SSL for Discourse with Let's Encrypt
This all assumes you already have a running installation of Discourse on a Linux host.
There is already a great guide on setting up Discourse with SSL, but I wanted to share the setup process I used specifically for Let's Encrypt, which deviates slightly.
Head over to the Let's Encrypt docs for the official documentation.
Stop your Discourse container if it is already running.
Let's Encrypt will need port 80 available to perform the domain verification. From /var/discourse:
./launcher stop [container name]
Download the Let's Encrypt client
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Generate Certificates
Run letsencrypt-auto in standalone mode. This is currently the best method to use, since the nginx plugin isn't available yet and we will be using the certificates within a container once we get them.
./letsencrypt-auto certonly --standalone
Follow the prompts from letsencrypt. As it tells you when it completes, your certificates will be stored in /etc/letsencrypt/live/your-domain-name.
If you go there you will see four files:
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem
Create SSL Directory in Discourse
Create /var/discourse/shared/standalone/ssl if it does not already exist.
Update Discourse Config
Open /var/discourse/container/app.yml
Add SSL Template
Add "templates/web.ssl.template.yml" to your list of templates.
templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/sshd.template.yml"
- "templates/web.template.yml"
- "templates/web.ssl.template.yml"
Add listener for SSL
Add "443:443" to allow your container to listen on port 443.
expose:
- "80:80"
- "2222:22"
- "443:443"
Add Mount to Let's Encrypt
Rather than copy your certificates into Discourse, we will set up a mount point for the container. Still in app.yml, go down to the volumes section. If you haven't made any other modifications you will see the following:
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
Add an entry for Let's Encrypt:
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
  - volume:
      host: /etc/letsencrypt/
      guest: /etc/letsencrypt/
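Added example, not part of the original post: the four files under live/ are symbolic links into /etc/letsencrypt/archive, so they only resolve inside the container when the mount covers the tree they point into. The script below checks on the host that each link resolves inside the mounted directory and that the private key is not accessible to group or others. The function name check_le_tree and the reliance on GNU readlink and stat are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-rebuild check of the
# Let's Encrypt tree that app.yml mounts into the Discourse container.
# Assumes GNU coreutils (readlink -f, stat -c) on the Linux host.

# check_le_tree ROOT DOMAIN
#   ROOT   - host directory mounted into the container (/etc/letsencrypt)
#   DOMAIN - directory name under ROOT/live
# Prints one line per problem and returns the number of problems found.
check_le_tree() {
    local root domain name link target mode problems=0
    root=$(readlink -f "$1") || return 1
    domain=$2
    for name in cert chain fullchain privkey; do
        link="$root/live/$domain/$name.pem"
        # -e follows symlinks, so a dangling link fails here too.
        if [ ! -e "$link" ]; then
            echo "missing or dangling: $link"
            problems=$((problems + 1))
            continue
        fi
        # The target must live under ROOT, otherwise the path will not
        # resolve inside the container, which only sees the mounted tree.
        target=$(readlink -f "$link")
        case "$target" in
            "$root"/*) ;;
            *) echo "outside mount: $link -> $target"
               problems=$((problems + 1)) ;;
        esac
        # The private key should not be accessible to group or others.
        if [ "$name" = privkey ]; then
            mode=$(stat -c %a "$target")
            case "$mode" in
                *00) ;;
                *) echo "privkey mode $mode is too open: $target"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}

# Run as a script: ./check_le_tree.sh /etc/letsencrypt example.com
if [ "$#" -eq 2 ]; then
    check_le_tree "$1" "$2"
fi
```

Run it before the rebuild step; a non-zero exit status is the number of problems reported.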
Update SSL Template
By default /var/discourse/templates/web.ssl.template.yml points to /var/discourse/shared/standalone/ssl for certificate information.
Update the template to point to your certificate and key located in the letsencrypt directory.
Default:
ssl_certificate /shared/ssl/ssl.crt;
ssl_certificate_key /shared/ssl/ssl.key;
Updated:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Rebuild Your Container
From /var/discourse run ./launcher rebuild [your container name].
A full rebuild is necessary to incorporate all the changes.
Once the container is rebuilt and running, navigate to your domain and enjoy your new encrypted connection!