Why is the Apple Touch Icon loaded via HTTP instead of HTTPS?

support
21

Worth a shot, thanks!

22

Iā€™ve added -d WWW.community.example.com but https://www.community.example.com still doesnā€™t redirect in FF.

This is what I get in FF:

SSL_ERROR_BAD_CERT_DOMAIN

www.community.example.com uses an invalid security certificate.

The certificate is only valid for community.example.com.

Unable to communicate securely with peer: requested domain name does not match the serverā€™s certificate.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

23

The certificate should list all the domains you have included, can you see them? Perhaps the certificate is not being recreated with the list of domains when you rebuild? Follow the debugging instructions in Setting up HTTPS support with Letā€™s Encrypt

1 Like
24

1. For ./launcher logs app I can see:

www.example.com:Verify error:DNS problem: NXDOMAIN looking up A for www.example.com

(thatā€™s for the root, not for the discourse install, which is under www.community.example.com)

And also:

Reload error for : Started runsvdir, PID is 326
ssyslogd: command 'KLogPermitNonKernelFacility' is currently not permitted

Domains not changed.
Add '--force' to force to renew.
Installing key to:/shared/ssl/comunity.example.com.key
Run reload cmd: sv reload nginx

2. For ls -l /var/discourse/shared/standalone/ssl I get:

total 8
-rw-r--r-- 1 ubuntu root 3924 Dec 18 03:56 community.example.com.cer
-rw------- 1 ubuntu root 3247 Dec 18 04:24 community.example.com.key

Should I try and manually reissue the cert following instructions here Setting up HTTPS support with Let's Encrypt?

25

Hours laterā€¦ tried pretty much everything and I still canā€™t get it to work.

In case I do have a breakthrough, I will update thread for future reference.

26

Yes, you should be expecting to get one certificate containing multiple entries in the Subject Alternative Name field.

From Setting up HTTPS support with Letā€™s Encrypt:

If you delete those two directories before rebuilding the container you can be sure that it will get fresh certificates when you rebuild.

2 Likes
29

Thanks! Yes, I always removed the old cert files before rebuilding with no success.

Just woke up now so Iā€™m ready for another 12 hours of research, until I get to the bottom of this. I am starting everything from scratch on a new Lightsail instance.

Will update on the first bump.

30

UPDATE: I managed to make the www version on FF secure as well. All I did was remove the root domain (the one without the forum install) from the list: -d example.com -d www.example.com and all I have left is the actual forum -d community.example.com -d www.community.example.com. Not sure why that helped to be honest.

NEW ISSUE: Now Iā€™ve got two different websites: the www doesnā€™t redirect to the non-www version like it did before for whatever reason.

31

Fixed by adding this 301 redirect to my app.yml hooks section:

- file:
    path: /etc/nginx/conf.d/discourse_redirect_1.conf
    contents: |
      server {
        listen 443;
        server_name www.community.example.com;
        return 301 $scheme://community.example.com$request_uri;
      }
32

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.