Test for valid cert to enable force_https is broken, leaving it off when it should be on

Edit: changing this to a bug. Force_https is now off on sites where it used to be on and that breaks things.


I spent a while debugging a site where “uploads don’t work”. After going through a litany of obvious things (rebuild, safe-mode, consider non-standard plugins), I finally noticed a mixed-content warning and turned on force_https, and we’re back in business.

I thought that at some time a year or two ago that force_https was on by default, but a few times recently I’ve heard of (or perhaps seen) that things were broken because force_https wasn’t turned on.

Is there a reason not to have it on by default?

1 Like

It’s automatically enabled in discourse.conf if a valid certificate is present.
That is indeed since a year or two ago.

grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"

1 Like

Aha! Thanks, Richard.

So I’m not going crazy

So the issue is that the test for a valid cert is failing:

# openssl verify -CAfile ca.cer fullchain.cer 
O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error fullchain.cer: verification failed

And then, if I remove mozilla/DST_Root_CA_X3.crt from /etc/ca-certificates.conf and update-ca-certificates, I then get this:

C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error fullchain.cer: verification failed

It shows up fine in the browser. And I just rebuilt this container today (so it should have the updated root certs).

I don’t know enough about this cert stuff to know just what’s up with that. I can curl a let’s encrypt certificate from inside the container (a test that was failing on a WordPress container I was working with last week).

And it’s not just me this time, there have been a few people fixing things by turning on force_https recently.

1 Like

Yes, this sounds related to the LetsEncrypt root cert expiration, especially/only when this started after Friday last week.

What does openssl version say (within the docker container)? (Because of this).

2 Likes

OpenSSL 1.1.1d  10 Sep 2019

So maybe it needs “ISRG Root X1 in trust store”? But I see mozilla/ISRG_Root_X1.crt in ca-certificates.conf.

1 Like

OMG. And I spent two days debugging an issue that I thought was some intricate issue with Rails and Ansible and Python, but it turned out to be that my server that used to have force_https turned on doesn’t now, and a bunch of requests were made to http://myserver rather than https://myserver.

This does seem like a bug.

2 Likes

Yes, this indeed is a bug.

We were moving a forum to another server last week and we ran into the LetsEncrypt reissuance limit (max 5 per week for the same hostname). At first we had no idea why but this bug caused the certificate to be reissued on every build and after five times it ran into the rate limit. That didn’t ring any alarms because the previous certificate was still on the server.

Until we moved the forum to a new server. Then we did not get a fresh certificate. We could copy it from the old server but we never realized what caused it.

acme.sh is pinned to 2.9.0 whilst master is at 3.0.1 and has a feature for setting a default chain, which I suspect might be related.

3 Likes

Hey @Falco. Do you want to take a look at this? You seem to be well versed in these matters. I’ve poked at this for several hours over the past week or two and still don’t understand what’s going on.

1 Like

Yes, I assigned it to me over the weekend. It’s an extended holiday weekend here, but I will take a look this week as soon as possible.

2 Likes

Aha. That’s the part I missed. Sorry to have bothered you then.

Our extended holiday weekend just ended, and Our Lady of Aparecida’s day wasn’t on my calendar. But now I know.

Thanks.

2 Likes