New platform (work in progress)


(Michael Friedrich) #1

About

This is a new Discourse setup which is being built for the near future. As I prefer development in the open, you can see and follow the progress “live”.

Update 02.01.2018: It is live: Welcome to our #monitoringlove platform

New registration required

The old forum has ~17k users.

I’m hoping that everyone understands that

  • we cannot import all of them here, many inactive and long term users since 2003.
  • we cannot import the passwords.
  • the data in /woltlab is sealed and secured, no-one has access to your private data.

Please register a new account in the upper right corner. Either with your email address or by using GitHub or Twitter oauth (you need to authorise this application to authenticate and fetch your mail address, nothing more).

If you think that someone else has taken your beloved nickname, please send me a PM including the URL to the old forum’s user profile and we’ll sort this out :slight_smile:

Read-only archive at /woltlab

The forum at monitoring-portal.org/woltlab is read-only and allows you (or Google) to search for content and get help. Redirects are in place.

New posts here

You cannot reply, like, create, etc. in the archive - please start a new thread there with a URL to the archived thread.

Updates

(01.01.2018 18:32 CEST)

You can

  • register an account (local, Twitter/GitHub oauth)
  • learn from discobot tutorials
  • create topics and ask your questions
    • yes, start here please, bring this platform to life :+1:
  • start writing howtos
  • explore Discourse and suggest updates/features
  • apply as moderator or admin (PM me)

Notable Changes

General insights into Discourse: https://meta.discourse.org & https://github.com/discourse

  • The primary and only language on this platform is English.
  • Posts can be written using Markdown, just like GitHub. The right panel provides a live Markdown preview as you type.
  • Threads can be “wiki” style. This will be enabled for howtos and other entries.
  • The best solution can be accepted by the author (“solve the thread”).
  • Endless page scrolling
  • Responsive design
  • Conversations and asking questions are simplified
  • Spam prevention. No captchas against bots, but Akismet against user spam: https://github.com/discourse/discourse-akismet (you know it from WordPress)
  • This platform is open source only. Enterprise editions won’t be discussed.

Categories

  • Icinga is number one in traffic in the old forum; only the 2.x categories have been added. 1.x is gone for good, as it is EOL.
  • Nagios is low traffic, so I merged it into OMD where two candidates already sit: Labs and CheckMK.
  • Job offers and the “misc” category are fully gone. They just bloat the layout.
  • Addons & Plugins has been split into more generic categories (as I use to call them in my Icinga talks)
  • Archived categories in the old forum have not been added again. Naemon also is gone, there wasn’t much activity. Use “Nagios” if needed.
  • Anything else doesn’t mean garbage, instead it should help to test with posts and tests. It doesn’t receive much attention at the bottom though.
  • Howto as category allows you to write wiki articles editable by others.

Ongoing tasks

  • Find and fix bugs
  • A bit more styling and customizing
  • Optimize performance
  • Upgrade Ubuntu platform (and Nginx)
  • Publish setup documentation (95% done in here already)

Done

(in this order)

Setup

  • External mailing currently via smtp.easyname.com (in case you’re wondering about changed headers)
  • Discourse Docker environment


(adopted for 14.04)

mkdir /var/discourse
 
git clone https://github.com/discourse/discourse_docker.git /var/discourse

cd /var/discourse
./discourse-setup

  • Nginx proxy

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1091/37/certificate-installation--nginx

apt-get install nginx

rm /etc/nginx/sites-enabled/default

vim /etc/nginx/sites-available/proxy.conf
server {
    listen 80; listen [::]:80;
    server_name monitoring-portal.org;
    # enforce https
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;  listen [::]:443 ssl;
    server_name monitoring-portal.org;
    # debug
    # rewrite_log on;
    # error_log    /var/log/nginx/monitoring-portal.org.debug.log debug;
    # debug

    ##### TLS
    ssl on;
    ssl_certificate      /etc/nginx/ssl/monitoring-portal.org-bundle.crt;
    ssl_certificate_key  /etc/nginx/ssl/monitoring-portal.org.key;

    # Don't support SSLv3 and TLSv1
    ssl_protocols TLSv1.1 TLSv1.2;

    # Strict limit to avoid weak ciphers
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;

    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver ns1.netways.de;

    # Cache SSL sessions: builtin cache of 1000 sessions plus a 10 MB cache shared between workers
    # This improves performance by avoiding the costly session negotiation process where possible
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 5m; # this is a default, but can be changed
    ssl_session_tickets off;

    ##### HSTS for A+ rating
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    ##### Stats
    #location /basic_status {
    #   stub_status;
    #}

    ##### Old Woltlab platform

    # Fallback for old redirects (3.x Redirector).
    location /wbb {
        rewrite ^/wbb(.*)$ /woltlab/wbb/$1 permanent;
    }
    # Help bots to find the new URLs.
    location /cms {
        rewrite ^/(.*)$ /woltlab/$1 permanent;
    }
    # WBB uses index.php everywhere, Discourse does not. Help bots.
    # Note MF: The leading slash is important!
    location /index.php {
        rewrite ^(.*)$ /woltlab$1 permanent;
    }
    # Redirect cached JS requests
    location /js/WBB.min.js {
        rewrite ^(.*)$ /woltlab$1 permanent;
    }

    location /woltlab {
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header   X-Real-IP $remote_addr;
        # https://stackoverflow.com/questions/4616521/nginx-configuration-leads-to-endless-redirect-loop
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    ##### New Discourse platform

    # Error page if Discourse socket is unreachable
    location /errorpages/ {
        alias /var/discourse/shared/errorpages/;
    }

    # Custom static images
    location /static/images/ {
        alias /var/discourse/shared/static/images/;
    }

    location / {
        error_page 502 =502 /errorpages/discourse_offline.html;
        proxy_intercept_errors on;
        # Requires containers/app.yml to use websockets
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

ln -s /etc/nginx/sites-available/proxy.conf /etc/nginx/sites-enabled/proxy.conf
 
service nginx restart

Many thanks to @adhutch for testing the redirects :heart:

  • Offline site when rebuilding Discourse
  • Discourse via UNIX socket to Nginx

cd /var/discourse

vim /var/discourse/containers/app.yml
 

# egrep -v "^$|#" /var/discourse/containers/app.yml
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
expose:
params:
  db_default_text_search_config: "pg_catalog.english"
env:
  LANG: en_US.UTF-8
  DISCOURSE_HOSTNAME: monitoring-portal.org
  DISCOURSE_DEVELOPER_EMAILS: 'michael.friedrich@gmail.com'
  DISCOURSE_SMTP_ADDRESS: smtp.easyname.com
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: xxx
  DISCOURSE_SMTP_PASSWORD: xxx
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-akismet.git
          - git clone https://github.com/discourse/discourse-solved.git
run:
  - exec: echo "Beginning of custom commands"
  - exec: echo "End of custom commands"


./launcher rebuild app

Archive

  • Woltlab-Forum is available at /woltlab

Plugins

Basics and Import

  • Test-drive GitHub and Twitter oauth login
  • Find the best category layout
  • Update category descriptions
  • Import pinned and important threads from old platform

Static Content

  • Update FAQ and other pages
  • Add sponsors/logos
  • Add default tags
  • Test-drive solved threads
  • Explore hidden features, e.g. keyboard shortcuts
  • Discourse help with Markdown, etc. in the FAQ

Footer

<footer class="site-footer">
    <div class="wrap">
        <p><a href="/privacy">Privacy Policy</a>, <a href="/tos">Legal Notice</a> & <a href="/faq">FAQ</a>.
        Thanks to <a href="https://www.netways.de" target="_blank">NETWAYS</a> for hosting and sponsoring SSL certificates.
        Monitored with <a href="https://www.icinga.com">Icinga</a>.
        </p>
        <a href="https://www.netways.de" target="_blank"><img src="/static/images/hosted_by_netways_logo.svg" width=150 alt="Hosted by NETWAYS"></a>
    </div>
</footer>

Discobot Tutorial

Wiki

  • Add threads as “wiki” entry where users can edit. This involves
    • Howtos

Badges

Plugins

  • Evaluate plugins: Nothing more than solved and akismet is needed currently.

Announcement

  • Announce new platform via old platform admin mailing, social media, etc.

https://monitoring-portal.org/t/welcome-to-our-monitoringlove-platform/157/2


(Michael Friedrich) #2

(Michael Friedrich) #3

Discourse offers a browser site search (Chrome specific I guess).


(Michael Friedrich) #4

monitoringlove

You can like posts (as it was before, but with more :heart:).

Emojis and Image Uploads

Discourse also supports emojis (hint: try it out). Image uploads work the same way as known from GitHub, including automated resizing in the background.

Share your love

Social sharing is also enabled for each post, this makes it easier to copy paste or directly tweet it :wink:


(Michael Friedrich) #5

Image Upload

You can also paste a URL from the web and embed the image.

Hint

In order to stay safe, Discourse starts a system job to download a local cached copy. It then automatically updates the post :heart:


(Michael Friedrich) #6

Discourse also knows when someone else is currently replying. It keeps your sessions opened among many tabs too.

Whilst replying to a thread, I saw that @mcktr is here too :heart:


#7

As you answered I saw it instantly, without reloading the page :slight_smile:


(Michael Friedrich) #8

Hehe. I built the Docker environment based on the latest 1.9 beta on Thursday, thought I would need to do more and rebuild the app more often. This really runs stable :slight_smile:

Some technical background

  • Ruby on Rails app written in ember.js
  • Ruby message bus system
  • unicorn as rails web app running in Nginx
  • sidekiq executes events, e.g. sending mails for notifications
  • PostgreSQL as primary storage backend
  • Redis for caching

Technical advantages over Woltlab

  • realtime jobs, no fake cronjobs where one needs to query the URL
  • markdown support builtin everywhere
  • scalable architecture with PostgreSQL & Redis. Remember that Woltlab costs extra with Elasticsearch for the search.
  • modern JS and CSS
  • real oauth

Well, and obviously things I haven’t found out yet. It has page load stats, logs without creepy error ids (but searchable), a rest api, even monitoring URL endpoints.


#9

The markdown support is a really good and nice advantage. I sometimes had weird formatting in the woltlab board when I used the code tags. I think the markdown support here will help a lot for quick and easy formatting. :slight_smile:


(Michael Friedrich) #10

To be honest - the HTML editor in Woltlab has become worse in 5.x (and that for an app you pay money for). It literally slows me down when replying. And the JS doesn’t allow to copy into a terminal, I always have strange UTF8 characters in my config.

That, and many other small things made me think how I could solve the existing setup with an Nginx proxy in front of 2 docker containers (woltlab and discourse), plus solving the mail problem with an external mail provider instead of taking care of that myself.

Right now I am filling the categories with content - need to look it up how to make it a wiki, but still, mods can edit. Then I will link from the FAQ directly to those sub posts.

Once that’s done, I’ll look into general styling (or wait until Florian is back in the office, he’s my UX guru).

Tags are filling as I write. There’s a trust system in place which prevents users with level 0 from doing more than basic things. Creating tags will be granted with level 1 for example. It is a learning system, and honours work with likes and badges.


(Nicolai) #11

Maybe you want to use Diffie-Hellman parameters in the nginx config:

Generate dhparams

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

and add to nginx.conf

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

(Michael Friedrich) #12

Good point, thank you (that’s why I’ve posted everything above :heart: )

-> https://www.sherbers.de/howto/nginx/

I’ll also update Nginx away from Ubuntu’s one into their up-to-date repository (that’s an ongoing step in the future).

Discourse also has a plugin which analyses the Nginx logs, and puts stats into a thread for admins. That way I can easily analyse wrong redirects.

I’ve just fixed

  • the footer images which contained hardcoded image paths, added /woltlab (forgot about Woltlab’s template engine)
  • /js/WBB.min.js seems to be cached in many places, now properly redirects

Config above is updated soon.


(Michael Friedrich) #13

The about page lists admins & moderators: https://monitoring-portal.org/about

Thank you for joining here, @KevinHonka @mcktr @sysadmama and following our journey :heart:

PS: You can start typing to search for emojis just like on GitHub. Start with a colon and then e.g. h e a r t.


(Michael Friedrich) #14

  • TOS & Privacy Policy have been updated too; they contain the legal information required by German law.
  • A footer has been added, this links to the legal page (required by German law on all pages) and says thanks. Couldn’t help myself, I get notifications from our Icinga at NETWAYS for this site, needed to add this. The logo is a requirement by my employer for hosting this site without any fees to pay for.

<footer class="site-footer">
    <div class="wrap">
        <p><a href="/privacy">Privacy Policy</a>, <a href="/tos">Legal Notice</a> & <a href="/faq">FAQ</a>.
        Thanks to <a href="https://www.netways.de" target="_blank">NETWAYS</a> for hosting and sponsoring SSL certificates.
        Monitored with <a href="https://www.icinga.com">Icinga</a>.
        </p>
        <a href="https://www.netways.de" target="_blank"><img src="/static/images/hosted_by_netways_logo.svg" width=150 alt="Hosted by NETWAYS"></a>
    </div>
</footer>


(Michael Friedrich) #15

I’ve read a bit on meta.discourse.org yesterday, and I’ve found that they use the platform as bug tracker. Not so important here, but they also document every little thing in Discourse themselves.

Meaning to say, a “Howto” category with topics as wiki entries.

This made me think - I love writing documentation in Markdown. I also love writing howtos (just don’t have the time to). Do you think the same? :wink:

Let’s try this: Guidelines for writing howtos


(Michael Friedrich) #16

And the awesome discobot learning system, if you haven’t found out by yourself: New users: Explore Discourse with discobot


(Michael Friedrich) #17

Badges

I want to add more awards for solving threads. A similar thing is already live here:

https://meta.discourse.org/badges/125/helpdesk
https://meta.discourse.org/badges/126/tech-support

The solved plugin is officially supported by Discourse, as mentioned here: https://meta.discourse.org/t/discourse-solved-accepted-answer-plugin/30155

Adding the badge SQL isn’t possible via the web interface by default (web admins fiddling in the database or something like that). Must be enabled manually: https://meta.discourse.org/t/badge-sql-can-no-longer-be-edited-by-default/47894

root@monitoring-portal:/etc/nginx/ssl# cd /var/discourse/
root@monitoring-portal:/var/discourse# ./launcher enter app

root@monitoring-portal-app:/var/www/discourse# rails c

[1] pry(main)>
[2] pry(main)> SiteSetting.enable_badge_sql = true
=> true
[3] pry(main)>

No app rebuild necessary, this is magic rails.


(Michael Friedrich) #18

“solved topics” now provide 4 more badges, more here: Honouring your community work


(Michael Friedrich) #19

(Michael Friedrich) #20

discobot certificate rendering fixed

So, I was investigating why SVG rendering in discobot’s certificate did not work.

Turns out, the rails log says that ruby cannot verify the SSL certificate. Hum. Reading this thread sheds some light, it attempts to fetch the site logo directly via https and embed it into SVG. Still, the logo setting is there and the logo itself can be fetched.

Started GET "/discobot/certificate.svg?date=Jan+01+2018&user_id=60" for 93.193.119.217 at 2018-01-01 14:40:28 +0000
Processing by DiscourseNarrativeBot::CertificatesController#generate as SVG
  Parameters: {"date"=>"Jan 01 2018", "user_id"=>"60"}
Completed 500 Internal Server Error in 1956ms (ActiveRecord: 22.2ms)
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed)
/usr/local/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock'

Reads like a generic Ruby SSL verification failure.

root@monitoring-portal:/var/discourse# docker exec -ti app bash
root@monitoring-portal-app:/# irb
irb(main):001:0> require 'open-uri'; open 'https://monitoring-portal.org'
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
	from /usr/local/lib/ruby/2.4.0/net/protocol.rb:44:in `connect_nonblock'
	from /usr/local/lib/ruby/2.4.0/net/protocol.rb:44:in `ssl_socket_connect'
	from /usr/local/lib/ruby/2.4.0/net/http.rb:948:in `connect'
	from /usr/local/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
	from /usr/local/lib/ruby/2.4.0/net/http.rb:876:in `start'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:323:in `open_http'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:741:in `buffer_open'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:212:in `block in open_loop'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:210:in `catch'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:210:in `open_loop'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:151:in `open_uri'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:721:in `open'
	from /usr/local/lib/ruby/2.4.0/open-uri.rb:35:in `open'
	from (irb):1
	from /usr/local/bin/irb:11:in `<main>'

So, the browser thinks the certificate is valid, but client libraries do not. Let’s investigate directly with OpenSSL.

openssl s_client -connect monitoring-portal.org:443 -showcerts -CApath /etc/ssl/certs


CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = monitoring-portal.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = monitoring-portal.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=monitoring-portal.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=monitoring-portal.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2548 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3C82B6C72D31E81A5EDEF002256FEF9912077EC94FCAFCCF3454D5D8D4322D8B
    Session-ID-ctx:
    Master-Key: 3DB5BADE9C095DC20677499BC1D0FDCAE3A986115CF62C3ECBA338BDA842DB7E2EE3CAD6940CC55E0EDDC1A2690D644A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - fe cb 2d 28 9c 85 56 71-fe 38 a7 bb 9b ba cc 01   ..-(..Vq.8......
    0010 - fc 60 fe cb ce 12 06 0f-2a c2 5d 8b 32 47 c2 72   .`......*.].2G.r
    0020 - e4 31 18 ea 01 b3 3c da-31 c0 3e 63 fd 8b ba 40   .1....<.1.>c...@
    0030 - 0c fc db dd cd 27 78 ae-91 5c c0 50 5a c8 5d d2   .....'x..\.PZ.].
    0040 - 50 e5 07 8a 28 7b 1e cd-ef 1e f4 69 cd e8 d9 d9   P...({.....i....
    0050 - 30 f5 e2 17 e4 49 7e 9a-bf 89 d2 54 b2 70 70 a5   0....I~....T.pp.
    0060 - 11 5a d8 6b bb 6b a1 34-4f b5 df b6 60 8f 86 ae   .Z.k.k.4O...`...
    0070 - 1e 30 af 1d 57 a2 6e c9-61 ad 1b be ca d5 b9 ed   .0..W.n.a.......
    0080 - 26 d2 1d 06 b9 02 8d 49-e2 af 24 03 80 14 7d 65   &......I..$...}e
    0090 - 46 cd 07 7f c8 0f f7 47-ac dd e0 11 c7 96 3e 6a   F......G......>j
    00a0 - df 37 2b 80 c1 e5 5c b0-df 17 a5 fc 31 80 05 63   .7+...\.....1..c

    Start Time: 1514842753
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

The additional return code brought me to some interesting threads.


https://support.comodo.com/index.php?/Knowledgebase/Article/View/1091/37/certificate-installation--nginx
https://mozilla.github.io/server-side-tls/ssl-config-generator/

I’ve never heard of OCSP inside certificates, but it reminds me of SRV DNS records for Exchange.

After setting those, everything works fine. Turns out, they are not optional as the Comodo knowledge base implies.

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = monitoring-portal.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=monitoring-portal.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=monitoring-portal.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5502 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 822306AB700E26BC19012429539D65B2F69AD2B16D53C2941157D9F607E2A2EA
    Session-ID-ctx:
    Master-Key: 243D72B4C0B735046F45FC435EE523A1D1D4C7F4BD0F1314D71925EBEDA38C1FE4771C98AEC5637FFD658194A9E0EE70
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - da 99 14 49 6a dc 0a bd-ce 1a fc b4 b7 7f f3 98   ...Ij...........
    0010 - 1d d9 64 ca c1 9f 4e 61-b9 de 04 88 fd e4 47 31   ..d...Na......G1
    0020 - 08 0d 55 87 59 e7 f7 19-a7 52 bd 1f d1 c8 e8 d3   ..U.Y....R......
    0030 - f3 c7 a3 2c 79 7a c7 b4-13 2f 46 37 bd 6f 36 b8   ...,yz.../F7.o6.
    0040 - 95 00 f6 5f 03 c2 93 79-0b 8b 89 f6 59 2d 37 0b   ..._...y....Y-7.
    0050 - 20 e7 27 b3 aa c4 74 46-db 8f 41 a9 64 c6 cf b1    .'...tF..A.d...
    0060 - d8 91 39 fe ad 40 77 6b-6f 5e 41 f2 0f 9f 06 c9   ..9..@wko^A.....
    0070 - a8 69 8d 15 d5 bd db aa-c3 2c 65 36 64 87 5b 6b   .i.......,e6d.[k
    0080 - 94 30 63 d7 51 b3 53 04-52 77 61 30 fb c2 23 57   .0c.Q.S.Rwa0..#W
    0090 - ba e4 48 39 d6 71 69 80-24 bd 62 be 8e c2 10 c1   ..H9.qi.$.b.....
    00a0 - c0 00 cc 2f c4 05 f8 de-38 98 97 11 f7 f9 e2 b0   .../....8.......

    Start Time: 1514844216
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Rationale

Some of you tried the discobot tutorial, and ran into a 500 when rendering the certificate image. This is now fixed, just navigate into the private message conversation again. @mcktr

PS: Years ago I would have banged my head against the wall. Doing lots of OpenSSL with Icinga 2 & Dashing helped a lot.
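
The two `openssl s_client` runs in the post above differ in the chain the server presents: the failing run lists only certificate 0, the passing run lists certificates 0 to 2. The Ruby sketch below is an added example (not code from this thread or from Discourse) that reproduces that difference offline with a constructed three-level test PKI and lints a PEM bundle for gaps; the helper names `issue`, `parse_bundle`, `bundle_gaps` and `client_verify` are hypothetical.

```ruby
require 'openssl'

# Build one certificate of a constructed test PKI (not the site's real certificates).
def issue(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Split a PEM bundle (the kind of file ssl_certificate points at) into certificates.
def parse_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

def issued_by?(child, parent)
  child.issuer.to_s == parent.subject.to_s && child.verify(parent.public_key)
end

# Offline lint: every certificate must be signed by the next one in the file,
# and the last one must be signed by a root the client already trusts.
def bundle_gaps(certs, trusted_roots)
  return ['bundle contains no certificates'] if certs.empty?

  gaps = []
  certs.each_cons(2).with_index do |(child, parent), i|
    next if issued_by?(child, parent)

    gaps << "certificate #{i} is not issued by certificate #{i + 1}"
  end
  last = certs.last
  unless trusted_roots.any? { |root| issued_by?(last, root) }
    gaps << "no trusted root issued the last certificate (issuer: #{last.issuer})"
  end
  gaps
end

# A client library that trusts only its root store and uses exactly the
# certificates the server sent, as Ruby's Net::HTTP did in the irb session.
def client_verify(presented, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  leaf, *rest = presented
  ok = store.verify(leaf, rest)
  [ok, store.error, store.error_string]
end

# Constructed chain: root -> intermediate -> leaf.
root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = issue('Constructed Root CA', root_key, ca: true, serial: 1)
INTER = issue('Constructed Intermediate CA', inter_key,
              issuer: ROOT, issuer_key: root_key, ca: true, serial: 2)
LEAF  = issue('portal.example', leaf_key, issuer: INTER, issuer_key: inter_key, serial: 3)

LEAF_ONLY = LEAF.to_pem                 # chain as seen in the failing s_client run
FULL      = LEAF.to_pem + INTER.to_pem  # leaf first, then the intermediate

{ 'leaf only' => LEAF_ONLY, 'full bundle' => FULL }.each do |name, pem|
  certs = parse_bundle(pem)
  ok, code, msg = client_verify(certs, [ROOT])
  puts "#{name}: verify=#{ok} code=#{code} (#{msg}) gaps=#{bundle_gaps(certs, [ROOT]).inspect}"
end
```

To lint a real deployment, pass `parse_bundle(File.read(path))` for the file that `ssl_certificate` points at, together with the roots from the client's CA store, before reloading nginx.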