FIX: Letsencrypt allow for multi-domain renewal

featheredtoast · featheredtoast · commit 7e580b235fca · 2025-08-02T20:30:07.000-07:00
With DISCOURSE_HOSTNAME of example.com... multiple domains are not able to renew if they cannot access such as http://alternate.example.com which redirects under the current https config. Allow .well-known on http to continue to serve traffic sans https for letsencrypt renewals FIX: better listening for ipv6 for ipv4 only
diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
@@ -26,6 +26,20 @@ run:
         LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
         LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --set-default-ca  --server  letsencrypt
 
+        cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
+        server {
+          listen 80;
+
+          location ~ /.well-known {
+            root /var/www/discourse/public;
+            allow all;
+          }
+          location / {
+            return 301 https://${DISCOURSE_HOSTNAME}$request_uri;
+          }
+        }
+        EOF
+
         cat << EOF > /etc/nginx/letsencrypt.conf
         user www-data;
         worker_processes auto;
@@ -48,7 +62,6 @@ run:
 
           server {
             listen 80;
-            listen [::]:80;
 
             location ~ /.well-known {
               root /var/www/discourse/public;
@@ -58,6 +71,12 @@ run:
         }
         EOF
 
+        if [ -f "/proc/net/if_inet6" ] ; then
+          sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
+          sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/letsencrypt.conf
+        fi
+
+
         sed -Ei "s/^#?ACCOUNT_EMAIL=.+/ACCOUNT_EMAIL=${LETSENCRYPT_ACCOUNT_EMAIL}/" \
           /shared/letsencrypt/account.conf
 
