Tim Gaudette (iamtjg)

SSL for Discourse with Let's Encrypt

This all assumes you already have a running installation of Discourse on a Linux host.

There is already a great guide on setting up Discourse with SSL but I wanted to share the setup process I used specifically for Let's Encrypt which deviates slightly.

See the Let's Encrypt docs for the official documentation.

Stop your Discourse container if it is already running.

Let's Encrypt will need port 80 available to perform the domain verification. From /var/discourse:
./launcher stop [container name]

Download the Let's Encrypt client

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Generate Certificates

Run letsencrypt-auto in standalone mode. This is the best method to use (currently), since the nginx plugin isn't available yet and we will be using the certificates within a container once we get them.

./letsencrypt-auto certonly --standalone

Follow the prompts from letsencrypt. As it tells you when it completes, your certificates will be stored in /etc/letsencrypt/live/your-domain-name.
If you go there you will see four files:

Later on we will be using fullchain.pem and privkey.pem. It is important to use fullchain.pem, as nginx does not have a way of handling separate intermediate cert files.

Create SSL Directory in Discourse

Create /var/discourse/shared/standalone/ssl if it does not already exist.

Update Discourse Config

Open /var/discourse/container/app.yml

Add SSL Template

Add "templates/web.ssl.template.yml" to your list of templates.
templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/sshd.template.yml"
- "templates/web.template.yml"
- "templates/web.ssl.template.yml"

Add listener for SSL

Add "443:443" to allow your container to listen on port 443.
expose:
- "80:80"
- "2222:22"
- "443:443"

Add Mount to Let's Encrypt

Rather than copy your certificates into Discourse we will set up a mount point for the container. Still in app.yml, go down to the volumes section. If you haven't made any other modifications you will see the following:
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

Add an entry for Let's Encrypt:

volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
  - volume:
      host: /etc/letsencrypt/
      guest: /etc/letsencrypt/

Update SSL Template

By default /var/discourse/templates/web.ssl.template.yml points to /var/discourse/shared/standalone/ssl for certificate information.

Update the template to point to your certificate and key located in the letsencrypt directory.

Default:

ssl_certificate /shared/ssl/ssl.crt;
ssl_certificate_key /shared/ssl/ssl.key;

Updated (replace example.com with your domain):

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
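
Before rebuilding, the paths can be checked from the host with the script below. It is an added example, not part of the original post. It confirms that fullchain.pem really contains the chain, that privkey.pem is not readable by group or others, and that the template points at both files. LIVE_DIR and TEMPLATE are arguments you supply; because the mount maps /etc/letsencrypt/ to the same path inside the container, the host path matches what nginx will see.

```shell
#!/bin/sh
# Added example (not from the original post): pre-rebuild check of the
# certificate paths. Usage: sh check_le.sh LIVE_DIR TEMPLATE
# LIVE_DIR and TEMPLATE are supplied by you; nothing is hard-coded.

check_le_paths() {
    live=$1 tmpl=$2 fails=0
    fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }

    # 1. Both files the template references must exist and be non-empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || fail "missing or empty: $live/$f"
    done

    # 2. fullchain.pem must carry the leaf plus at least one intermediate,
    #    because nginx takes the whole chain from the ssl_certificate file.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$live/fullchain.pem" 2>/dev/null || true)
    [ "${n:-0}" -ge 2 ] || fail "fullchain.pem holds ${n:-0} certificate(s), expected 2 or more"

    # 3. The key must not be readable by group or others. -L follows
    #    symlinks so the mode of the real key file is inspected.
    if [ -e "$live/privkey.pem" ]; then
        mode=$(ls -lL "$live/privkey.pem" | cut -c5-10)
        [ "$mode" = "------" ] || fail "privkey.pem group/other bits are '$mode'"
    fi

    # 4. The template must point nginx at these two files, not the defaults.
    grep -E '^[[:space:]]*ssl_certificate[[:space:]]' "$tmpl" 2>/dev/null |
        grep -Fq "$live/fullchain.pem;" || fail "ssl_certificate is not $live/fullchain.pem"
    grep -E '^[[:space:]]*ssl_certificate_key[[:space:]]' "$tmpl" 2>/dev/null |
        grep -Fq "$live/privkey.pem;" || fail "ssl_certificate_key is not $live/privkey.pem"

    return "$fails"
}

if [ "$#" -eq 2 ]; then check_le_paths "$1" "$2"; fi
```

The function returns the number of failed checks, so an exit status of 0 means the rebuild can go ahead.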

Rebuild Your Container

From /var/discourse run ./launcher rebuild [your container name]. A full rebuild is necessary to incorporate all the changes.

Once the container is rebuilt and running, navigate to your domain and enjoy your new encrypted connection!