Using Letsencrypt SSL in multi-site setup

(Hammad Abbasi) #1


I am not sure if it has been discussed before, but i am having troubles in setting up letsencrypt SSL in multi-site configuration. It works for main domain but not the second ( so i want to know if there’s any way that i can use this settings in multi-site Mode )

Any help would be appreciated. Thanks

(Hammad Abbasi) #2

How can i append another domain in “web.ssl.template.yml”

 rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent;

I have tried defining another env variable for another domain but i have no clue how to request multi-domain certificate using this template.

(Jeff Atwood) #3

Any advice here @tgxworld?

(Jay Pfaffman) #4

As I pointed out over here it seems that the Multisite documentation is out of date. This would be a good thing to get included in an updated HOWTO.

(Alan Tan) #5

I can add support for this next week. I just have to update the template to take in a list of domains.

(Hammad Abbasi) #6

That’d be great! Thank you so much

(Alan Tan) #7

Lol I was so wrong about the “just” update the template. The web.ssl templates will have to be updated to support multisite as well.

(Hammad Abbasi) #8

How long do you think it may take ?

(Hammad Abbasi) #9

@tgxworld is there any update or ETA ?

(Robert) #10

I am interested as well!

(Alan Tan) #11

Hi there is currently no ETA on this but it shouldn’t be hard for you to manually run the Let’s Encrypt client once to issue the cert for multiple sites if it is urgent.

(Hammad Abbasi) #12

Thanks for the response, Will there any changes in app.yml, do i still need to include web.ssl.* templates ?

(Robert) #13

I got it working thanks to:

It is so easy, that I would de-encourage to carry out complicated, heavy modifications to the existing lets encrypt setup. It’s maybe not worth it.

Prepare Discourse Container

In your app.yml, make these changes:

Only expose port 80:

- "80"   # fwd host port 80   to container port 80 (http)

In the env: section, add the latter 3 new lines:

  DISCOURSE_HOSTNAME: 'forum.domain1.tld'
  VIRTUAL_HOST: 'forum.domain1.tld,forum.domain2.tld'
  LETSENCRYPT_HOST: 'forum.domain1.tld,forum.domain2.tld'
  LETSENCRYPT_EMAIL: 'your_mailbox@mydomain.tld'

Then run ./launer rebuild app

Setup Nginx Proxy with letsencrypt companion

Then use GitHub - JrCs/docker-letsencrypt-nginx-proxy-companion: LetsEncrypt companion container for nginx-proxy to setup a separate container with nginx and another one caring for the certificates

docker run --name nginx-proxy \
  -p 80:80 -p 443:443 \
  -v /var/discourse/certs:/etc/nginx/certs:ro \
  -v /etc/nginx/vhost.d \
  -v /usr/share/nginx/html \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  --restart=always \
  --detach jwilder/nginx-proxy
docker run --name letsencrypt-companion \
  -v /var/discourse/certs:/etc/nginx/certs:rw \
  --volumes-from nginx-proxy \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --restart=always \
  --detach jrcs/letsencrypt-nginx-proxy-companion

To store the certificates in /var/discourse/certs has been my choice. Normally, it should just work. If not, try to restart the Discourse container with ./launcher restart app.

How it works

The nginx container receives listens on 80/443 and sends requests based on the host to the docker container with the according environment variable called VIRTUAL_HOST.

The 2nd docker container also evaluates the docker container environment variables and ensures to catch periodically the certificates.

(Hammad Abbasi) #14

Many thanks for sharing but i am a little hesitant in using nginx proxy and I need more time to investigate if this is a right way for us, I would appreciate if you can share your experience- are there any known issues with this setup ?

(Robert) #15

I have two totally unrelated Discourse projects running with this setup and it worked directly.

(Hammad Abbasi) #16

I have 4 sites for now and may add more later so i don’t want to complicate my install as mentioned here Setting up Let’s Encrypt for multisite

(Robert) #17

I ran into issues due to the maximum upload file size constraint of the proxy nginx. Fortunately, the [docker nginx-proxy readme][readme] provides an advice here:

FROM jwilder/nginx-proxy
echo ‘server_tokens off;’;
echo ‘client_max_body_size 100m;’;
} > /etc/nginx/conf.d/my_proxy.conf

> Or it can be done by mounting in your custom configuration in your docker run command:
> `$ docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy`


(Bernhard Fürst) #18

I’m running the Nginx Proxy with LetsEncrypt companion setup since many months now without problems. Nginx as a proxy is a well proofed concept in my opinion. The LetsEncrypt companion updates the SSL certificates completely automatically. I never need to take care of SSL configuration in Docker containers.

I do not see any drawbacks in this approach.

(Bernhard Fürst) #19

You may switch (temporarily) from jrcs/docker-letsencrypt-nginx-proxy-companion to alastaircoote/docker-letsencrypt-nginx-proxy-companion/ because Let’s Encrypt did change their API and jrcs did not upgrade to that changes yet.

See DeserializationError: Deserialization error: Wrong directory fields · Issue #130 · JrCs/docker-letsencrypt-nginx-proxy-companion · GitHub for details.

(Robert) #20

What happens if we don’t? We won’t find our certificate updates (which is the main purpose of the companion)? In that case, that’s a critical thing that deserves a much louder warning I guess. :warning: :rotating_light: