SSL working on root, but not on www

You know what to do. Now you understand that the certificate must match the host name you want to use.

Can you please point me to the part about recert?

I do it with acme.sh; what command? :smiley:

Edit: I thought that you were using the Discourse Let’s Encrypt module.

If you used acme.sh, then just use it again and enter both host names as suggested below.

I did that, but when I tried to enter www.example.com, I got "this server is not secure", procedure…

So the next logical step is to reissue the certificate and enter www.example.com instead of example.com.

How do I do that?

root@crypto:/var/discourse# /var/discourse/shared/standalone/letsencrypt/acme.sh --cron --home "/var/discourse/shared/standalone/letsencrypt"
[Mon Jan 30 23:20:32 UTC 2017] Renew: 'example.com'
[Mon Jan 30 23:20:32 UTC 2017] Skip, Next renewal time is: Fri Mar 31 10:41:13 UTC 2017
[Mon Jan 30 23:20:32 UTC 2017] Add '--force' to force to renew.
[Mon Jan 30 23:20:32 UTC 2017] Skipped example.com
[Mon Jan 30 23:20:32 UTC 2017] Renew: 'www.example.com'
[Mon Jan 30 23:20:32 UTC 2017] Skip, Next renewal time is: Fri Mar 31 18:54:09 UTC 2017
[Mon Jan 30 23:20:32 UTC 2017] Add '--force' to force to renew.
[Mon Jan 30 23:20:32 UTC 2017] Skipped www.example.com

From what I can see here, it skipped www.example.com?

Do you have www in an A record on your DNS? You must have a DNS A record with www pointing to your IP address. Some domain registrars/zone records would automatically point www to your IP even if you don't have www set as an A record; if that is the case it means there is a redirect, so if you put www.example.com in your browser, your DNS is redirecting it to your IP just on example.com, and because your server listens on ports 80 and 443, any requests coming in would be served whether it was on www or example.com. Also, from what I can see, with letsencrypt you need to do a new certificate issue and not a renew; with renew, letsencrypt will check if the certificate you have is due for renewal, and if it's not it will just exit and do nothing.

1 Like

Thanks for clearing that up for me, @dionbeukes.

Tell me, should I totally remove SSL from app.yml and rebuild to http, then start a new procedure of SSL setup?

Or is there a recert command with acme.sh?

I’m following this thread and find that I have the same problem and the answers given here and elsewhere (after spending quite some time reading what’s on the forum) are really not clear to beginners like myself.

A quick description of my setup and the issue:

  1. The Discourse hostname (hosted on DigitalOcean) is example.com
  2. It has Let's Encrypt and this works fine when going to https://example.com
  3. On my DNS (which is hosted by DreamHost) I have an A record pointed to the DigitalOcean IP
  4. On my DNS I also have a CNAME record for * pointed to the same IP address
  5. Until I read this post I also had a DNS A record with www pointed to the same IP address

I am having the same issue as the OP in that everything works perfectly for https://example.com but there is a security warning for https://www.example.com.

Is the comment from @dionbeukes saying that the problem is likely to be the A record with www causing problems?

I just want to clarify what is meant when you say “You must have a dns A record on your dns with www pointing to your ip address”.

Is that as in “you must do this” or as in “this must explain why you have a problem”?

Many thanks

2 Likes

Hi,

Thanks for your email. I've not been on the forum for a while, so I don't know exactly what your problem or issue is. If you explain in detail what happens and what doesn't and what you want to achieve, I will reply with an answer explaining exactly what you should and shouldn't do.

Hi,

Sorry, I read your post a few times. So your DNS is not the issue, because your subdomains and www all get directed to the right IP address. The reason why you get a security warning for your www subdomain is the following. When a request gets directed to your server, depending on your settings, I presume you want all requests securely served. https://example.com works, but https://www.example.com gives a warning. You must list all your subdomains on letsencrypt. Either you do a catch-all, meaning *.example.com etc. (I don't do that, to minimise the possibility of random subdomains getting securely served), or you list all of the subdomains you want securely served, as I do: www.example.com, shop.example.com etc. Reissue your letsencrypt certificate with all the right subdomains and your warning will go away. I'm not sure if letsencrypt does a catch-all certificate; rather specify each subdomain you want to be served by the same certificate. Hope my explanation is clear enough.

Please email me again if you have more issues and your solution in the end.
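The rule behind the advice in this thread is the host-name match a browser performs against the certificate's dNSName entries: the apex name and the www name are distinct, and a wildcard covers one label only. The following is an added example (not code from the thread or from Discourse) that implements that match over constructed SAN lists and reports which wanted names a certificate leaves uncovered.

```python
"""Host-name matching against a certificate's dNSName SAN entries."""
from typing import Iterable, List


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry matches the host name.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is accepted only as the entire left-most label, matches exactly one
    label, and therefore never covers the apex name itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('w*.example.com'), too-short patterns ('*.com')
    # and label-count mismatches ('*.example.com' vs 'a.b.example.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_dnsnames: Iterable[str]) -> bool:
    """True if any SAN entry of the certificate matches the host name."""
    return any(san_matches(san, hostname) for san in san_dnsnames)


def missing_names(wanted: Iterable[str], san_dnsnames: Iterable[str]) -> List[str]:
    """Names the site wants to serve that the certificate does not cover."""
    sans = list(san_dnsnames)
    return [host for host in wanted if not cert_covers(host, sans)]


# Constructed SAN lists standing in for certificates discussed in the thread.
APEX_ONLY = ["example.com"]                     # certificate issued for the apex only
BOTH_NAMES = ["example.com", "www.example.com"]  # apex plus www, as recommended above
WILDCARD = ["*.example.com"]                     # matching semantics only; says nothing about what a CA issues
WANTED = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, sans in (("apex only", APEX_ONLY), ("both names", BOTH_NAMES), ("wildcard", WILDCARD)):
        print(f"{label:>10}: missing {missing_names(WANTED, sans)}")
```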

Did you enable let’s encrypt in app.yml or did you run it yourself?

I did it through app.yml

It now seems to be working. The issue I think was that I had an A record for the subdomain www (as in www.example.com) instead of using a CNAME record. For anyone reading this in future, the right config seems to be:

  1. An A record pointing to the IP address of your host (e.g. DigitalOcean droplet)
  2. A CNAME record with * pointing to example.com (and NOT www.example.com)

With this setup the letsencrypt through app.yml works a treat. Thanks all.

5 Likes

Hi @Nick Research,

I have exactly the same problem.

Can you explain the solution? What must I do?

Thank you in advance.

1 Like

Hi @ufukayyildiz, I'm not sure how to answer your question. Look through the thread at my previous post describing my setup, and then this post with the changes to that.

Where are you up to? What errors are you getting?

If you give some more information then I might be able to help you.

Setting up Let's Encrypt with Multiple Domains does sort of what you want it to do. You'll need to make some modifications. There was another topic on the same issue recently.

1 Like

Thank you Nick,

When I installed Discourse I only entered my domain without www. So the www version has no certificate. Now I want to add a certificate to the www version too. But I am not sure how I can do this exactly.

Thank you.

With my setup my issue was not with the letsencrypt certificate, but rather with the way that my DNS records were set up. That's what makes troubleshooting hard, because your DNS, your letsencrypt and your app.yml all need to be aligned to make this work.

My understanding is that to “make www. work” there are two options:

(1) is to make sure that your letsencrypt works for the subdomain so that people can access your site through https://www.yoursite.com. This is probably ideal, but I never got this working. See responses from @pfaffman and @dionbeukes and ignore mine if this is what you are after.

(2) is simpler: set up the DNS for your site so that anyone typing in www.yoursite.com simply gets taken to https://yoursite.com automatically, so they won't get any security warnings.

You do this through your DNS (e.g., in your host provider) by making sure that you have a CNAME record for yoursite.com but not www.yoursite.com.

1 Like

This is almost always going to break your entire domain. For this to do the Right Thing your DNS server has to do CNAME flattening.

4 Likes

I’m glad you know what’s going on.

I probably need the disclaimer that my posts are simply what worked for me with this issue, where my setup is a DigitalOcean server and DreamHost domain management with their one-click Let's Encrypt cert.

I’m definitely no expert on this!

Setting up Let’s Encrypt with Multiple Domains is a solution for this.

3 Likes