SSL activation for discourse

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.wombatarchitecture.com

I ran this command: cd /var/discourse && ./discourse-setup

It produced this output: FAIL

My web server is (include version): No current server set up; I plan to relaunch a new server with DigitalOcean on a 2 GB memory, standard shared-processor droplet.

The operating system my web server runs on is (include version): Ubuntu/Debian, or I could use another OS if it is compatible with running Discourse.

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don't know): When the new server is installed, yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Domain registered through namecheap.com for DNS settings

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A.

Hi,

I am attempting to launch a Discourse site with a new server and the Mailgun e-mail service, but am experiencing a couple of problems with this. One is that the SSL certificate has expired, so I need to activate a new certificate for that, which is why I am here at Let's Encrypt.

Secondly, the SPF record with Mailgun is not verifying, even after waiting 48 hours for the new DNS record to propagate.

All other records are verified and active: DKIM, MX, and CNAME are good.

I am having trouble figuring out how to activate a new SSL certificate. I read that a permanent one can be purchased somehow, but with Let's Encrypt there is a way to activate a temporary free certificate that should work for a few months.

I can't remember how or if I did this before; I was able to successfully launch a site that was working earlier this year, but closed that.

Hello @Architect, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/www.wombatarchitecture.com/1903692

NoRecords
FATAL
No valid A or AAAA records could be ultimately resolved for www.wombatarchitecture.com. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.
No A or AAAA records found.
3 Likes

You are also running up against the Rate Limits; consider using the Staging Environment for testing.

2 Likes
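The reply above points at the rate limits. The duplicate-certificate limit is the one that bites repeated install attempts: Let's Encrypt allows 5 certificates per 7-day sliding window for the exact same set of names, so after five installs you must wait until the oldest of those five falls out of the window. The following is an added example, not code from the thread or from Discourse or Certbot; it computes when the next issuance for a name set becomes possible from the "not before" timestamps you can read off a Certificate Transparency search such as crt.sh. The timestamps embedded below are constructed for the demo, not the poster's real issuance history.

```python
"""Earliest time one more duplicate certificate can be issued (added example).

Models Let's Encrypt's duplicate-certificate limit: DUPLICATE_LIMIT
certificates per WINDOW for the same set of names, as a sliding window.
"""
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5          # certificates with an identical name set
WINDOW = timedelta(days=7)   # sliding window the limit is counted over

# Constructed crt.sh-style "not before" timestamps for one hostname (UTC).
SAMPLE_LOG = """
# constructed data: five issuances in two days for discourse.example.com
2024-04-20T10:00:00
2024-04-20T14:00:00
2024-04-21T09:00:00
2024-04-21T11:00:00
2024-04-21T12:00:00
"""


def parse_times(lines):
    """Parse one ISO 8601 timestamp per line; blank lines and '#' comments are skipped."""
    times = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        times.append(datetime.fromisoformat(line).replace(tzinfo=timezone.utc))
    return sorted(times)


def next_allowed(issuances, now):
    """Return the earliest UTC time at which another duplicate issuance is allowed.

    Issuances in (now - WINDOW, now] count against the limit. If fewer than
    DUPLICATE_LIMIT are in the window the answer is `now`; otherwise it is the
    moment enough of the oldest in-window issuances have aged out that only
    DUPLICATE_LIMIT - 1 remain.
    """
    in_window = sorted(t for t in issuances if now - WINDOW < t <= now)
    if len(in_window) < DUPLICATE_LIMIT:
        return now
    # The k-th oldest entry must leave the window, where k = len - LIMIT + 1.
    idx = len(in_window) - DUPLICATE_LIMIT
    return in_window[idx] + WINDOW


def demo(now_iso="2024-04-23T00:00:00"):
    """Run the check against SAMPLE_LOG at the given UTC instant; returns ISO 8601 text."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return next_allowed(parse_times(SAMPLE_LOG.splitlines()), now).isoformat()


if __name__ == "__main__":
    print("Next duplicate issuance allowed at:", demo())
```

While waiting, point the client at the staging environment (Certbot's `--dry-run` or `--staging` flags) to debug the setup; staging has its own, much higher limits and its certificates are not trusted by browsers, so it costs nothing against production.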

As far as I know, SPF does not have anything to do with a web PKI certificate and thus is not the subject of this Community.

With regard to renewing your expired certificate: Let's Encrypt uses the ACME protocol to issue certificates, which requires an ACME client to get one. Does that discourse-setup script use an ACME client? What does "FAIL" mean exactly? I'm afraid I don't have any psychic abilities, so I'm not able to read more than those 4 letters and thus don't know exactly what was failing.

1 Like

That is helpful about the rate limit; I didn't know about that. I have been making multiple attempts to launch, so it is good to know I can't use "discourse." for the URL until a couple of days from now, the 27th.

I will set the A record for the new server I have launched with Debian 12 x64 in Sydney.

The new record host is "community"; I set the IP to the new server, so I hope this works!

2 Likes

I didn't write down the whole log report; I will report if there is another failure on the next attempt. It was something like "Port 443 and 80 not working" or similar.

I'm not sure what an ACME client is; I can access the console with SSH through the server site.

Here is a definition and list https://acmeclients.com/

Here is a list: ACME Client Implementations - Let's Encrypt

2 Likes

For the SPF records I may post a topic about that at the Discourse support meta forum; I don't know if anyone there will be able to tell what the problem is with that.

Recently, when I was able to complete an install of Discourse, it wouldn't send the activation e-mail, which seemed to be because of that. Maybe the problem had something to do with the rate limit for installs, or something else?

Good to be here hope everyone is having a great day!!

1 Like

There's nothing wrong with your SPF record.

The only problem I see here is that you're confused about your domain name. At the top post you mentioned www.wombatarchitecture.com which clearly does not exist. There is no www record on your domain.

2 Likes

Here is what I see for DNS Records

1 Like

The SPF record is not working with Mailgun; the hostname for that is mail.wombatarchitecture.com, and the host value is set to "@".

Apr 25, 2024, 3:12 PM by notifications@letsencrypt.discoursemail.com:

Thanks for that report; I will see if I can add DNSSEC records and use more domains for the nameservers.

It is true there isn't a "WWW" as part of the domain name.

1 Like

This has nothing to do with TLS. Please check mailgun's own documentation, you probably just have to add a single include in your SPF record.

3 Likes
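The replies above say the SPF problem is outside TLS and usually comes down to a single missing include. The following is an added example, not code from the thread, Mailgun or Let's Encrypt, that shows what to check in an SPF TXT record before asking a mail provider why it "does not verify": that the record starts with `v=spf1`, that the provider's include is present, that the terms costing DNS lookups stay under the 10-lookup limit of RFC 7208, and that `all` is the last term. The include name `mailgun.org` is an assumption taken from Mailgun's public setup instructions, and every record below is constructed for the demo.

```python
"""Static checks on an SPF TXT record (added example, constructed inputs)."""
import re

# Mechanisms (and the redirect modifier) that each cost one DNS lookup
# under RFC 7208 section 4.6.4; ip4/ip6/all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Assumed provider include (from Mailgun's setup docs, not from the thread).
MAILGUN_INCLUDE = "mailgun.org"

# Constructed records for the demo.
SPF_MISSING = "v=spf1 mx ~all"                                 # no provider include
SPF_FIXED = "v=spf1 mx include:mailgun.org ~all"               # include added
SPF_TOO_MANY = "v=spf1 " + " ".join(                           # 11 lookups
    f"include:spf{i}.example.net" for i in range(11)) + " -all"

_TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:/](.*))?$")


def parse_spf(record):
    """Split a TXT record into (qualifier, name, value) terms; None if not SPF."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for part in parts[1:]:
        if "=" in part and ":" not in part.split("=", 1)[0]:
            name, value = part.split("=", 1)          # modifier: redirect=, exp=
            terms.append(("", name.lower(), value))
            continue
        m = _TERM.match(part)
        if not m:
            raise ValueError(f"malformed SPF term: {part!r}")
        qualifier, name, value = m.groups()
        terms.append((qualifier or "+", name.lower(), value or ""))
    return terms


def check_spf(record, required_include):
    """Return a dict of findings for one record.

    The lookup count covers this record only; a full audit must recurse into
    every included domain, because nested lookups count against the same 10.
    """
    terms = parse_spf(record)
    if terms is None:
        return {"valid": False, "reason": "record does not start with v=spf1"}
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    includes = {value.lower() for _, name, value in terms if name == "include"}
    all_terms = [q for q, name, _ in terms if name == "all"]
    return {
        "valid": True,
        "has_required_include": required_include.lower() in includes,
        "lookups": lookups,
        "within_lookup_limit": lookups <= MAX_LOOKUPS,
        "all_qualifier": all_terms[-1] if all_terms else None,
        "all_is_last": bool(all_terms) and terms[-1][1] == "all",
    }


def check_txt_set(txt_records):
    """A domain must publish exactly one SPF record; two or more is a permerror."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return {"spf_count": len(spf), "single_record": len(spf) == 1}


if __name__ == "__main__":
    for label, rec in (("missing", SPF_MISSING), ("fixed", SPF_FIXED), ("too many", SPF_TOO_MANY)):
        print(f"{label:9} {check_spf(rec, MAILGUN_INCLUDE)}")
    print(check_txt_set([SPF_MISSING, SPF_FIXED, "google-site-verification=abc"]))
```

Two things the script cannot see and that still break verification in practice: the record must sit at the exact name the provider checks (the apex for `@`, or the sending subdomain if the provider configured one), and the TXT set at that name must contain only one `v=spf1` record, which `check_txt_set` flags.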

What is TLS?

1 Like

SSL is the old name and standards;
TLS is the new name and standards that are more secure.
Currently recommended are TLSv1.3 and TLSv1.2

See Transport Layer Security - Wikipedia

3 Likes

I see global DNS unable to resolve this name:

Given: SPF has nothing to do with TLS [SSL]
Just thought I'd point that out.

3 Likes

Not really sure how this is a Solution.

3 Likes

Could that be the problem, that global DNS cannot resolve that name?

For TLS/SSL with Let's Encrypt I need to generate a certificate for that; I had trouble figuring out the steps for that. How is that done?

That's what the ACME client software will do. It seems like there is already some ACME client application probably included with the Discourse package, but none of us know offhand which that would be.

In most cases you need to have all names under which your site will be accessed (and so all names that will be listed on your Let's Encrypt certificate) already working in DNS and pointing at your server before you start the process of requesting the certificate.

If you do get an error message, we'd like to see the exact text of the error message, because it should help make clear which ACME client it is, and also what the underlying problem is.

2 Likes
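The Let's Debug result earlier in the thread (NoRecords / FATAL) and the reply above make the same point: every name that will be on the certificate must already resolve in DNS to the server that will answer the HTTP-01 challenge. The following is an added example, not code from the thread, Discourse or any ACME client, that runs that pre-flight check for a list of candidate names. The resolver is a parameter so the logic can be shown offline against constructed DNS answers; the default uses the operating system's resolver via `socket.getaddrinfo`, and the example hostnames and addresses are invented for the demo.

```python
"""Pre-flight DNS check before requesting an ACME certificate (added example)."""
import socket


def default_resolve(name):
    """Return the set of A/AAAA addresses for `name`; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(names, server_ips, resolve=default_resolve):
    """Classify each candidate certificate name.

    Returns {name: status} with status one of:
      'ok'           resolves only to this server's addresses
      'no_records'   no A/AAAA answer (what Let's Debug reports as NoRecords)
      'wrong_target' resolves, but to addresses this server does not own,
                     e.g. a stale record still pointing at a previous droplet
    """
    server_ips = set(server_ips)
    results = {}
    for name in names:
        addrs = resolve(name)
        if not addrs:
            results[name] = "no_records"
        elif addrs - server_ips:
            results[name] = "wrong_target"
        else:
            results[name] = "ok"
    return results


def ready_to_request(results):
    """True only when every name passed; otherwise requesting would burn a failed validation."""
    return all(status == "ok" for status in results.values())


# Constructed DNS answers for the demo (invented names and addresses).
FAKE_ZONE = {
    "community.example.com": {"203.0.113.10"},   # the new server
    "discourse.example.com": {"198.51.100.7"},   # stale, points at the old server
    # "www.example.com" deliberately absent: no A/AAAA record at all
}


def fake_resolve(name):
    """Offline stand-in for default_resolve, answering only from FAKE_ZONE."""
    return FAKE_ZONE.get(name, set())


def demo():
    """Run the pre-flight for three names against the constructed zone."""
    names = ["community.example.com", "www.example.com", "discourse.example.com"]
    return preflight(names, {"203.0.113.10"}, resolve=fake_resolve)


if __name__ == "__main__":
    results = demo()
    for name, status in results.items():
        print(f"{name:26} {status}")
    print("ready to request:", ready_to_request(results))
```

Two caveats a practitioner would add: the machine's own resolver can answer from `/etc/hosts` or a split-horizon view that the public internet never sees, so confirm with an external vantage point such as Let's Debug before trusting an `ok`; and passing DNS is necessary but not sufficient for HTTP-01, which also needs TCP port 80 on those addresses reachable from the internet, which is what the poster's "Port 443 and 80 not working" message was about.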

For the new install it seems that the ACME certificate generator worked automatically as part of that; previously the problem was that the limit of 5 certificates had been met, which was why the new install was not working.

When I contacted DigitalOcean support they wrote this to me:

The website http://discourse.wombatarchitecture.com/ shows the ERR_CONNECTION_REFUSED error. On checking, I see that there is no SSL certificate installed and hence the website does not connect on the HTTPS port 443.
SSL Checker

You will have to install an SSL certificate for the site to run on the secure https port. Installing an SSL on your Droplet provides an increased level of security for your users - and there are two options we recommend for getting that done.

Your first option is to install an SSL from an SSL provider and you'll want to check out our guide below to install the same:

That guide takes you through the steps of choosing the right type of SSL for your needs, generating the CSR, and how to purchase the SSL from some common SSL providers. This is a great choice for purchasing a yearly SSL that only needs renewal once a year. The downside is they typically cost money to purchase.

The second option would be to use a free SSL provider like Letsencrypt.

Letsencrypt offers free SSL certificates and is easy to set up. This option is great to cover multiple websites on the same Droplet. The downside is that the SSL expires every 3 months, but the renewal process is simple and can be automated through cronjobs.

Depending on the webserver you are running, the following guides will help you get your SSLs installed using Letsencrypt as well as set up automatic renewal.

Nginx:

Apache:

For the new install, with the URL starting with "community" instead of "discourse", I have checked with the tool they referenced, which shows the certificate is valid but set to expire in 89 days:

SSL Checker (sslshopper.com)

I can't activate the site yet because of the problem with mail sending; I still hope to figure that out. I understand that is not related to the TLS certificate; I was just guessing that it could be, but found out the answer is no, it is not.

Thanks everyone for your replies!

1 Like