Can we change this site to use HTTPS?


#1

Hi,
I think it might be possible to get a free SSL certificate using Let’s Encrypt.
Cheers,
John


#2

Free? But do browsers support it? Or is it just for using the API?


#3

Yes, I think so.


#4

Sounds very labor intensive to have to apply for a new certificate every three months unless it can be automated. Do you wish to apply for us?


#5

I believe that it can be automated, I’ll look into it and let you know. -John


#6

Looks like you can use the certbot renew command and add it to cron.
https://certbot.eff.org/docs/using.html#renewing-certificates
Sounds quite easy.
Cheers, John


#7

Let’s go for it then! :grinning:


#8

I use Let’s Encrypt and it’s very straightforward… download, run, enter details & it configures the webserver (with cert). Then every 3 months just do ./certbot-auto renew and Bob’s your uncle :slight_smile:

Any questions just shout. I use it with Apache (on Ubuntu) as front-end proxy to Cheyenne for about a year with no issues.


#9

Sounds great. Who is actually going to do this? @draegtun @johnk?


#10

Reading this, you need ssh access https://certbot.eff.org/#ubuntuxenial-nginx but also need to install at /var/www, but I don’t think we have that directory under nginx


#11

Ok, seems to be a walk through here


#12

Happy to help if I can? However I’ve no experience of Google cloud or Discourse so I may be tripping over myself a bit :frowning:


#13

The problem we reached was that I wasn’t able to add @asampal as a user to the VM even though I added his public certificate so we need to see what that is about.


#14

It could be just that I got locked out just before you added me with the appropriate username.


#15

I guess try again when I’m back at home and can look more easily at the vm error logs.


#16

Ok, I used the walk through after using the certbot failed since it didn’t know where to put the certificates, and when I chose a place, nothing was put there :frowning: Not sure how I can recover the 158Mb that I used for the certbot install :rage:

This section

4. Rebuild your container

./launcher rebuild <container name>

should just be

./launcher rebuild app

Also note this, it does the daily renewal check for us.

Installs the cert into the right directory that nginx expects. At the same time, it adds a cron job that runs a daily cert renewal check. This will automatically renew your cert. Nothing happens if cert has not expired. If the certificate does expire, you’ll get an email about it from Let’s Encrypt at the email address you provided during setup.
Switches the script to use the webroot plugin with /var/www/discourse/public as the directory. This will allow us to use nginx as the server that handles domain validation. Zero downtime during cert renewal!

Now to see what problems eventuate.
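
An added example, not part of the thread or the walkthrough: an independent check that the daily renewal job described above is actually working, by reading the expiry date of the certificate the site serves. The 20-day alert threshold, the script name and the hostname argument are assumptions.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # certbot's usual default for 90-day certs: renew once < 30 days remain
ALERT_DAYS = 20         # assumption: below this, the daily cron renewal has been failing

def days_remaining(not_after, now=None):
    """Days until the certificate's notAfter date (negative once expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def renewal_status(not_after, now=None):
    """Classify a notAfter string as 'ok', 'due', 'overdue' or 'expired'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < ALERT_DAYS:
        return "overdue"   # renewal should have happened days ago
    if left < RENEW_WINDOW_DAYS:
        return "due"       # inside the window; the next cron run should renew
    return "ok"

def check_host(host, port=443, timeout=10):
    """Fetch the certificate the server presents and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched cert fails verification before it can be read.
        return "invalid: " + str(exc.verify_message)
    return renewal_status(not_after)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: cert_check.py HOSTNAME")
    status = check_host(sys.argv[1])
    print(sys.argv[1], status)
    # Non-zero exit lets cron or a monitoring system raise the alarm.
    sys.exit(0 if status in ("ok", "due") else 1)
```

Run it from a machine other than the web server, so a broken cron job on the server does not also silence the check.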


#17

Looks like Rebol clients (2, 3, renc) can’t connect to the https version used here.

So, rebolbot is a bit stuck.


#18

So, apart from the rebolbot ssl handshaking error, is anyone else in addition to @draegtun now no longer able to login?

I’m wondering now if I should attempt to revert the https?

If you can’t login to reply, then use [SO chat](http://chat.stackoverflow.com/rooms/291/rebol)


#19

Let’s see if they can help, or, if I can just turn off the http -> https redirect.


#20

https works fine for me :slight_smile:

Regarding the disk space for certbot, I assume you can just uninstall it. Assuming this is some kind of Debian-based distro, then it is simply sudo apt-get remove certbot
There are additional options to remove other dependencies of configuration files as well: