Setting up Let's Encrypt in discourse-setup is too fragile

(Agustín Cordes) #1

Yesterday I almost lost my mind trying to figure out why Discourse wouldn’t load after a 100% fresh install on Digital Ocean. No error messages, followed every step by the book, even when I had successfully deployed a test install last year, but no browser could access the page. I was baffled!

The culprit was this seemingly innocent setting LETSENCRYPT_ACCOUNT_EMAIL in discourse-setup. I figured "oh sure, I’ll just put the email and configure Let’s Encrypt later". Of course my assumption was incorrect, although the guide doesn’t mention anything about this. Turns out I couldn’t access Discourse with the IP because SSL is immediately enforced.

So, is it OK if I do a pull request with a big disclaimer for that configuration step? Surely someone else out there must be having the same issue.

(Jeff Atwood) #2

Unlikely – most people entering a value there should know what they are doing. Does it not work?

(Agustín Cordes) #4

I think the parameter is a bit cryptic in its current meaning, especially as a prominent setup step. It didn’t occur to me that simply entering the account email would trigger the whole Let’s Encrypt configuration and enforce SSL right away. Instead of just asking for the email account, perhaps you should state something like “put a Let’s Encrypt email to enable SSL now”.

(Jeff Atwood) #5

I think we’d need a few more reports of this confusion before acting on it.

(Ali) #6

made the same assumption as @AgustinCordes

(Agustín Cordes) #7

YESSS! I’m not dumb :raised_hands:

(Erik Mueller-Harder) #11

I was about to make the same assumption, which would’ve set me back an hour or two, I suspect.

Fortunately, I searched the forum and found this thread.

(Alex Peck) #12

I’m a Johnny-come-lately to this discussion, but I also wasn’t sure what to do with the Let’s Encrypt email in the setup steps, so I searched and found this post. But, even after reading it, I thought I could enter an email address at the Let’s Encrypt step and continue with the install. I thought it would add SSL to the site automatically.

It wasn’t clear to me that I needed to do steps to prep the Let’s Encrypt SSL before entering my email address in the setup step. I still don’t have it working, and my guess is I needed to do these steps before running ./discourse-setup

I’m totally in favor of updating the install guide to be more explicit.

(Jeff Atwood) #13

Nope, that’s not needed, discourse-setup will uncomment the appropriate lines for you, or should, cc @pfaffman

(Alex Peck) #14

Hm… Not sure I understand. (Thanks for the quick reply!)

I did enter my email address in the Let's Encrypt account email field, the same email address I entered in the DISCOURSE_DEVELOPER_EMAILS field.

I only did the steps listed in the install guide.

It sounds like you’re saying my error isn’t Let’s Encrypt related. Is that right?

(Jeff Atwood) #15

I have no idea, what is your actual error?

(Alex Peck) #16

This site can’t be reached – refused to connect.

It sounded to me like the same issue as listed in this thread.

(Jeff Atwood) #17

I definitely suggest rebuilding without HTTPS to start, as it is a simpler configuration. Note that IP addresses CANNOT work with Let’s Encrypt. You need a real domain name. Do you not have a real domain name set up?

Can we run Discourse website only IP address not domain?

(Alex Peck) #18

Good to know about IP addresses.

I’ll try again without HTTPS.

I do have a subdomain set up, but I thought maybe the DNS just hadn’t resolved yet. Same error when I use the domain name: refused to connect.

(Jeff Atwood) #19

If your domain name isn’t set up and resolving properly, Let’s Encrypt will fail super hard.

Perhaps this is something we should mention as a :warning: WARNING in the discourse-setup @pfaffman?

(Eli the Bearded) #20
; IN  A

Which is a no-no as explained here:

(Alex Peck) #21

facepalm Right… so clearly my mistake. I’ll change that to an A record.

(Jeff Atwood) #22

I support adding a super heavy warning here when people enter an email address there in discourse-setup.

Are you sure you want to enable HTTPS now? If your DNS records for {domain} aren’t set up correctly and resolving properly as of right now, this won’t work!

A fancier script could check the DNS in real time, I guess, but that seems overkill-y.

(Jay Pfaffman) #23

Sigh. I considered such checks when I wrote this iteration. If ./discourse-setup were going to be really nice, it would check that the name given resolved to the current IP of the droplet (as it might check that SMTP settings worked). But that check would fail if they were using an elastic IP (or whatever Digital Ocean calls the “permanent” IP that you can route to different hosts).

I don’t know if the code that I might include to test this would have caught this CNAME to an IP, though. And it’s fixed now, and I don’t have easy access to a name server that will do that.

We were writing at the same time. :slight_smile:

If you like, I’ll try to give this a poke later this week, after I get the tax info off to the accountant.

I think it should be easy enough to check if the domain resolves to the current IP and print a BIG UGLY warning if it fails.

(Eli the Bearded) #24

Does dig +short CNAME return anything? If yes, it’s a CNAME. If no, it’s not. I suspect dig is installed normally.
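As an added example (not code from discourse-setup or from anyone in this thread), here is what a pre-flight check along the lines Jay and Eli describe could look like: it uses dig +short CNAME to spot a CNAME whose target is an IP address literal, and dig +short A to see whether the name resolves to the droplet's address. The decision logic is kept in a pure function over dig's text output so it can be exercised with constructed samples and no network. Assumptions: dig is installed, and the caller supplies the droplet's public IP (the elastic/floating IP case Jay mentions is why the mismatch is a warning rather than a hard stop).

```shell
#!/bin/sh
# Added example: DNS sanity check before enabling Let's Encrypt.
# Not part of discourse-setup; assumes `dig` is available and that the
# caller passes the droplet's public IPv4 address as the expected value.

# classify_dns CNAME_OUT A_OUT EXPECTED_IP
#   CNAME_OUT: text returned by `dig +short CNAME $host`
#   A_OUT:     text returned by `dig +short A $host` (with a CNAME chain the
#              address is the last line)
# Prints one verdict word: ok | cname-to-ip | no-a-record | wrong-ip
classify_dns() {
  cname_out=$1; a_out=$2; expected=$3
  ipv4='^[0-9]{1,3}(\.[0-9]{1,3}){3}\.?$'

  # A CNAME whose target is a dotted quad (the record from post #20):
  # resolvers treat the target as a hostname, so nothing usable comes back.
  if [ -n "$cname_out" ] && printf '%s\n' "$cname_out" | grep -Eq "$ipv4"; then
    echo cname-to-ip; return 0
  fi

  # Last line of the A lookup that looks like an IPv4 address.
  addr=$(printf '%s\n' "$a_out" | grep -E "$ipv4" | tail -n 1)
  if [ -z "$addr" ]; then
    echo no-a-record; return 0
  fi
  if [ "$addr" != "$expected" ]; then
    echo wrong-ip; return 0
  fi
  echo ok
}

# dns_preflight HOST EXPECTED_IP: live check wrapping dig. Prints a warning
# and returns non-zero on anything but a clean match, so the setup script can
# ask "are you sure?" instead of silently enabling HTTPS.
dns_preflight() {
  host=$1; expected=$2
  verdict=$(classify_dns "$(dig +short CNAME "$host")" \
                         "$(dig +short A "$host")" "$expected")
  case "$verdict" in
    ok)          echo "DNS for $host resolves to $expected; OK to enable Let's Encrypt." ;;
    cname-to-ip) echo "WARNING: $host is a CNAME pointing at an IP literal. Use an A record; Let's Encrypt will fail." ;;
    no-a-record) echo "WARNING: $host has no A record yet. Let's Encrypt will fail until DNS resolves." ;;
    wrong-ip)    echo "WARNING: $host resolves to a different address than $expected. OK if you use a floating IP; otherwise fix DNS first." ;;
  esac
  [ "$verdict" = ok ]
}

# Constructed samples (documentation addresses, not real hosts) showing the
# four verdicts without touching the network.
demo() {
  echo "A record matches:        $(classify_dns "" "203.0.113.10" "203.0.113.10")"
  echo "CNAME to IP literal:     $(classify_dns "203.0.113.10." "203.0.113.10." "203.0.113.10")"
  echo "CNAME to host, resolves: $(classify_dns "forum.example.net." "forum.example.net.
203.0.113.10" "203.0.113.10")"
  echo "no record yet:           $(classify_dns "" "" "203.0.113.10")"
  echo "points elsewhere:        $(classify_dns "" "198.51.100.7" "203.0.113.10")"
}

# Usage: sh dns_preflight.sh forum.example.com 203.0.113.10
if [ "$#" -ge 2 ]; then
  dns_preflight "$1" "$2"
else
  demo
fi
```

Run with a hostname and the droplet's IP to do a live check, or with no arguments to see the constructed cases. The CNAME-to-IP case is caught from the CNAME lookup alone, so it is reported even when the A lookup returns nothing.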