How to secure my Discourse page with https and update my TLS to 2.0

I'm running a discourse forum here at https://www.avdisco.com. I was told by a helpful member here that my forum is at risk without proper https...I thought I already have. But I guess I'm not? As I'm more of a user and content creator rather than web security expert here. Need advice on how to secure my forum.

Anyone can reach me how with a simple step by step guide. BTW my Discourse forum is hosted on Digital Ocean.

Thanks in advance.

1 Like

Hi and welcome to the LE community forum!

I got a heads up that you were coming from @JimPas :slight_smile:
Looking into this now: https://www.ssllabs.com/ssltest/analyze.html?d=www.avdisco.com
Looks like the cert doesn't have the "www" in it :frowning:

As for the shorter name, that one looks A+

So, let's see how we can get the right names on the cert...

How did you get the cert you have now?
What was the exact command you ran, if any?

READERS: Get involved and participate: If you read something you like, then click to like it :heart:

I'm not sure as well. I used ocean digital droplet to create the Discourse forum. I point the DO droplet that host my Discourse to Cloudflare DNS to manage it. And that's about all. I didnt set up SSL. Is this anything serious. This is just a hobbyist forum. Shouldn't all this behind the scene web security be taken care of by Digital Ocean? That's what I led to believe.

Looks like I just need to point to https://avdisco.com instead of adding the "www" to overcome this problem? Am I right?

It looks bad if someone types your site with the www, they will get a security warning.
Some browsers may not even let them continue in to it.

Easier said than done.
You can't change every thing ever written about your site on the Internet.
You can't stop someone from typing www. first out of habit.
You can:
Ask DO how that cert was installed and how can you get the www in on the next renewal.

I see. Thanks for the great tip. I'll drop a support ticket to DO to seek clarification on the https issue with the "www" and see if anything can be done to secure my site.

1 Like

Alternatively, can I do a DNS forwarding to https://avdisco.com whenever user typed www.avdisco.com? Does that help?

Only for http://www
If they type, or hit a link that has, https://www it's too late - they will get the security warning message.

Actually, it is not DNS forwarding - can't be fixed in DNS (that only changes names to numbers).
It is redirection in HTML / web service.

Ok thanks. I looking to OD for answer. Clearly they asking me to do a certbot cmd.

OK we can do that :slight_smile:

Please show the output of:
certbot --version
certbot certificates