SSL certificate invalid for www.pidforum.org

When I type “pidforum.org” into my browser (Firefox 94.0.1) it tries to load “https://www.pidforum.org” first, which seems to be a common UX thing for browsers to do by default. In this case it produces a SSL error because the server responds on “www.pidforum.org” but presents a certificate that’s only valid for the bare domain “pidforum.org”. If I accept the certificate, it then redirects to “https://pidforum.org” as (I assume) intended. I think it’s a good idea to keep the redirect from www.pidforum.org to pidforum.org, but the server config needs to be tweaked to present a valid certificate for www.pidforum.org to make the redirect work.

2 Likes

Hi,
this is especially fatal because before the move to NISO the server sent strict-transport-security: max-age=63072000 on the domain name, which makes it impossible to connect once your browser has cached this (e.g. due to the header also being sent before the change to NISO).

Thanks for flagging this and sorry for not spotting it sooner, I’ve been out for the Thanksgiving holiday - I’m now asking my colleague @griffey to look into the issue asap.

1 Like

I will take a look at this asap…it is, let us say, complicated by the way that we ended up having to move the domain over to our control. The downtime from earlier this Fall was because of a DNSSEC issue that was difficult to straighten out, and I’ve been loath to start messing with it again since it was settled.

I’ll get to this as quick as I can…

So this “tweak” is complicated. There is an existing DNS CNAME forward for the non SSL domain (www. to non-www) but as you noted, this doesn’t work if https is explicitly called by the browser, since there’s no corresponding cert.

However, Discourse prefers to run at the non-www address (per Discourse documentation) and uses LetsEncrypt to automagically request/renew the SSL cert for that address. Further, the whole thing is in a Docker container, so the networking is a layer down from where I would normally be able to mess with it.

Between Docker networking and LetsEncrypt Certbot magic, there are…several things…that could break badly in trying to reconfigure. And I actually don’t know enough about the way Discourse handles Docker upgrades to know whether any attempted reconfiguration would break after an aggressive update.

Does anyone here have direct knowledge of this particular stack interaction? Docker to Discourse to LetsEncrypt adding a redirect?

1 Like
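An offline check for the two problems raised in this thread (the certificate covering only the bare domain in the first post, and the cached HSTS policy in the second). This is an added example, not code from pidforum.org or Discourse; the SAN list and the header value are constructed from what the posts describe, not fetched from the server.

```python
"""Check that a certificate's SAN list covers every hostname in a redirect chain,
and how long a cached HSTS policy would keep browsers pinned to HTTPS.
All inputs below are constructed from the thread's description."""

SECONDS_PER_DAY = 86400


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style name match: exact, or a single leftmost wildcard label.
    '*.pidforum.org' covers 'www.pidforum.org' but not the bare 'pidforum.org'
    and not 'a.b.pidforum.org'. Comparison is case-insensitive."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".pidforum.org"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def uncovered_hosts(sans, hosts):
    """Return every hostname in `hosts` that no SAN entry matches."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value -> (max_age_seconds, includeSubDomains).
    max_age is None when the directive is missing or malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def report(sans, redirect_hosts, hsts_header):
    """Summarise what a browser would hit: hosts without a valid cert and
    how many days a cached HSTS policy blocks a click-through on the error."""
    max_age, include_sub = parse_hsts(hsts_header)
    return {
        "uncovered": uncovered_hosts(sans, redirect_hosts),
        "hsts_days": None if max_age is None else max_age // SECONDS_PER_DAY,
        "hsts_subdomains": include_sub,
    }


# Constructed from the thread: cert valid only for the bare domain,
# redirect chain www -> bare, and the HSTS header quoted in the second post.
if __name__ == "__main__":
    print(report(["pidforum.org"], ["www.pidforum.org", "pidforum.org"], "max-age=63072000"))
```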