Using Letsencrypt SSL in multi-site setup


(Bernhard Fürst) #21

That’s right. If you don’t switch to alastaircoote’s image, your existing certificates don’t get updated, and new virtual hosts (in the context of nginx-proxy) do not get certificates at all.


(Robert) #22

For the record: the changes have been merged and the two maintainers recommend using the jrcs repo.


(Shirjeel Alam) #23

Hi Guo, any update on this?


#24

@rriemann is this still working? I tried but it was not working due to some errors.

@tgxworld is there a timeline for this to be supported officially?


(Robert) #25

Yes, it is working. Have you tried to follow our guide?


#26

After multiple trials & errors, I finally managed to get it working thanks to @rriemann’s post. It turned out the previous errors were all due to personal mistakes. I can confirm that the steps & commands listed in the post are still working today. Thank you!


(Thiago Machado Da Silva) #27

Hi rriemann, I’m trying to follow your guide but I’m new to discourse/docker/server configurations and couldn’t make it work.

Could you show your multisite app.yml configuration file?

I think mine is wrong:
(could access http://en.ancap.ch - which is a brand new discourse setup - but not https://br.ancap.ch - which is a ssl+let’s encrypt discourse setup - but after that failure I returned to my old single website https://br.ancap.ch)

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
##  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml" # tried to remove, also didn't work
 
expose:
  - "80"   # http

params:
  db_default_text_search_config: "pg_catalog.english"
  db_shared_buffers: "128MB"

env:
  LANG: en_US.UTF-8
  UNICORN_WORKERS: 2

  DISCOURSE_HOSTNAME: br.ancap.ch
  VIRTUAL_HOST: 'br.ancap.ch,en.ancap.ch'
  LETSENCRYPT_HOST: 'br.ancap.ch,en.ancap.ch'
  LETSENCRYPT_EMAIL: 'swfsql@gmail.com'
  LETSENCRYPT_ACCOUNT_EMAIL: 'swfsql@gmail.com'
  
  DISCOURSE_DEVELOPER_EMAILS: 'swfsql@gmail.com'
  ## 
  DISCOURSE_SMTP_ADDRESS: xxxxxxxxxx
  DISCOURSE_SMTP_PORT: xxxx
  DISCOURSE_SMTP_USER_NAME: xxxxxxxxxxxxxxx
  DISCOURSE_SMTP_PASSWORD: xxxxxxxxxxxxxxx

volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

hooks:
  after_postgres:
     - exec: sudo -u postgres createdb en_discourse || exit 0
     - exec:
          stdin: |
            grant all privileges on database en_discourse to discourse;
          cmd: sudo -u postgres psql en_discourse
          raise_on_fail: false

     - exec: /bin/bash -c 'sudo -u postgres psql en_discourse <<< "alter schema public owner to discourse;"'
     - exec: /bin/bash -c 'sudo -u postgres psql en_discourse <<< "create extension if not exists hstore;"'
     - exec: /bin/bash -c 'sudo -u postgres psql en_discourse <<< "create extension if not exists pg_trgm;"'

  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - mkdir -p plugins
          - git clone https://github.com/discourse/docker_manager.git

  before_bundle_exec:
    - file:
        path: $home/config/multisite.yml
        contents: |
         secondsite:
           adapter: postgresql
           database: en_discourse
           pool: 25
           timeout: 5000
           db_id: 2
           host_names:
             - en.ancap.ch

  after_bundle_exec:
    - exec: cd /var/www/discourse && sudo -E -u discourse bundle exec rake multisite:migrate

run:
  - exec: echo "Beginning of custom commands"
  - exec: echo "End of custom commands"

I’ve read that letsencrypt should be set up at the host instead of my discourse docker. So I must remove everything related to ssl/letsencrypt in br.ancap.ch before following your guide?

Also, when I tried to access en.ancap.ch, only http worked (not https), would you know why?

Thanks in advance.


(Rafael dos Santos Silva) #28

Hi @swfsql,

Try to follow the #howto: Setting up Let’s Encrypt with Multiple Domains


(Robert) #29

These are the important lines from my app.yml file:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
#  - "templates/web.ssl.template.yml"
#  - "templates/web.letsencrypt.ssl.template.yml"
 
## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80"
#  - "80:80"   # http
#  - "443:443" # https

env:

  ## TODO: The domain name this Discourse instance will respond to
  DISCOURSE_HOSTNAME: first.forum.com
  VIRTUAL_HOST: 'first.forum.com,second.forum.com'
  LETSENCRYPT_HOST: 'first.forum.com,second.forum.com'
  LETSENCRYPT_EMAIL: 'postmaster@my-mail.com'

Once discourse is running, I run:

docker run --name nginx-proxy -p 80:80 -p 443:443 \
  -v /var/discourse/host_nginx.conf:/etc/nginx/conf.d/host_nginx.conf:ro \
  -v /var/discourse/certs:/etc/nginx/certs:ro \
  -v /etc/nginx/vhost.d \
  -v /usr/share/nginx/html \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  --restart=always \
  --detach jwilder/nginx-proxy

docker run --name letsencrypt-companion \
  -v /var/discourse/certs:/etc/nginx/certs:rw \
  --volumes-from nginx-proxy \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --restart=always \
  --detach jrcs/letsencrypt-nginx-proxy-companion
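
The app.yml layout in the post above can be checked mechanically before the proxy containers are started. This is an added example, not code from any poster or from the Discourse, nginx-proxy or companion projects; the function names, finding labels and sample hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example: lint a Discourse app.yml meant to run behind nginx-proxy
# and its Let's Encrypt companion. Function names are hypothetical.

# Constructed sample mirroring the working layout (placeholder hostnames).
sample_app_yml() {
    cat <<'EOF'
templates:
  - "templates/web.template.yml"
#  - "templates/web.ssl.template.yml"
#  - "templates/web.letsencrypt.ssl.template.yml"
expose:
  - "80"
env:
  DISCOURSE_HOSTNAME: first.forum.example
  VIRTUAL_HOST: 'first.forum.example,second.forum.example'
  LETSENCRYPT_HOST: 'first.forum.example,second.forum.example'
EOF
}

# Print the comma-separated value of env key $1 in file $2, one host per line.
hosts_of() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
        tr -d "\"' " | tr ',' '\n' | sort -u
}

# Print one finding per line; return 0 when clean, 1 otherwise.
lint_app_yml() {
    f=$1; rc=0
    vh=$(hosts_of VIRTUAL_HOST "$f"); le=$(hosts_of LETSENCRYPT_HOST "$f")
    main=$(hosts_of DISCOURSE_HOSTNAME "$f")
    for h in $vh; do   # every proxied name needs a certificate request
        echo "$le" | grep -qxF "$h" || { echo "no-cert: $h"; rc=1; }
    done
    for h in $le; do   # every certificate name should also be a proxied name
        echo "$vh" | grep -qxF "$h" || { echo "not-proxied: $h"; rc=1; }
    done
    echo "$vh" | grep -qxF "$main" || { echo "hostname-not-proxied: $main"; rc=1; }
    # Discourse's own TLS templates stay commented out behind the proxy.
    if grep -Eq '^[[:space:]]*- *"templates/web\.(letsencrypt\.)?ssl\.template' "$f"; then
        echo "in-container-tls-template"; rc=1
    fi
    # Publishing 80/443 on the host would collide with nginx-proxy's ports.
    if grep -Eq '^[[:space:]]*- *"(80:80|443:443)"' "$f"; then
        echo "host-port-published"; rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then lint_app_yml "$1"; fi
```

The lint only covers the file; each listed hostname must also resolve publicly to the host, which was the cause of the failure reported later in this thread.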

(Thiago Machado Da Silva) #30

Hey Rafael! Hey Robert!

You guys explained and pointed perfectly, turns out the let’s wasn’t working because my root domain wasn’t registered as a domain at all!

So adding

worked, after following your instructions! (I was trying the Rafael links, but the Robert’s one, tried previously, outputted the same problem)

Cheers, guys! A hug!


(S) #31

hi @rriemann

This is exactly what I am trying to get going!

Do you mind sharing content of your ‘host_nginx.conf’ (/var/discourse/host_nginx.conf:/etc/nginx/conf.d/host_nginx.conf)

thanks!


(Robert) #32

My host_nginx.conf file is surprisingly short!

client_max_body_size 5m;

Best,
Robert