letsencrypt updates: renew location for .well-known, add support for multiple hostnames

[featheredtoast]

add comma-separated DISCOURSE_HOSTNAME_ALIASES to handle multiple aliases
for letsencrypt domain generation over env vars

FIX: add letsencrypt renew location for .well-known and allow for multi-domain renewal
Do not redirect to https on .well-known location for any domain
so letsencrypt cert renewals can work properly.

FIX: better listening for ipv6 for ipv4 only
Current letsencrypt assumes ipv6 in config. Check for ipv6 before listening

[pfaffman]

Will this let all requests get through and not just those for the discourse hostname? I think so, but I'm not quite sure

I'm trying to get certs for additional domains. The old way no longer works.

[featheredtoast]

I'm working on that now but it is unrelated - this doesn't change anything about how the initial cert retrieval is done, but it does fix the renewal, in the case where a Discourse site installed with letsencrypt and is left alone for 3 months (the current validity of certs), it can autorenew.

[featheredtoast]

PR has been updated to also include support for multi-domain certs.

[pfaffman]

DUDE! That is so awesome! I can't wait to check it out.

[discoursebot]

This pull request has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/set-up-let-s-encrypt-with-multiple-domains-redirects/56685/171

[discoursebot]

This pull request has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/daily-summary-9pm-utc/291850/583

[andrewschleifer]

Can we get rid of the commented out multi_accept line? @tgxworld git blame tracks this to d41b7e6.

[andrewschleifer]

In, for example, samples/web_only.yml, we tell operators to uncomment both web.ssl.template.yml and web.letsencrypt.ssl.template.yml.

However, the configure-letsencrypt and configure-ssl scripts are writing to the same outlet. So future changes to the latter are going to be mysteriously overwritten by the former.

[featheredtoast]

fair point - perhaps something simple we could do is bundle the /.well-known passthrough location into the base ssl template? It's not a path used by Discourse anywhere, and maybe it's... well known... enough that it's OK to have in the base ssl template.

[andrewschleifer]

Does this file exist if IPv6 is enabled but no interfaces have v6 addresses?

We want to listen on :: even if there are current addresses, in case one appears in the future.

[featheredtoast]

I'll admit this was a somewhat blind attempt at mimicking what the web_ssl does here:

discourse_docker/templates/web.ssl.template.yml

Lines 62 to 65 in e957176

	if [ -f "/proc/net/if_inet6" ] ; then
	sed -i 's/listen 80;/listen 80;\nlisten [::]:80;/g' /etc/nginx/conf.d/outlets/before-server/20-redirect-http-to-https.conf
	sed -i 's/listen 443 ssl;/listen 443 ssl;\nlisten [::]:443 ssl;/g' /etc/nginx/conf.d/outlets/server/20-https.conf
	fi

But if this isn't necessary, perhaps we can remove the references in both places and simplify everywhere

[andrewschleifer]

I don't actually know what the behavior is when IPv6 is enabled but not configured anywhere. Maybe that if test is OK?

If listen [::]:80 does not error when IPv6 is not available that sure looks like the cleanest option. I'll try and figure out a test.

[andrewschleifer]

Survey says "yes". The default install on Debian has listen [::]:80 default_server; Running echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 turned off IPv6. The service still starts fine afterwards.

[featheredtoast]

@andrewschleifer updated with feedback, let me know if that looks better.