I only found my first domain, and also in discourse.conf there are none of the changes made in app.yml ;(

Is there any other way to replace this via app.yml?

Perhaps there is a problem with your app.yml then? I believe it can be sensitive to formatting. Double check for space/tabs in the wrong place, indenting, etc.

Maybe the blank line between the after_ssl and the - replace: matters?

after_ssl:

    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /-k 4096 -w \/var\/www\/discourse\/public/
        to: |
           -d www.domain1.com -d domain1.com -d www.domain2.com -d domain2.com -k 4096 -w /var/www/discourse/public

(from your earlier pastebin)

This is the most appropriate way I have found.

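An added example (not code from this thread or from the Discourse project) showing what the after_ssl replace hook above actually does, and the check worth running inside the container after a rebuild: it applies the same substitution to a constructed stand-in for /etc/runit/1.d/letsencrypt, then verifies that every hostname appears as its own -d argument, and fails loudly when the 'from' pattern no longer matches, which is the silent failure you get when the upstream template changes. The sample script contents and the --keylength flag in the "changed" sample are assumptions constructed for this example, not the real template.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Discourse
# project: it simulates the after_ssl "replace" hook from the app.yml above
# against a constructed copy of /etc/runit/1.d/letsencrypt and then checks
# that every expected hostname ended up as a -d argument. Both sample scripts
# below are constructed stand-ins; the real file in your container will differ.

# Apply the hook's substitution: insert "-d host" flags in front of the
# "-k 4096 -w /var/www/discourse/public" fragment. Prints the rewritten
# script on stdout. Returns 1 when the 'from' pattern matched nothing, which
# is what happens silently when the upstream template changes.
apply_le_replace() {
    _input="$1"; shift
    _domains=""
    for _d in "$@"; do
        _domains="${_domains:+$_domains }-d $_d"
    done
    _out=$(printf '%s\n' "$_input" |
        sed "s|-k 4096 -w /var/www/discourse/public|$_domains -k 4096 -w /var/www/discourse/public|")
    if [ "$_out" = "$_input" ]; then
        echo "apply_le_replace: 'from' pattern not found, script unchanged" >&2
        return 1
    fi
    printf '%s\n' "$_out"
}

# Verify that each hostname is requested as its own "-d host" argument
# (a bare substring match would accept "-d www.domain1.com" for "domain1.com").
# Returns 0 when all are present, 1 otherwise, naming the missing ones on stderr.
check_le_domains() {
    _script="$1"; shift
    _rc=0
    for _d in "$@"; do
        _pat=$(printf '%s' "$_d" | sed 's/\./\\./g')
        if ! printf '%s\n' "$_script" |
             grep -qE -- "(^|[[:space:]])-d $_pat([[:space:]]|$)"; then
            echo "check_le_domains: missing -d $_d" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Constructed stand-in for the letsencrypt run script the hook was written for.
SAMPLE_LE_SCRIPT='#!/bin/bash
/shared/letsencrypt/acme.sh --issue -d discourse.example.com -k 4096 -w /var/www/discourse/public'

# Constructed stand-in for a changed template (different key flag, an
# assumption for this example), which the hook above cannot match.
CHANGED_LE_SCRIPT='#!/bin/bash
/shared/letsencrypt/acme.sh --issue -d discourse.example.com --keylength ec-256 -w /var/www/discourse/public'

# Demo: rewrite, then verify, as you would after "./launcher rebuild app"
# (inside the container you would cat the real file instead of the sample).
if rewritten=$(apply_le_replace "$SAMPLE_LE_SCRIPT" www.domain1.com domain1.com www.domain2.com domain2.com); then
    check_le_domains "$rewritten" www.domain1.com domain1.com www.domain2.com domain2.com &&
        echo "all hostnames present in the rewritten script"
fi
apply_le_replace "$CHANGED_LE_SCRIPT" www.domain1.com >/dev/null ||
    echo "changed template: hook did not apply, only the primary host would be requested"
```

Inside the container, pass the real file instead of the sample (`check_le_domains "$(cat /etc/runit/1.d/letsencrypt)" host1 host2`): a non-zero exit means the hook did not apply, and the certificate will be issued for the primary hostname only.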

Hi, I followed your guide step by step, but I can't find the nginx folder and the discourse.conf file. My current installation works fine without www (and I want to keep that URL as the main hostname), but if I visit my domain with "www" it doesn't work and I get an error (you can see it here)

I installed Discourse from Docker on an Ubuntu 18 VPS (DigitalOcean). As I said, I want to use mydomain.net as the main hostname, but I also want 'www' working, redirecting to mydomain.net.

PS: I already added an A record "www" pointing to my server IP.

One question: we just moved domains from domain1 to domain2.
Because domain1 was using SSL, I'm having HSTS problems with the redirect, so I assumed this (the above) would help.

I followed the instructions and everything appears to be set up correctly. If I cat /etc/runit/1.d/letsencrypt in the container, I see the additional domains etc.

But when I visit my domain1.com I'm still getting a bad SSL/HSTS issue. Any ideas? Am I barking up the wrong tree?

I was trying to avoid having to host a separate apache or nginx instance for just 301 redirects.

Can I safely do it on an existing forum? Do I have to do the same steps or not?

I’ve just done it on two (existing) sites and the updated app.yml additions seem to work fine!

@brahn thanks for documenting this, it was really useful!

The first post should really be converted to a wiki so these additions can be kept up-to-date.


Good idea! It is now a wiki!


Thanks Jeff, I’ve updated the first post with @brahn’s updates from Jul '17


I've got a suspicion something's changed here: this script no longer works fully. One of my subdomains isn't working anymore. I'll investigate when I have more time. But FYI, and perhaps someone will know something...


Yeah, looks like the web.letsencrypt.ssl.template.yml has changed recently and the after_ssl replace hook will no longer work. Unless someone else fixes it first I will eventually get to it but I am swamped at the moment so it might take a few weeks.


Since this commit from @gerhard, the subject alternate names are no longer added, due to the implementation of ECC. This effectively breaks any multisite installations which use the above method. cc: @sam


:crying_cat_face: A site that I just attempted to upgrade is no longer getting certs at all.

EDIT: Just saw @gerhard’s edit. I’ll give it a shot in a minute and report back.


Yeah, the edit in the OP is untested, but I think it should work. I’d like to make this less fragile… maybe I can add some kind of env variable for all the hostnames, so that the hacky replace isn’t needed anymore.

And sorry for the problems this new elliptic curve certificate caused. I didn’t know that this Howto topic existed, otherwise I would have been more careful. :blush:


Thanks, @gerhard! I can confirm that it works!

The site that I just upgraded works for both example.com and https://www.example.com (which redirects to apex domain).
