Site down after enabling SSL


#1

I bought a PositiveSSL from Namecheap today and followed the instructions at:

Which included placing ssl.key and ssl.crt at /var/discourse/shared/standalone/ssl/ and adding the additional templates to app.yml. I have set up the A record to point to the IP Address of the droplet/instance.

The site was running perfectly before on both Google Compute and then on Digital Ocean (for testing) but once I enabled SSL, it went down. If I type in www.hostname.com or the IP address, it resolves to https://hostname.com and gives an “Unable to connect” or “Server not found” error.

There are no errors in the logs. If someone can help, it would be massively appreciated. I have been going at this for 10 hours straight without any luck :anguished:


(Felix Freiberger) #2

Can you post your app.yml here, without the credentials for SMTP?


(cpradio) #3

And do you have a non-www A record defined too?


#4

@cpradio I have 2 TXT records (one SPF and one DKIM for sending mail through Sparkpost) and 1 URL redirect record. However, everything was resolving nicely before the SSL change.


(Felix Freiberger) #5

Can you tell us which hostname your installation should be running at?


#6

@fefrei here are the screenshots:


I was using Google Compute before. I have tried again with DO, but no luck…


(Felix Freiberger) #7

You just pasted your sparkpost password :sadpanda:

Please change that password immediately.


(Felix Freiberger) #8

In the meantime, it looks like @cpradio was right in suspecting a DNS problem. I get SERVFAIL when resolving your hostname – both with and without the WWW.


#9

@fefrei Oops have corrected it. Should I try re-issuing the certificate or should I try fixing the DNS records?


(Felix Freiberger) #10

DNS should be your first priority – as long as this is broken, your server doesn’t even have a chance to present any SSL certificate :slight_smile:


#11

Hmm, the only A record I have is pointed to the DO droplet. I will try with Namecheap support and report back. Thank you guys!


(cpradio) #12

I’m still wondering if your A Record is only handling www. What is the URL Redirect Record handling?

Because if the URL Redirect Record is redirecting to https://yourhost.com, and your A Record is only supporting www., then you are correct that nothing knows how to support it.

I have 2 A records with my setup, one for non-www and one for www.


#13

@cpradio the URL redirect record is pointed to http://www.hostname.com (unmasked) and the host value is ‘@’. Is that ok?


(cpradio) #14

So you are trying to use HTTPS but are redirecting traffic to HTTP? That redirect will definitely need to be HTTPS if you want to enforce HTTPS.

Also, since you are using @, that should cover the second A record (I think, the one for non-www)


#15

@cpradio thanks but unfortunately that’s not solving the issue. When I check the SSL certificate, it is not giving off any errors. Discourse is running from what I see in the logs, but it doesn’t show up on the hostname or IP.

One thing that I noticed was I don’t have these two files:
/etc/nginx/conf.d/discourse.conf
and
/var/www/discourse/config/discourse.conf

Could that be connected?


(cpradio) #16

Wait, are you running other sites on the machine hosting Discourse too? If you aren’t, you don’t need web.socketed.template.yml, if you are, did you check the nginx configuration (or whatever HTTP server you are using) on the actual server to verify it is permitting HTTPS to pass through to Discourse?

These would be inside the container. Did you run ./launcher enter app before searching for those configuration files?


#17

@cpradio no I am only running Discourse and am not using the socket template. The strange thing is that my other domains work using the SSL with the exact same settings. I am trying with Namecheap support but it’s a weird bug - one SSL domain resolves using the same settings while another does not.

Thanks for your help!


#18

I solved the issue by removing the URL redirect. The bare redirect was creating a loop due to nginx. Hope this helps someone in future.

A big thank you to @cpradio and @fefrei for their help!
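
The redirect problem discussed in this thread, as an added Python example that is not part of any post or of Discourse's own code: it traces a redirect chain and flags loops, HTTPS-to-HTTP downgrades and hosts that never answer. The redirect tables are constructed; the nginx redirect to the canonical HTTPS host and the registrar's redirect service answering for the bare host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed redirect tables. Value = Location header returned for that URL,
# None = content is served, missing key = nothing answers (connection fails).
BROKEN_HOPS = {
    # Registrar "URL redirect" record on host '@' (as described in post #13).
    "http://hostname.com/": "http://www.hostname.com/",
    # Assumption: nginx in the container redirects to the canonical HTTPS host.
    "http://www.hostname.com/": "https://hostname.com/",
    "https://www.hostname.com/": "https://hostname.com/",
    # Assumption: the registrar's redirect service also answers for the bare host.
    "https://hostname.com/": "http://www.hostname.com/",
}
# After removing the URL redirect: the bare host reaches the server directly.
FIXED_HOPS = {
    "http://hostname.com/": "https://hostname.com/",
    "http://www.hostname.com/": "https://hostname.com/",
    "https://www.hostname.com/": "https://hostname.com/",
    "https://hostname.com/": None,
}

def trace(start, hops, max_hops=10):
    """Follow redirects from start and return (chain, findings)."""
    chain, findings, seen = [start], [], {start}
    url = start
    for _ in range(max_hops):
        if url not in hops:
            findings.append(f"unreachable: {url}")
            break
        nxt = hops[url]
        if nxt is None:
            break  # final response, chain ends cleanly
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        chain.append(nxt)
        if nxt in seen:
            findings.append(f"loop: back at {nxt}")
            break
        seen.add(nxt)
        url = nxt
    else:
        findings.append("too many redirects")
    return chain, findings

if __name__ == "__main__":
    for name, table in (("broken", BROKEN_HOPS), ("fixed", FIXED_HOPS)):
        chain, findings = trace("http://www.hostname.com/", table)
        print(name, " -> ".join(chain), findings or "ok")
```

To run the same check against a live site, the table lookup can be replaced with a request that does not follow redirects automatically and reads the `Location` header of each response.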