I recently deployed 2 websites (a discourse instance and regular html and css) on a digitalocean droplet.
Using letsencrypt, I generated security certificates for both. However, the one for the discourse instance keeps conflicting with that of the regular website.
I ran a check on ssllabs and the SNI check keeps returning the discourse instance as the owner of the certificate for the regular.
Please help. Thanks.
This issue arises because the web server configuration for your two websites (Discourse and the regular HTML/CSS site) does not properly handle Server Name Indication (SNI), which is essential for serving multiple SSL certificates on the same IP address.
Here’s how to fix it:
1. Verify Your Web Server Setup
Discourse typically uses Nginx as its reverse proxy. Your regular HTML/CSS website may also be using Nginx or Apache. Let’s configure Nginx properly to serve both sites with their respective certificates.
2. Configure Nginx for Multiple Domains
Step 1: Open the Nginx Configuration
Check where your Nginx configurations are stored. Common locations include:
- `/etc/nginx/sites-available/`
- `/etc/nginx/sites-enabled/`
You should have two separate configuration files:
- One for your Discourse instance.
- One for your regular website.
If you don’t have them, create separate configuration files for each site.
Step 2: Configure Each Domain
Here’s an example configuration for each domain:
- Discourse Instance (discourse.example.com):

```nginx
server {
    listen 443 ssl http2;
    server_name discourse.example.com;
    ssl_certificate /etc/letsencrypt/live/discourse.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/discourse.example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8080; # Adjust to your Discourse backend port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 80;
    server_name discourse.example.com;
    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
```
- Regular HTML Website (www.example.com):

```nginx
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    root /var/www/html; # Path to your HTML files
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
```
Step 3: Test and Reload Nginx
- Test the Nginx configuration for errors:

```bash
sudo nginx -t
```

- Reload Nginx:

```bash
sudo systemctl reload nginx
```
3. Update Your DNS Records
Ensure the DNS records for both discourse.example.com and www.example.com point to the same droplet IP address.
4. Reissue Certificates with Certbot if Necessary
If your certificates were initially generated incorrectly (e.g., covering the wrong domains), you may need to reissue them.
- Remove Old Certificates (if necessary):

```bash
sudo certbot delete
```

- Generate Certificates for Each Domain Separately. For Discourse:

```bash
sudo certbot certonly --nginx -d discourse.example.com
```

For the regular website:

```bash
sudo certbot certonly --nginx -d www.example.com
```

- Verify Certificates: Check the certificates in `/etc/letsencrypt/live/` to ensure both domains have their own certificates.
5. Retest with SSL Labs
Visit SSL Labs and test both domains to verify that each domain correctly serves its own certificate.
6. Optional: Enable HSTS
To further enhance security, enable HTTP Strict Transport Security (HSTS) in each domain’s Nginx configuration:
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
By properly separating your Nginx configurations and associating the correct SSL certificates with each domain, the conflicts should be resolved. Let me know if you encounter any issues!
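A static check for the SNI problem described in this thread, added here as an example and not part of the answer above: it parses nginx `server` blocks and reports any host that has no 443 listener of its own (so TLS requests fall through to the default server, which is the Discourse block in the sample), that is matched by more than one 443 block, or whose `ssl_certificate` does not live under that host's `/etc/letsencrypt/live/<host>/` directory. The sample configs and the `check_sni` function are constructed for this example.

```python
import re
# Constructed sample reproducing the symptom: www.example.com has only a
# port-80 block, so its HTTPS requests hit the only 443 listener (Discourse).
BROKEN_CONF = """
server {
  listen 443 ssl http2;
  server_name discourse.example.com;
  ssl_certificate /etc/letsencrypt/live/discourse.example.com/fullchain.pem;
  location / { proxy_pass http://localhost:8080; }
}
server {
  listen 80;
  server_name www.example.com;
}
"""
# Corrected layout: the second block also listens on 443 with its own cert.
FIXED_CONF = BROKEN_CONF.replace("listen 80;", "listen 443 ssl http2;\n"
    "  ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;")

def server_blocks(conf: str) -> list[str]:
    """Body of each top-level server { ... } block, brace-matched so nested location blocks stay inside."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.end():i - 1])
    return blocks

def directive(body: str, name: str) -> list[str]:  # values of every `name ...;` line
    return [m.group(1).strip() for m in re.finditer(rf"^\s*{name}\s+([^;]+);", body, re.M)]

def check_sni(conf: str, hosts: list[str]) -> list[str]:
    """Report hosts that would not be served their own certificate over TLS."""
    seen, findings = {}, []  # host -> ssl_certificate of each 443 block naming it
    for body in server_blocks(conf):
        if not any("443" in v and "ssl" in v for v in directive(body, "listen")):
            continue
        for n in " ".join(directive(body, "server_name")).split():
            seen.setdefault(n, []).append((directive(body, "ssl_certificate") or ["(none)"])[0])
    for h in hosts:
        certs = seen.get(h, [])
        if not certs:
            findings.append(f"{h}: no 443 server block, TLS falls through to the default server")
        elif len(certs) > 1:
            findings.append(f"{h}: matched by more than one 443 block, nginx uses the first")
        elif f"/live/{h}/" not in certs[0]:
            findings.append(f"{h}: ssl_certificate {certs[0]} is not this host's Let's Encrypt path")
    return findings
```

To run it against a real droplet, concatenate the files in `/etc/nginx/sites-enabled/` into the `conf` argument and pass the hostnames you expect to serve.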