SSL Problems with Facebook-Auth


(Daniel Nevoigt) #1

Hello all,

I am getting problems with Facebook-Auth for my Discourse installation. I have set up everything as the tutorials said, and the Facebook app is also set up with everything needed. When clicking on register and choosing Facebook, the following error comes up:

Then, when clicking OK, I get the following notice from my Discourse installation:

Means: Sorry, there was an error authorizing your account. Did you perhaps deny authorisation?

The installation is completely running on SSL, I don't know how it can be possible that Facebook is crying about an insecure connection. When adding Google auth I had the same issue, but at Google I could set http for the callback address and it worked. So there is somehow a problem with my configuration I guess, but I don't know where and what I can do…
Discourse is running as a Docker image on an Ubuntu 16.04 system, Let's Encrypt SSL cert.

I would be really happy if someone could help me with that problem.

Thanks a lot in advance.
Daniel


(Frederik) #2

Did you specify https in the Facebook settings?

So all links back to your forum are using: https://


(Daniel Nevoigt) #3

Yes, just checked again, all links are using https://


(Daniel Nevoigt) #4

When going through the admin error logs, I can see the following error:

I don't think it has to do with the actual error, but better to post it.

EDIT ++ additional info:


(Joshua Rosenfeld) #5

Have you enabled force https in site settings?


(Daniel Nevoigt) #6

Yes, it is also enabled.
EDIT:

Well, now I logged off my admin account, which had been logged in since yesterday when I was activating that force https. I wanted to try registration via Facebook with another browser. Still does not work, and now I also cannot log in as admin anymore. When trying to log in I get redirected to the forum without SSL and nothing happens when using Firefox; with Internet Explorer and Chrome it says: Unknown Error


(Daniel Nevoigt) #7

Ok, so to regain access I had to disable force https in the Rails settings.
Now I am back at the starting point. Is anyone able to help with that problem?


(Daniel Nevoigt) #8

I now also have problems with mixed content warnings, and the preview of the editor is not working because of that when using https. Well, in the following I will write down again everything I have spotted with that installation, in the hope that someone is willing to help me out.

  • Discourse is running in a Docker container
  • In Plesk I enabled Let's Encrypt + force redirect 301 http to https
  • In admin, force https is not working; after enabling it I cannot log in anymore
  • When on https, the preview of the editor is not working because it wants to load scripts over insecure connections
  • Facebook login/register also does not work; it comes up with the error posted above, probably because it loads something over http
  • Docker proxy rule is set up

My app.yml looks like that:

## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
#  - "templates/web.ssl.template.yml"
#  - "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "7900:80"   # http

params:
  db_default_text_search_config: "pg_catalog.english"

  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  #db_shared_buffers: "256MB"

  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"

  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed

env:
  LANG: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  #UNICORN_WORKERS: 3

  ## TODO: The domain name this Discourse instance will respond to
  DISCOURSE_HOSTNAME: 'my.forum.url'

  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  #DOCKER_USE_HOSTNAME: true

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'user1@example.com'
  LETSENCRYPT_ACCOUNT_EMAIL: 'user1@example.com'

  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  DISCOURSE_SMTP_ADDRESS: "my.ip.address"         # required
  DISCOURSE_SMTP_PORT: 25                        # (optional, default 587)
  DISCOURSE_SMTP_USER_NAME: "my.email.address"      # required
  DISCOURSE_SMTP_PASSWORD: "my.password"               # required, WARNING the char '#' in pw can cause problems!
  DISCOURSE_SMTP_ENABLE_START_TLS: false           # (optional, default true)

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: me@example.com

  ## The CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: //discourse-cdn.example.com

## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/davidtaylorhq/discourse-whos-online.git
          - git clone https://github.com/discourse/discourse-solved.git
          - git clone https://github.com/gdpelican/babble.git
          - git clone https://github.com/discourse/discourse-staff-notes.git
          - git clone https://github.com/angusmcleod/discourse-events.git

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
  - exec: echo "End of custom commands"

So, that's everything I know :slight_smile: Please help me to finally get it running with SSL. I think that should also fix the problem with Facebook Auth…

Again thank you very much in advance!
Daniel


(Felix Freiberger) #9

So there is a proxy in front of Discourse? Which headers are you passing to Discourse?
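
One way to answer the headers question for an nginx proxy in front of the container, as an added example that is not part of the thread: it parses an nginx config and lists which forwarding headers each `proxy_pass` does not send. The header set, the sample config and the `127.0.0.1` upstream are assumptions; `7900` and `my.forum.url` are taken from the app.yml above.

```python
import re

# Headers the backend needs to learn the original scheme, host and client
# (an assumed set for this example, not taken from the thread).
REQUIRED = ("Host", "X-Forwarded-For", "X-Forwarded-Proto")

# Constructed sample config: TLS ends at nginx, the container gets plain HTTP.
SAMPLE_WEAK = """
server {
    listen 443 ssl;
    server_name my.forum.url;
    location / {
        proxy_pass http://127.0.0.1:7900;   # port from the app.yml expose line
        proxy_set_header Host $http_host;
    }
}
"""
# Same config with the forwarding headers added.
SAMPLE_FIXED = SAMPLE_WEAK.replace(
    "proxy_set_header Host $http_host;",
    "proxy_set_header Host $http_host;\n"
    "        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n"
    "        proxy_set_header X-Forwarded-Proto $scheme;",
)


def audit_proxy_headers(conf):
    """Map each proxy_pass target to the REQUIRED headers it does not send."""
    conf = re.sub(r"#[^\n]*", "", conf)   # drop comments (quoted '#' not handled)
    stack = [set()]                        # header names set at each open block level
    pending = []                           # (target, levels innermost-first)
    for stmt, sep in re.findall(r"([^;{}]*)([;{}])", conf):
        words = stmt.split()
        if sep == "{":
            stack.append(set())
        elif sep == "}":
            if len(stack) > 1:
                stack.pop()
        elif words[:1] == ["proxy_set_header"] and len(words) >= 3:
            stack[-1].add(words[1].lower())
        elif words[:1] == ["proxy_pass"] and len(words) >= 2:
            pending.append((words[1], stack[::-1]))
    report = {}
    for target, levels in pending:
        # nginx inherits proxy_set_header from an outer level only when the
        # current level defines none, so the first non-empty level wins.
        effective = next((s for s in levels if s), set())
        report[target] = [h for h in REQUIRED if h.lower() not in effective]
    return report
```

Running it over the output of `nginx -T` on the host covers included files as well, since that command dumps the full effective configuration.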


(Daniel Nevoigt) #10

@fefrei I have not setup that installation, could you please tell me, where I can see which headers I am passing to Discourse?


(Felix Freiberger) #11

Is Nginx installed and running on your server (outside of Discourse’s container)? If not, can you find out which process is listening on ports 80 and 443?


(Daniel Nevoigt) #12

If I remember right, my friend told me he had installed nginx inside, because there was a Plesk-related problem outside, but I am not sure atm.
The following stuff I could find out:

/var/discourse/templates$ lsof -i :80
COMMAND     PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
docker-pr 48583  root    6u  IPv4 5498423      0t0  TCP 172.17.0.1:44224->172.17.0.2:http (ESTABLISHED)
docker-pr 48583  root    9u  IPv4 5498435      0t0  TCP 172.17.0.1:44230->172.17.0.2:http (ESTABLISHED)
nginx     52743 nginx   41u  IPv4 3791715      0t0  TCP server.***.com:http (LISTEN)
nginx     55224  root   41u  IPv4 3791715      0t0  TCP server.***.com:http (LISTEN)
/var/discourse/templates$ lsof -i :443
COMMAND    PID           USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
gunicorn 29738 allianceserver   17u  IPv4 4963001      0t0  TCP server.***.com:36378->164.214.186.35.bc.googleusercontent.com:https (CLOSE_WAIT)
gunicorn 29740 allianceserver   19u  IPv4 4963090      0t0  TCP server.***.com:36440->164.214.186.35.bc.googleusercontent.com:https (CLOSE_WAIT)
celery   29748 allianceserver   14u  IPv4 5485875      0t0  TCP server.***.com:51096->164.214.186.35.bc.googleusercontent.com:https (CLOSE_WAIT)
nginx    52743          nginx    4u  IPv4 5470918      0t0  TCP server.***.com:https->p2E568B87.dip0.t-ipconnect.de:57289 (ESTABLISHED)
nginx    52743          nginx   40u  IPv4 3791714      0t0  TCP server.***.com:https (LISTEN)
nginx    52743          nginx   48u  IPv4 5472043      0t0  TCP server.***.com:https->p2E568B87.dip0.t-ipconnect.de:57325 (ESTABLISHED)
nginx    55224           root   40u  IPv4 3791714      0t0  TCP server.9***.com:https (LISTEN)

Allianceserver is a software called Alliance Auth for Eve Online, which is like an authentication service for players, to login with the ingame accounts. Hope that helps.


(Daniel Nevoigt) #13

Well, I was trying the last few days, and reading and learning :slight_smile:
I did understand that running Discourse in a Plesk environment is a bit tricky, so the people say. To be honest, I could not rebuild the install I actually have on my server. But I have more information, and the right information, I hope at least.

(When trying to rebuild that install on a local test environment I always ended up with a 502 Bad Gateway response from Nginx, so I am still missing one thing my mate did when setting it up. I can reach the working installation when entering the domain or IP + :(Port), but when enabling the Plesk Nginx proxy setting, I get those errors.)

Well, that's not the point for that theme, here I am trying to set up that running environment using SSL without errors.

So as mentioned above we have:

expose:
  - "7900:80"   # http

But why was he not exposing the https port too?
The second question is about the templates called in app.yml.

#  - "templates/web.ssl.template.yml"
#  - "templates/web.letsencrypt.ssl.template.yml"

Both are commented out, why?

My question now is, what happens when I expose the https port too? For example:

expose:
  - "7900:80"   # http
  - "9443:443"   # https

Then, as a second option, enable those SSL templates and rebuild the app. What will I get out of that? Will that work for me? To recall, I had SSL working, but I could not activate force https in admin, plus I got errors from mixed content, the preview of the editor was not working, and neither were the auth callbacks for Google and Facebook.

Please, could someone point me in the right direction? I also don't want to do trial and error on that installation, as it is working for me without SSL.

Cheers, Dan