letsencrypt updates: renew location for .well-known, add support for multiple hostnames (#992)

featheredtoast · web-flow · commit ae4887a4f716 · 2025-08-19T14:19:50.000-07:00
* FEATURE: add DISCOURSE_HOSTNAME_ALIASES add comma-separated DISCOURSE_HOSTNAME_ALIASES to handle multiple aliases for letsencrypt domain generation over env vars FIX: add letsencrypt renew location for .well-known and allow for multi-domain renewal Add /.well-known location in /var/www/discourse/public. Allow .well-known on http to continue to serve traffic without redirects Allows for letsencrypt cert renewals to work properly. With DISCOURSE_HOSTNAME of example.com... multiple domains are not able to renew if they cannot access such as http://alternate.example.com ...which redirects under the current https config. FIX: better listening for ipv6 for ipv4 only Current letsencrypt assumes ipv6 in config. Check for ipv6 before listening * remove commented multi_accept line * Bundle well-known location http passthrough into base ssl template. * Always configure to listen on ipv4 and v6
diff --git a/templates/web.letsencrypt.ssl.template.yml b/templates/web.letsencrypt.ssl.template.yml
@@ -26,7 +26,6 @@ run:
 
         events {
           worker_connections 768;
-          # multi_accept on;
         }
 
         http {
@@ -71,8 +70,15 @@ run:
         LETSENCRYPT_DIR="/shared/letsencrypt"
         /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
 
+        extra_domains() {
+          if [ -n "$DISCOURSE_HOSTNAME_ALIASES" ]; then
+            domains=$(echo $DISCOURSE_HOSTNAME_ALIASES | sed "s/,/ -d /g")
+            echo "-d $domains"
+          fi
+        }
+
         issue_cert() {
-          LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} --keylength $1 -w /var/www/discourse/public
+          LE_WORKING_DIR="${LETSENCRYPT_DIR}" ${LETSENCRYPT_DIR}/acme.sh --issue $2 -d ${DISCOURSE_HOSTNAME} $(extra_domains) --keylength $1 -w /var/www/discourse/public
         }
 
         cert_exists() {
diff --git a/templates/web.ssl.template.yml b/templates/web.ssl.template.yml
@@ -27,6 +27,13 @@ run:
         cat << EOF > /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
         server {
           listen 80;
+          listen [::]:80;
+
+          location ~ /.well-known {
+            root /var/www/discourse/public;
+            allow all;
+          }
+
           return 301 https://${DISCOURSE_HOSTNAME}$request_uri;
         }
         EOF
@@ -35,6 +42,7 @@ run:
 
         cat << EOF > /etc/nginx/conf.d/outlets/server/20-https.conf
         listen 443 ssl;
+        listen [::]:443 ssl;
         http2 on;
 
         ssl_protocols TLSv1.2 TLSv1.3;
@@ -58,8 +66,3 @@ run:
         cat << EOF > /etc/nginx/conf.d/outlets/discourse/20-https.conf
         add_header Strict-Transport-Security 'max-age=31536000';
         EOF
-
-        if [ -f "/proc/net/if_inet6" ] ; then
-          sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
-          sed -i 's/listen 443 ssl;/listen 443 ssl;\nlisten [::]:443 ssl;/g' /etc/nginx/conf.d/outlets/server/20-https.conf
-        fi
