Eroscripts has no SSL?

Chrome says Eroscripts has no SSL and site may be unsecure? Think there was already a topic but can not find it.


:man_shrugging:

1 Like

K I just get a message each time I connect. Says no HTTPS support.

Are you using a proxy or some old software that doesn’t support TLS 1.3 maybe?

SSL/TLS Client Test - TLS Fingerprinting - BrowserLeaks

nah looks good


There’s an issue/bug with the site’s certificates and/or redirects – they’re not quite configured correctly, which is why you’re seeing an error. I’ve been getting it too but have been too lazy to report it, sorry!

The issue occurs if you type “eroscripts.com” into your browser’s address bar. This will (probably) try to take you to https://eroscripts.com, but the certificate served with the root site isn’t correct (it’s for “discuss.eroscripts.com” not “eroscripts.com”) so you get a certificate mismatch error. This happens before nginx redirects you to discuss.eroscripts.com so you get hit with the error first.

You can see it too if you try to test the server with SSLLabs:
https://www.ssllabs.com/ssltest/analyze.html?d=eroscripts.com&hideResults=on

Result: you get a “Certificate name mismatch” error.

To keep everything as-it-is now, but fix the above issue, here’s how the redirects should work to cover all bases:

#non-secure root domain to secure discuss
http://eroscripts.com → https://discuss.eroscripts.com

#non-secure discuss to secure discuss
http://discuss.eroscripts.com → https://discuss.eroscripts.com

#secure root domain to secure discuss
https://eroscripts.com → https://discuss.eroscripts.com

And here are the certificates required:
eroscripts.com (root)
discuss.eroscripts.com

Or a wildcard certificate:
*.eroscripts.com (which will include the root)

Unfortunately the site only seems to have the current certificate (without root):
discuss.eroscripts.com

I don’t know how this site’s set up – I’m guessing it’s a Docker instance of Discourse? – and that might well use Certbot to configure the LetsEncrypt SSL certificates.

So this is fixable in a few ways. It probably just needs a little tinkering with the nginx config’s redirects and maybe Docker to make sure Certbot generates the certs correctly. For example:

#NGINX example redirects

#non-secure root domain to secure discuss
server {
    listen 80;
    server_name eroscripts.com;

    access_log off; #don't bother logging the redirects

    # For certbot
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        satisfy any;
        allow all;
    }

    return 301 https://discuss.eroscripts.com$request_uri;
}


#non-secure discuss to secure discuss
server {
    listen 80;
    server_name discuss.eroscripts.com;

    access_log off; #don't bother logging the redirects

    # For certbot
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        satisfy any;
        allow all;
    }

    return 301 https://discuss.eroscripts.com$request_uri;
}

#secure root domain to secure discuss
server {
    listen 443 ssl;
    server_name eroscripts.com;

    ssl_certificate /etc/letsencrypt/live/eroscripts.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/eroscripts.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # For certbot
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        satisfy any;
        allow all;
    }
    return 301 https://discuss.eroscripts.com$request_uri;
}


# actual Discourse server stuff below
server {
    listen 443 ssl;
    server_name discuss.eroscripts.com;
....

And then you’d want to tell Certbot, through Docker, to generate your certs (fixing the paths first):

docker run -it --rm \
    -v /path/to/certificates:/etc/letsencrypt \
    -v /path/to/webroot:/var/www/certbot \
    certbot/certbot certonly \
    --webroot -w /var/www/certbot \
    -d eroscripts.com \
    -d discuss.eroscripts.com

I’m not 100% sure how Docker and Certbot play together though, so that may not be entirely right.

BUT! And this is a big but: if you’re going to all that effort, instead of doing all that, why not instead simplify everything and migrate the current “discuss. subdomain site” to plain ol’ eroscripts.com? Then add redirects for discuss.eroscripts.com → eroscripts.com so nothing gets broken and the transition is seamless? :slight_smile:

I’ve never really got why the site runs on a subdomain when the root domain isn’t actually used for anything else. I guess the site was initially set up using a tutorial and the tutorial probably said “well obviously you already have a website, so to add a Discourse forum to your site you’ll want it on a subdomain, let’s use discuss.example.com” but that isn’t the case here.

So given that this whole entire excellent site is eroscripts.com the “discuss.” part of it isn’t needed and it’d be simpler to just use eroscripts.com. If that makes sense? OK I’ll shut up now.

6 Likes
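An added check for the name mismatch described in the post above (example code, not from the thread or the site's operators): it compares a certificate's DNS SAN entries against the names the site has to serve, using RFC 6125 matching, under which a wildcard label covers exactly one label, so the bare root name needs its own SAN entry. The SAN lists in the script are constructed from what the post describes; fetch_san() is an assumed helper that reads the live list when run with network access.

```python
import socket
import ssl

# The two names the thread says must be served over HTTPS.
REQUIRED_NAMES = ["eroscripts.com", "discuss.eroscripts.com"]


def name_matches(san_entry: str, hostname: str) -> bool:
    """RFC 6125-style match of one DNS SAN entry against a hostname.

    A wildcard label matches exactly one label: '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    san_entry, hostname = san_entry.lower(), hostname.lower()
    if not san_entry.startswith("*."):
        return san_entry == hostname
    suffix = san_entry[1:]                  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def missing_names(san_entries, required=REQUIRED_NAMES):
    """Return the required hostnames that no SAN entry in the cert covers."""
    return [h for h in required
            if not any(name_matches(s, h) for s in san_entries)]


def fetch_san(hostname: str, port: int = 443, timeout: float = 5.0):
    """Assumed helper: connect with SNI set to `hostname` (as a browser does)
    and return the DNS names in the served certificate. Chain validation is
    kept on; only the hostname check is disabled so a mismatched but otherwise
    valid certificate is still returned. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN lists mirroring the situations discussed in the post.
    for label, sans in [("current cert", ["discuss.eroscripts.com"]),
                        ("both names", ["eroscripts.com", "discuss.eroscripts.com"]),
                        ("wildcard only", ["*.eroscripts.com"])]:
        print(f"{label}: missing {missing_names(sans)}")
```

Run against a live host with `missing_names(fetch_san("eroscripts.com"))`; an empty list means every required name is covered.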