{"id":7161,"date":"2020-11-10T12:37:06","date_gmt":"2020-11-10T17:37:06","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=7161"},"modified":"2020-11-10T15:31:57","modified_gmt":"2020-11-10T20:31:57","slug":"discourse-acme-sh-script-failure","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=7161","title":{"rendered":"Discourse acme.sh Script Failure"},"content":{"rendered":"<p>I had a hellacious time updating the certificate on my Dockerized Discourse server &#8212; the acme.sh script doesn&#8217;t have a slash delimiter between the hostname and the .\/well-known folder within the URI. Which means the request fails. Repeatedly.<\/p>\n<p>&nbsp;<\/p>\n<pre>[Sat Oct 10 00:01:09 UTC 2020] _post_url='https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/7784162898\/nr42-g'\r\n[Sat Oct 10 00:01:09 UTC 2020] _CURL='curl -L --silent --dump-header \/shared\/letsencrypt\/http.header -g '\r\n[Sat Oct 10 00:01:10 UTC 2020] _ret='0'\r\n[Sat Oct 10 00:01:10 UTC 2020] code='200'\r\n[Sat Oct 10 00:01:10 UTC 2020] trigger validation code: 200\r\n[Sat Oct 10 00:01:10 UTC 2020] sleep 2 secs to verify\r\n[Sat Oct 10 00:01:12 UTC 2020] checking\r\n[Sat Oct 10 00:01:12 UTC 2020] url='https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/7784162898\/nr42-g'\r\n[Sat Oct 10 00:01:12 UTC 2020] payload\r\n[Sat Oct 10 00:01:12 UTC 2020] POST\r\n[Sat Oct 10 00:01:12 UTC 2020] _post_url='https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/7784162898\/nr42-g'\r\n[Sat Oct 10 00:01:12 UTC 2020] _CURL='curl -L --silent --dump-header \/shared\/letsencrypt\/http.header -g '\r\n[Sat Oct 10 00:01:13 UTC 2020] _ret='0'\r\n[Sat Oct 10 00:01:13 UTC 2020] code='200'\r\n[Sat Oct 10 00:01:13 UTC 2020] discourse.example.com:Verify error:Fetching https:\/\/discourse.example.com.well-known\/acme-challenge\/XY02T_40TL92IADByQ45JMj4JzC2qJCatVd2odJMAlU: Invalid host in redirect target\r\n[Sat Oct 10 00:01:13 UTC 2020] pid\r\n[Sat Oct 10 00:01:13 UTC 2020] No need to 
restore nginx, skip.<\/pre>\n<p>&nbsp;<\/p>\n<p>Turns out that&#8217;s my bad config &#8212; I&#8217;ve got a reverse proxy in front of Discourse, and we don&#8217;t <em>use<\/em> the clear-text http site. The reverse proxy just bounces you over to the https site. Two problems &#8212; one, I failed to put the trailing slash after my redirect, so http:\/\/discourse.example.com\/.well-known\/blah is being redirected to https:\/\/discourse.example.com.well-known\/blah.<\/p>\n<pre>&lt;VirtualHost 10.1.2.3:80&gt;\r\nServerName discourse.example.com\r\nServerAlias discourse\r\n\r\nRedirect 301 \/ https:\/\/discourse.example.com\r\n\r\n&lt;\/VirtualHost&gt;<\/pre>\n<p>&nbsp;<\/p>\n<p>That&#8217;s easy enough to fix &#8212; add the trailing slash I should have had anyway. But the subsequent problem is that the bootstrap nginx config that is used to serve up the validation page only listens on port 80. So I <em>cannot<\/em> redirect the clear-text traffic over to the SSL site. I have to reverse proxy the clear-text site as well (at least whenever the certificate needs to be renewed).<\/p>\n<pre>ProxyPass \/ https:\/\/discourse.example.com\/\r\nProxyPassReverse \/ https:\/\/discourse.example.com\/<\/pre>\n<p>Voila, a web server with an updated certificate.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I had a hellacious time updating the certificate on my Dockerized Discourse server &#8212; the acme.sh script doesn&#8217;t have a slash delimiter between the hostname and the .\/well-known folder within the URI. Which means the request fails. Repeatedly. 
&nbsp; [Sat Oct 10 00:01:09 UTC 2020] _post_url=&#8217;https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/7784162898\/nr42-g&#8217; [Sat Oct 10 00:01:09 UTC 2020] _CURL=&#8217;curl -L &#8211;silent &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[1176,1081,231,1175],"class_list":["post-7161","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-certbot","tag-discourse","tag-docker","tag-letsencrypt"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/7161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7161"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/7161\/revisions"}],"predecessor-version":[{"id":7164,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/7161\/revisions\/7164"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}