FEATURE: add DISCOURSE_HOSTNAME_ALIASES

add comma-separated DISCOURSE_HOSTNAME_ALIASES to handle multiple aliases
for letsencrypt domain generation over env vars

FIX: add letsencrypt renew location for .well-known
and allow for multi-domain renewal

Add /.well-known location in /var/www/discourse/public.
Allow .well-known on http to continue to serve traffic without redirects
Allows for letsencrypt cert renewals to work properly.

With DISCOURSE_HOSTNAME of example.com...

multiple domains are not able to renew if they cannot access such as
http://alternate.example.com

...which redirects under the current https config.

FIX: better listening for ipv6 for ipv4 only
Current letsencrypt assumes ipv6 in config. Check for ipv6 before listening

Author: featheredtoast

templates/web.letsencrypt.ssl.template.yml

@@ -19,6 +19,20 @@ run:
         LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
         LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --set-default-ca  --server  letsencrypt
 
+        cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
+        server {
+          listen 80;
+
+          location ~ /.well-known {
+            root /var/www/discourse/public;
+            allow all;
+          }
+          location / {
+            return 301 https://${DISCOURSE_HOSTNAME}$request_uri;
+          }
+        }
+        EOF
+
         cat << EOF > /etc/nginx/letsencrypt.conf
         user www-data;
         worker_processes auto;
@@ -41,7 +55,6 @@ run:
 
           server {
             listen 80;
-            listen [::]:80;
 
             location ~ /.well-known {
               root /var/www/discourse/public;
@@ -51,6 +64,12 @@ run:
         }
         EOF
 
+        if [ -f "/proc/net/if_inet6" ] ; then
+          sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
+          sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/letsencrypt.conf
+        fi
+
+
         sed -Ei "s/^#?ACCOUNT_EMAIL=.+/ACCOUNT_EMAIL=${LETSENCRYPT_ACCOUNT_EMAIL}/" \
           /shared/letsencrypt/account.conf
 
@@ -71,8 +90,15 @@ run:
         LETSENCRYPT_DIR="/shared/letsencrypt"
         /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
 
+        extra_domains() {
+        if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then
+          domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g")
+          echo "-d $domains"
+        fi
+        }
+
         issue_cert() {
-          LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} --keylength $1 -w /var/www/discourse/public
+          LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} $(extra_domains) --keylength $1 -w /var/www/discourse/public
         }
 
         cert_exists() {