Nethserver-discourse, Let's Encrypt, and SSL

Hi all,

On LOCAL VMs, I have 2 installations of Discourse: one with nethserver-discourse and one with standard Discourse.

For the nethserver-discourse, I followed exactly: https://wiki.nethserver.org/doku.php?id=discourse (2 times for 2 installations)

The VM with nethserver-discourse displays a warning (screenshot in the original post).

The VM with standard Discourse does not display such warning.


I compared the 2 configurations and found that nethserver-discourse is missing 2 folders (screenshot in the original post).

For a test, I wanted to try to copy the missing folders from the standard Discourse to the nethserver-discourse.

In nethserver-discourse, I just created a folder letsencrypt and went into it.
To my surprise, even though I hadn’t copied anything yet, the folder was filled with the same sub-folders as the standard Discourse.

In nethserver-discourse, I created a folder ssl and went into it.
Same thing, it filled up by itself.

I rebooted the nethserver-discourse VM and there is no more warning; all is OK.

QUESTION

What am I missing?

Michel-André


Need to check; Discourse comes from the Docker container, which is not in my hands.

Hi @stephdl

With the creation of those folders, the keys have changed, I cannot login anymore into discourse.

Michel-André

Two problems, two question threads on the forum, Michel.

:smiley:

Hi @stephdl

I created a new post: Nethserver Docker and option --restart unless-stopped

Michel-André


I am going to look into this Discourse business; I will see if I have the time, I am going on holiday soon :smiley:

I am going to check your issue but I am not sure I have the time because I will be on holiday soon.

Hi @stephdl,

It is related to the name of the certificate keys:
cert.pem / privkey.pem
vs
cert.crt / cert.key

# ln -s cert.crt cert.pem
# ln -s cert.key privkey.pem

Then activate https in Discourse -> Security

No more security warnings.

Enjoy your holidays! :slight_smile:

Michel-André

EDIT:

# ls -ls /etc/pki/tls/certs/cert.pem
0 lrwxrwxrwx 1 root root 8  8 juil. 15:29 /etc/pki/tls/certs/cert.pem -> cert.crt

# ls -ls /etc/pki/tls/private/privkey.pem
0 lrwxrwxrwx 1 root root 8  8 juil. 15:31 /etc/pki/tls/private/privkey.pem -> cert.key

/etc/nginx/conf.d/discourse.conf

...
server {
    listen 443 ssl http2;  listen [::]:443 ssl http2;
    server_name  forum.toto.org;  # <-- change here

#   ssl on;  # <-- OBSOLETE
    ssl_certificate      /etc/pki/tls/certs/cert.pem;  # <-- change here
    ssl_certificate_key  /etc/pki/tls/private/privkey.pem;  # <-- change here
...

Most important:

# reboot
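Since the fix above is only two symlinks, a quick way to confirm they resolve and point at a certificate and key that actually belong together (added example, not from the thread; the default paths are the ones above, and openssl is assumed to be installed):

```shell
#!/bin/sh
# Added example, not from the thread: check that the cert.pem / privkey.pem
# symlinks resolve and that the certificate really belongs to the private
# key before pointing nginx at them. Default paths are the thread's.

# cert_key_match [CERT] [KEY] -> 0 when the public key embedded in CERT equals
# the one derived from KEY, 1 when they differ, 2 when a file cannot be read.
cert_key_match() {
    cert="${1:-/etc/pki/tls/certs/cert.pem}"
    key="${2:-/etc/pki/tls/private/privkey.pem}"
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            # A dangling symlink (e.g. a typo in the ln -s target) lands here.
            echo "cannot read $f (-> $(readlink -f "$f" 2>/dev/null))" >&2
            return 2
        fi
    done
    # Compare public keys, not file names: a symlink to the wrong key would
    # otherwise look fine until nginx refuses to start or handshakes fail.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $cert matches $key"
        return 0
    fi
    echo "MISMATCH: $cert does not belong to $key" >&2
    return 1
}

# Stand-alone demo on a throwaway self-signed pair (constructed here), laid
# out with the same symlink names the thread creates.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=forum.toto.org" \
    -keyout "$demo_dir/cert.key" -out "$demo_dir/cert.crt" >/dev/null 2>&1
ln -s cert.crt "$demo_dir/cert.pem"
ln -s cert.key "$demo_dir/privkey.pem"
cert_key_match "$demo_dir/cert.pem" "$demo_dir/privkey.pem"
rm -rf "$demo_dir"
```

Run it as root after the two ln -s commands; a mismatch or a dangling link is reported before nginx is reloaded.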

Hi @stephdl,

Sorry to ruin your vacation, but my solution works only with standard Discourse.

With nethserver-discourse, after activating https, I can no longer log in. It says the cookies are not enabled.

Michel-André

Hi @stephdl,

Just to keep you informed.

I am still working on the warning in the URL when accessing Discourse with Firefox or TOR.
There is no warning with Chrome.

If you log in with 2 different browsers:

  • With the first browser, enable “force https”. Refresh the page. The warning disappears but you are no longer able to log in.
  • On the second browser, disable “force https”. Go back to the first browser; you are able to log in again.

It looks like it is related to the SSL configuration in zzz_discourse.conf for Apache.
I tried both .crt and .pem; same problem.

If you use nginx, there is no such warning in Firefox.

I will try to find out more info on SSL config for Apache and let you know.

Continue having a nice holiday in the canyon :slight_smile:

Michel-André

Hi all and especially @stephdl on holiday in the canyon,

After 3 weeks of struggle (installation, reinstallation, standard Discourse, nethserver-discourse, Apache disabled / Nginx, Nginx only, HAProxy, Apache only), I finally found the cause of the warning in the URL bar and of being unable to reconnect after “force https”.

With standard Discourse:

The warning in the URL bar is due to the installation of the logo.

  1. It is absolutely necessary not to install the logo when connecting to Discourse for the first time.

  2. You must install the logo only after the configuration is complete with Settings → Branding.

  3. To correct the situation:

  • Remove logo in Settings → Branding.
  • Reinstall the logo in Settings → Branding.

Not being able to log in is due to Apache.

In the file: /etc/httpd/conf.d/zzz_discourse.conf, just before the line ProxyPass, add this line:

 RequestHeader set X-Forwarded-Proto "https"

Restart Apache:

# systemctl restart httpd

‡ It should be the same with nethserver-discourse and NGINX /etc/nginx/conf.d/zzz_discourse.conf

force https

  • Settings → Security → activate “force https”.
  • Finally reboot to make absolutely sure everything is working perfectly.

Complete victory, let us raise the banner of victory.

A how-to will follow soon,

Michel-André

Hi all and especially @stephdl on holiday, if he is out of the canyon, :wink:

For Nethserver-Discourse

After a backup snapshot, restart the VM.

Wait at least 2-3 minutes to give clamd time to finish.
Wait at least another 2-3 minutes to let ruby start Discourse (there are 4 ruby processes running for Discourse).

FILE: /etc/httpd/conf.d/zzz_discourse.conf

...
ProxyPreserveHost On
ProxyRequests Off

# Add those 2 lines to be always able to login
RequestHeader set X-Forwarded-Proto "https"
AllowEncodedSlashes NoDecode

ProxyPass / unix:/var/discourse/shared/standalone/nginx.http.sock|http://localhost/
ProxyPassReverse  / unix:/var/discourse/shared/standalone/nginx.http.sock|http://localhost/
...

Restart Apache:

# systemctl restart httpd
# systemctl status httpd  |  grep Active

Clear caches

  • Station:

    ipconfig /flushdns

  • Browser:
    History → Clear Recent History…

DO NOT RELOAD THE BROWSER PAGE, USE THE FULL LINK: https://forum.toto.org/.

  • Login

  • Configuration → Parameters → Security → Activate “force https”
    Refresh page - warning is still there => normal because of the “Branding icons”.

  • Configuration → Parameters → Branding
    Delete “logo” -> click the green check mark to confirm the deletion
    Delete “small logo” -> click the green check mark to confirm the deletion
    Repeat if more logos.
    Make sure there are no more logos.
    …
    Download a new “logo” -> click the green check mark to activate the new logo
    Download a new “small logo” -> click the green check mark to activate the new “small logo”
    Repeat if more logos.

  • Logout
    The page refreshes to display the home page, there is no more warning in the URL bar.

Reboot, clear caches, and login to be absolutely sure that all is running perfectly.

Michel-André

P.S.
Use 2 different browsers to login; if you have problems after activating “force https”, you can use the other browser still logged in to deactivate it.
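For the zzz_discourse.conf change described in this post and the previous one, an added shell check (not from the thread) that an Apache proxy conf carries both added lines uncommented and ahead of ProxyPass, so a forgotten X-Forwarded-Proto is caught before it shows up as a login loop behind “force https”; the sample fragments are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: lint an Apache proxy conf such as
# /etc/httpd/conf.d/zzz_discourse.conf for the two directives the post adds
# in front of ProxyPass.

# check_proxy_conf FILE -> 0 if the file has an uncommented
#   RequestHeader set X-Forwarded-Proto "https"  and  AllowEncodedSlashes NoDecode
# and the header comes before the first ProxyPass; 1 otherwise, 2 if unreadable.
check_proxy_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # grep -n gives "LINE:text"; keep only the first match's line number.
    hdr=$(grep -n -E '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Proto[[:space:]]+"?https"?' "$conf" | head -n 1 | cut -d: -f1)
    proxy=$(grep -n -E '^[[:space:]]*ProxyPass[[:space:]]' "$conf" | head -n 1 | cut -d: -f1)
    slashes=$(grep -c -E '^[[:space:]]*AllowEncodedSlashes[[:space:]]+NoDecode' "$conf" || true)
    status=0
    if [ -z "$hdr" ]; then
        echo "$conf: missing RequestHeader set X-Forwarded-Proto \"https\" (the login failure from the thread)"
        status=1
    fi
    if [ "$slashes" -eq 0 ]; then
        echo "$conf: missing AllowEncodedSlashes NoDecode"; status=1
    fi
    if [ -z "$proxy" ]; then
        echo "$conf: no ProxyPass directive found"; status=1
    elif [ -n "$hdr" ] && [ "$hdr" -gt "$proxy" ]; then
        echo "$conf: RequestHeader (line $hdr) comes after ProxyPass (line $proxy); move it before"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "$conf: OK"; fi
    return "$status"
}

# Stand-alone demo on two constructed fragments: the post's fixed conf, and
# the same file with the header line commented out.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.conf" <<'EOF'
ProxyPreserveHost On
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
AllowEncodedSlashes NoDecode
ProxyPass / unix:/var/discourse/shared/standalone/nginx.http.sock|http://localhost/
ProxyPassReverse / unix:/var/discourse/shared/standalone/nginx.http.sock|http://localhost/
EOF
sed 's/^RequestHeader/# RequestHeader/' "$sample_dir/good.conf" > "$sample_dir/bad.conf"
for f in "$sample_dir/good.conf" "$sample_dir/bad.conf"; do
    check_proxy_conf "$f" || true
done
rm -rf "$sample_dir"
```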