Setting up Let’s Encrypt with Multiple Domains

Safari 7 and 8 are not supported anymore, so by default we do not use the weak SSL ciphers required by those old browsers. I’m quite sure Discourse would be completely broken on those Safari versions, and it would weaken security for every other user. You might also take a look at SSL/TLS errors on very old browsers connecting to Discourse and the following posts for more information.


Hi, I’m trying to make HTTPS work everywhere:

However,

Firefox does not trust this site because it uses a certificate that is not valid for eqlzr.org. The certificate is only valid for the.eqlzr.org.

Error code: SSL_ERROR_BAD_CERT_DOMAIN

This is how app.yml looks:

hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/paviliondev/discourse-topic-previews.git
  after_web_config:
    - replace:
        filename: /etc/nginx/nginx.conf
        from: /sendfile.+on;/
        to: |
          server_names_hash_bucket_size 64;
          sendfile on;
    - file:
        path: /etc/nginx/conf.d/discourse_redirect_1.conf
        contents: |
          server {
            listen 80;
            server_name eqlzr.org;
            return 301 $scheme://the.eqlzr.org$request_uri;
          }
    - file:
        path: /etc/nginx/conf.d/discourse_redirect_2.conf
        contents: |
          server {
            listen 80;
            server_name www.eqlzr.org;
            return 301 $scheme://the.eqlzr.org$request_uri;
          }
  after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /--keylength/
        to: "-d eqlzr.org -d www.eqlzr.org -d the.eqlzr.org -d --keylength"
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /return 301 https.+/
        to: |
          return 301 https://$host$request_uri;
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /gzip on;[^\}]+\}/m
        to: |
          gzip on;
          add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain

The Firefox error is telling you the correct problem. For whatever reason the certificate has not been issued to include the additional domains. Have you rebuilt the container?


Try following the Debugging section over here Setting up HTTPS support with Let's Encrypt and make sure you can see your other domains getting issued.

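The debugging step above comes down to confirming that the certificate Let's Encrypt actually issued lists every domain. As an added example that is not part of the original thread, this Python script fetches the live certificate's subjectAltName and reports which expected hostnames (assumed from the poster's app.yml) it does not cover, applying the same single-label wildcard rule browsers use; the SAN list in the comments is constructed.

```python
import socket
import ssl

# Hostnames the poster's app.yml asks Let's Encrypt to cover (assumed from the post).
EXPECTED_HOSTS = ["eqlzr.org", "www.eqlzr.org", "the.eqlzr.org"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match. A '*' is accepted only as the whole
    leftmost label and matches exactly one label (the RFC 6125 rule browsers
    apply), so '*.eqlzr.org' covers 'www.eqlzr.org' but not 'eqlzr.org'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def missing_hosts(san_entries, expected) -> list:
    """Return the expected hostnames not covered by any DNS entry in san_entries.
    san_entries uses ssl.getpeercert()'s shape, e.g. (("DNS", "the.eqlzr.org"),);
    a constructed list like that reproduces the Firefox error from the thread."""
    dns_names = [value for kind, value in san_entries if kind == "DNS"]
    return [h for h in expected
            if not any(hostname_matches(n, h) for n in dns_names)]


def fetch_san(host: str, port: int = 443):
    """Fetch the live certificate's subjectAltName. Chain validation stays on,
    but the hostname check is disabled so we still get the certificate when
    it was issued for the wrong name (exactly the situation being debugged)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else EXPECTED_HOSTS[0]
    gaps = missing_hosts(fetch_san(host), EXPECTED_HOSTS)
    print("certificate covers all expected hosts" if not gaps
          else f"not covered by the certificate: {gaps}")
```

Run it against each domain separately: the redirect-only vhosts in the thread answer on port 80, so a name that never reaches the TLS listener shows up as a connection error rather than a SAN gap.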

Due to the major upgrade in Discourse and some plugins catching up, I didn’t want to rebuild my installation lightly. Today I sat down and, after some trial and error…

Grrrrr there was an extra “-d” that I accidentally left when copying the code in the first post.

This solved the HTTPS problem, but there was still one problem: eqlzr.org and www.eqlzr.org wouldn’t redirect to the.eqlzr.org. I solved it by commenting out Step 2 above, which seems to conflict with the after_web_config rules from Redirect single/multiple domain(s) to your Discourse instance.

It works now. Thank you @brahn for this very useful piece of code!
