SSL working on root, but not on www


(Ruxan) #1

I've completed letsencrypt setup and it's working good…

but problem is, everything is ok until I try with www

msg is “this server is not secured”

how can I fix this?


(Dion Beukes) #2

Hi, when you created your certificate, did you list all the domains you have on there? When you create a certificate with letsencrypt you need to list all the domains and subdomains on there that you want the certificate to be valid for. For example, … example.com is regarded as the root domain, and www is regarded as a subdomain, therefore when you create the certificate you need to list example.com, www.example.com, shop.example.com etc. I guess you did not set www.???.??? on your certificate when you created it, and so the certificate is invalid for the subdomain www.


(Ruxan) #3

Can I request a new cert, this time adding www?

When I go to acme.sh I can see example.com and www.example.com

Problem is, also when typing www.example.com I get redirected to example.com

I still didn't check force ssl


(Dion Beukes) #4

How do you host your discourse instance? How is your server set up?


(Ruxan) #5

It's on a Linux server that I bought @ vultr.com :slight_smile:

It's on Docker


(Dion Beukes) #6

I think it must have been when you set up your discourse in the beginning: “Enter the hostname you’d like to use for Discourse”. You might have selected the root of your domain in the setup and maybe that's why it throws you back to that every time you put in www.


(Jay Pfaffman) #7

I don’t think that the letsencrypt module supports multiple domain names, right @tgxworld?


(Ruxan) #8

Well, for me I'm ok only with www.example.com

What should I do to fix this? Change the hostname of Discourse??


(Jay Pfaffman) #9

Right. Make the name in app.yml the name you want. It would arguably be good if you could pass Let’s Encrypt multiple host names, or prepend www by default, but most people run their forum on forum.example.com, so this doesn’t come up much.

You need to rebuild after you make the changes.


(Ruxan) #10

Now it makes sense why I'm having this problem…

but I don't want discourse on a subdomain, the main domain is what I'm aiming for :smiley:

Yesterday I changed the hostname in app.yml from example.com to www.example.com

but after the rebuild, ssl was all mad at me, probably because the ssl cert is pointing at example.com?

Then I returned app.yml to example.com and now I'm trying to figure out what to do :slight_smile:

So, I should edit back to www.example.com, then request a new certificate… now that's the problem, I don't know how to do it :slight_smile:

I'm afraid I'm gonna break what I have now…


(Jay Pfaffman) #11

You know what to do. Now you understand that the certificate must match the host name you want to use.


(Ruxan) #12

Can you please point me to the recert part?

I do it with acme.sh, what command :smiley:


(Jay Pfaffman) #13

Edit: I thought that you were using the Discourse Let’s Encrypt module.

If you used acme.sh, then just use it again and enter both host names as suggested below.


(Ruxan) #14

I did that, but when I tried to enter www.example.com, I got “this server is not secure”, procedure…

So the next logical step is to reissue the certificate and enter www.example.com instead of example.com

How do I do that?

    root@crypto:/var/discourse# /var/discourse/shared/standalone/letsencrypt/acme.sh --cron --home "/var/discourse/shared/standalone/letsencrypt"
    [Mon Jan 30 23:20:32 UTC 2017] Renew: 'example.com'
    [Mon Jan 30 23:20:32 UTC 2017] Skip, Next renewal time is: Fri Mar 31 10:41:13 UTC 2017
    [Mon Jan 30 23:20:32 UTC 2017] Add '--force' to force to renew.
    [Mon Jan 30 23:20:32 UTC 2017] Skipped example.com
    [Mon Jan 30 23:20:32 UTC 2017] Renew: 'www.example.com'
    [Mon Jan 30 23:20:32 UTC 2017] Skip, Next renewal time is: Fri Mar 31 18:54:09 UTC 2017
    [Mon Jan 30 23:20:32 UTC 2017] Add '--force' to force to renew.
    [Mon Jan 30 23:20:32 UTC 2017] Skipped www.example.com

From what I can see here, it skipped www.example.com?


(Dion Beukes) #15

Do you have www in an A record on your DNS? You must have a DNS A record with www pointing to your IP address. Some domain registrars/zone records would automatically point www to your IP even if you don’t have www set as an A record; if that is the case it means there is a redirect, so if you put www.example.com in your browser, your DNS is redirecting it to your IP just on example.com, and because your server listens on port 80 and 443, any requests coming in would be served whether it was on www or example.com. Also, from what I can see, with letsencrypt you need to do a new certificate issue and not a renew; with renew, letsencrypt will check if the certificate you have is due for renewal, and if it's not it will just exit and do nothing.


(Ruxan) #16

Thanks for clearing that for me, @dionbeukes

Tell me, should I totally remove ssl from app.yml and rebuild to http… then start a new procedure of SSL setup?

Or there is a recert command with acme.sh ?


(Nick Research) #17

I’m following this thread and find that I have the same problem and the answers given here and elsewhere (after spending quite some time reading what’s on the forum) are really not clear to beginners like myself.

A quick description of my setup and the issue:

  1. The discourse hostname (hosted on digital oceans) is example.com
  2. It has LetsEncrypt and this works fine when going to https://example.com
  3. On my DNS (which is hosted by dreamhost) I have an A record pointed to the digital oceans IP
  4. On my DNS I also have a CNAME record for * pointed to the same IP address
  5. Until I read this post I also had DNS record for A with www pointed to the same IP address

I am having the same issue as the OP in that everything works perfectly for https://example.com and has a security warning for https://www.example.com

Is the comment from @dionbeukes saying that the problem is likely to be the A record with www causing problems?

I just want to clarify what is meant when you say “You must have a dns A record on your dns with www pointing to your ip address”.

Is that as in “you must do this” or as in “this must explain why you have a problem”?

Many thanks


(Dion Beukes) #18

Hi,

Thanks for your email. I've not been on the forum for a while, and I don’t know exactly what your problem or issue is. If you explain in detail what happens and what doesn’t, and what you want to achieve, I will reply with an answer explaining exactly what you should and shouldn’t do.


(Dion Beukes) #19

Hi,

Sorry, I read your post a few times. So your DNS is not the issue, because your subdomains and www all get directed to the right IP address. The reason why you get a security warning for your www subdomain is the following. When a request gets directed to your server, depending on your settings, I presume you want all requests securely served. https://example.com works, but https://www.example.com gives a warning. You must list all your subdomains on letsencrypt. Either you must do a catch-all, meaning *.example.com etc. (I don’t do that, to minimise the possibility of random subdomains getting securely served; instead I list all of the subdomains I want securely served: www.example.com, shop.example.com etc.), or reissue your letsencrypt certificate with all the right subdomains and your warning will go away. I’m not sure if letsencrypt does a catch-all certificate; rather specify each subdomain you want to be served by the same certificate. Hope my explanation is clear enough,

Please email me again if you have more issues and your solution in the end.
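The point made in #2 and #19, and visible in the acme.sh output in #14, is that a certificate only covers the names listed in its Subject Alternative Name (SAN) extension, and the browser compares the hostname you typed against that list. The script below is an added example for this thread, not code from Discourse, acme.sh or any poster; it implements the SAN/hostname matching rule (RFC 6125 style: a wildcard is honoured only as the entire left-most label, so `*.example.com` covers `www.example.com` but not `example.com` itself) and reports which of the names you intend to serve are missing from a certificate. The `SAMPLE_PEERCERT` dict is constructed to look like what `ssl.SSLSocket.getpeercert()` returns for a certificate issued for `example.com` only; `peer_sans()` fetches the real list from a live server and is an assumption about how you would use it, not something the thread shows.

```python
"""Check which intended hostnames a certificate's SANs actually cover.

Added example for the thread above (not Discourse or acme.sh code).
"""
import socket
import ssl

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): a cert
# issued for the bare domain only, which is the situation in the thread.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
    "notAfter": "Mar 31 10:41:13 2017 GMT",
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A '*' is
    accepted only as the whole left-most label and only when at least two
    labels follow it, so '*.example.com' matches 'www.example.com' but not
    'example.com', not 'a.b.example.com', and '*.com' matches nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry in san_names matches hostname."""
    return any(_name_matches(p, hostname) for p in san_names)


def missing_hostnames(san_names, wanted):
    """Return the hostnames in `wanted` that the certificate does NOT cover.

    An empty list means every name you plan to serve will validate.
    """
    return [h for h in wanted if not cert_covers(san_names, h)]


def sans_from_peercert(peercert: dict):
    """Pull the dNSName SAN entries out of a getpeercert()-style dict."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def peer_sans(host: str, port: int = 443):
    """Fetch the SAN list of a live server (needs network; not used in tests).

    The chain is still verified against the system trust store; only the
    hostname check is disabled so we can read the cert even when the name
    does not match, which is exactly the failure the thread is about.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return sans_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    sans = sans_from_peercert(SAMPLE_PEERCERT)
    wanted = ["example.com", "www.example.com"]
    print("certificate SANs:", sans)
    print("not covered:", missing_hostnames(sans, wanted))
```

Run against the constructed sample this reports `www.example.com` as not covered, which is the reissue-with-both-names case from the thread; pointing `peer_sans()` at your own server shows the list the browser is really checking, and `missing_hostnames()` is the check to repeat after every reissue or app.yml hostname change and rebuild.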


(Jay Pfaffman) #20

Did you enable let’s encrypt in app.yml or did you run it yourself?