SSL install confusion


(Alex "Rota" Freeman) #1

Hello, I’m new to Discourse as well as Ubuntu, but have Unix experience. I have been able to successfully install and configure Discourse on the system, but am stuck trying to get my SSL certs installed.


The link above has some confusing text and I’m left with a log telling me that the ssl.crt can not be found.

My confusion is where in the /var/discourse/ directory should these certs go?

My confusion started with the line at “Configure NGINX” where it says “Add a reference to the nginx ssl template from your app.yml configuration file:” I do not know what this means.

I believe this is where my process breaks down. Is there a conf file somewhere that needs to be linked to the app.yml?

Troubleshooting, I tried adding the certs in /shared/ssl/ directories all over the place, like:
/var/discourse/shared/ssl/
/var/discourse/containers/shared/ssl
/var/discourse/shared/standalone/ssl
I get an fopen error about /shared/ssl/ssl.crt

I created ssl.crt and ssl.key using cat and placed them in the dirs above with no success.

Any help is welcome. I’ve googled around this and am still stuck.

Thanks,
-Alex


(Jay Pfaffman) #2

The easiest way to get SSL is to use Let’s Encrypt. The standard install script will do all the work for you, though it does require a bit of care and feeding to maintain. (That is, you need to ./launcher rebuild app at least once a quarter to get a new cert.) If you’re doing a new install, just delete containers/app.yml, run ./discourse-setup and give it an email address when it asks for the letsencrypt_account_email.

@sam, perhaps that HOWTO should have a note at the top that Let’s Encrypt is probably easier for most folks.

If you started by running ./discourse-setup then it created /var/discourse/containers/app.yml. You need to edit it to enable the ssl template, though if you’re getting an error about not being able to find the certs, then you have apparently done that.

If you have certs that you have paid for and want to use, then you need to get the right .key and .crt files generated using whatever instructions your cert provider gives you. Then you stick them in /var/discourse/shared/standalone/ssl.


#3

You just have to place the crt and the key in /var/discourse/shared/standalone/ssl/ (the first time, you’ll have to create the ssl folder), only there.

Edit the app.yml, adding the lines - "templates/web.ssl.template.yml" and - "443:443" at the right spot. During the ./launcher rebuild app it will be a bit longer than usual.

If you bought your cert from Namecheap, there is a ca_bundle to concatenate; I explained the process here.

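As an added example (not from this thread and not part of Discourse itself), the following POSIX shell pre-flight script does the checks a practitioner would want before running ./launcher rebuild app with a purchased certificate, following posts #2 and #3: it concatenates the leaf certificate with the provider's CA bundle into ssl.crt (leaf first), confirms that ssl.crt and ssl.key sit in /var/discourse/shared/standalone/ssl/ with a key that is not world-readable, and confirms that app.yml has the web.ssl.template.yml entry and the 443:443 mapping as active (uncommented) list items. The function names and the DISCOURSE_ROOT override are assumptions for illustration; the paths and the two app.yml lines are the ones named in the thread.

```sh
#!/bin/sh
# Added example, not part of the thread or of Discourse itself.
# Pre-flight checks for a manually installed certificate in a standard
# /var/discourse docker install. DISCOURSE_ROOT is an assumed override so the
# same functions can be pointed at a scratch directory.
DISCOURSE_ROOT="${DISCOURSE_ROOT:-/var/discourse}"

# assemble_chain LEAF BUNDLE OUT
# Writes OUT as the leaf certificate first, then the CA bundle (intermediates).
# That is the order nginx expects in the certificate file.
assemble_chain() {
    leaf="$1"; bundle="$2"; out="$3"
    {
        cat "$leaf"
        # If the leaf file has no trailing newline, add one so the two
        # PEM blocks do not run together on one line.
        [ -n "$(tail -c1 "$leaf")" ] && echo
        cat "$bundle"
    } > "$out"
    chmod 644 "$out"
}

# check_ssl_dir [DIR]
# Returns 0 when DIR holds ssl.crt (PEM) and ssl.key, and the key is not
# world-readable. Prints each problem found and returns 1 otherwise.
check_ssl_dir() {
    dir="${1:-$DISCOURSE_ROOT/shared/standalone/ssl}"
    status=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$dir/ssl.crt" ] || { echo "missing $dir/ssl.crt"; status=1; }
    [ -f "$dir/ssl.key" ] || { echo "missing $dir/ssl.key"; status=1; }
    if [ -f "$dir/ssl.crt" ] && ! grep -q 'BEGIN CERTIFICATE' "$dir/ssl.crt"; then
        echo "$dir/ssl.crt is not PEM (expected -----BEGIN CERTIFICATE-----)"
        status=1
    fi
    # -perm -o=r is POSIX find syntax: matches if "others" have read permission.
    if [ -f "$dir/ssl.key" ] && [ -n "$(find "$dir/ssl.key" -perm -o=r)" ]; then
        echo "$dir/ssl.key is world-readable; run: chmod 600 $dir/ssl.key"
        status=1
    fi
    return $status
}

# check_app_yml [FILE]
# Returns 0 when app.yml has the ssl template and the 443 port mapping as
# active (uncommented) list items, which is what post #3 asks you to add.
# A line such as  #- "templates/web.ssl.template.yml"  does not count.
check_app_yml() {
    yml="${1:-$DISCOURSE_ROOT/containers/app.yml}"
    status=0
    [ -f "$yml" ] || { echo "missing $yml"; return 1; }
    grep -Eq '^[[:space:]]*-[[:space:]]*"templates/web\.ssl\.template\.yml"' "$yml" \
        || { echo "$yml: add  - \"templates/web.ssl.template.yml\"  under templates:"; status=1; }
    grep -Eq '^[[:space:]]*-[[:space:]]*"443:443"' "$yml" \
        || { echo "$yml: add  - \"443:443\"  under expose:"; status=1; }
    return $status
}

# Usage (assumed file name): . ./ssl-preflight.sh && check_ssl_dir && check_app_yml
```

Run both checks and only rebuild when they pass; a "missing" or "world-readable" line tells you exactly which of the thread's two steps (file placement or app.yml edit) is still wrong. The script deliberately checks only the layout; to confirm the certificate actually names your forum's hostname (the NET::ERR_CERT_COMMON_NAME_INVALID case mentioned later in the thread), inspect the subject and SAN with OpenSSL, e.g. `openssl x509 -in /var/discourse/shared/standalone/ssl/ssl.crt -noout -subject -ext subjectAltName` (the -ext option needs OpenSSL 1.1.1 or newer).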

(Alex "Rota" Freeman) #4

Thanks, Steven and Sam,

It’s working better, but now I get the “NET::ERR_CERT_COMMON_NAME_INVALID” which I think is unrelated to docker or discourse. :slight_smile:

Thanks again!
-Alex the Rota

Hm. Other than the cert error, I can no longer log in to my discourse site. When I click login it refreshes the page. Seems related to the last thing I did. I was able to login as expected before installing the certs. I may need to open a new ticket, but I feel like this is related to this ticket.

It’s the unconfigured SSO plugin! Derp!


(Felix Freiberger) #5

If you’re still fighting this, simply visit /users/admin-login to log in as an admin via mail.


(Alex "Rota" Freeman) #6

Hi Felix.

I did have a moment of panic and fearful dread that I might need to do the install again :wink: But seriously, that login worked like a charm. Let me tell you working with vBulletin and overcoming the same issue would have been a lot more complicated, if that software actually had SSO capacity anyway…

Thanks for the tip, I hope it helps anyone else who can not log in to their Discourse admin account. :slight_smile:

All the best,
-Alex the Rota


(ljpp) #7

I’ve been following the Let’s Encrypt discussion for some time, but never fully understood the cert renewal issues people are having. Are you saying that the renewal issues only concern the automatic renewal, but manual renewal via ./launcher rebuild is working at 100%?


(Jay Pfaffman) #8

I believe that is true, @tgxworld?


(Alan Tan) #9

Nope this isn’t true. There is a cron job installed which handles the cert renewal process.


(ljpp) #10

This wasn’t the question.

What I asked was regarding the reliability of cert renewal during a ./launcher rebuild process? There seems to be some random issues with the automatic cron job solution, so I want to confirm whether this manual approach is 100% reliable.


(Alan Tan) #11

Hmm I should have quoted @pfaffman.

The reliability of the above is now the same as the reliability of the cron job that renews the cert.