SSL Certificate by Cloudron not trusted
-
I moved a WordPress install over to Cloudron, switching the domain's DNS in the process, and since then when trying to access this particular domain (slappersonly.co), browsers give a certificate error.
However, there are some oddities: a few refreshes seem to do the trick for me to get the site and WP admin loading, but only until I restart my browser. On the browser I was logged in to before the DNS switch, I get the "you found a cloudron in the wild" message at the WordPress admin page, but the landing page works fine. I've tried clearing my cache and resetting the settings for the domain on my browser, but it has not affected the situation from my browser.
After asking a handful of friends and family to check, it appears that the SSL error is the thing that the public sees. I've attached a screenshot.
Using the DigitalOcean API, Cloudron was generating the default certificate (Let's Encrypt Prod - Wildcard) so I changed it to Let's Encrypt Prod and still nothing.
Have renewed all certs multiple times. Have refreshed DNS from the original provider multiple times. Have rebooted multiple times. Cloudron v6.0.1
Certificate logs:
Jan 15 04:00:00 box:settings initCache: pre-load settings
Jan 15 04:00:01 box:taskworker Starting task 162. Logs are at /home/yellowtent/platformdata/logs/tasks/162.log
Jan 15 04:00:01 box:tasks 162: {"percent":2,"error":null}
Jan 15 04:00:01 box:tasks 162: {"percent":1,"message":"Renewing certs of my.slappersonly.co"}
Jan 15 04:00:01 box:reverseproxy ensureCertificate: my.slappersonly.co certificate already exists at /home/yellowtent/boxdata/certs/my.slappersonly.co.key
Jan 15 04:00:01 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/my.slappersonly.co.cert Certificate will not expire 0
Jan 15 04:00:01 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/my.slappersonly.co.cert subject=CN = my.slappersonly.co domain=my.slappersonly.co issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=false/false prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Jan 15 04:00:01 box:tasks 162: {"percent":34,"message":"Renewing certs of my.slappers-only.com"}
Jan 15 04:00:01 box:reverseproxy ensureCertificate: my.slappers-only.com certificate already exists at /home/yellowtent/boxdata/certs/my.slappers-only.com.key
Jan 15 04:00:01 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/my.slappers-only.com.cert Certificate will not expire 0
Jan 15 04:00:01 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/my.slappers-only.com.cert subject=CN = my.slappers-only.com domain=my.slappers-only.com issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=false/false prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Jan 15 04:00:01 box:tasks 162: {"percent":67,"message":"Renewing certs of slappersonly.co"}
Jan 15 04:00:01 box:reverseproxy ensureCertificate: slappersonly.co certificate already exists at /home/yellowtent/boxdata/certs/slappersonly.co.key
Jan 15 04:00:01 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/slappersonly.co.cert Certificate will not expire 0
Jan 15 04:00:01 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/slappersonly.co.cert subject=CN = slappersonly.co domain=slappersonly.co issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=false/false prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Jan 15 04:00:01 box:reverseproxy renewCerts: Renewed certs of []
Jan 15 04:00:01 box:taskworker Task took 0.209 seconds
Jan 15 04:00:01 box:tasks setCompleted - 162: {"result":null,"error":null}
Jan 15 04:00:01 box:tasks 162: {"percent":100,"result":null,"error":null}
I have plenty of other WP installs with cloudron and this is the only domain that has ever given me issues. Thanks for any help.
-
@jordanurbs FWIW, the ssl cert of your site is actually fine here. I wonder if this is just some caching issue? Do you see this if you switch browsers/devices? I suspect that the DNS switch from old IP to new IP (or something like that) is not completely propagated and as a result it is trying to contact some other server (and thus the cert warning).
-
@girish thanks for looking into it and yeah, it's got every sign of a browser cache issue but I can't pinpoint the actual problem as clearing caches doesn't seem to fix it. Been happening on multiple browsers. I'll check with the domain host and registrar...
-
@jordanurbs you might have to clear HSTS and not just the cache.
-
@jordanurbs I think it's a question of DNS propagation. Can you ping the domain in question from your computer, and check if the IP in question corresponds to the new server, or the old one ?
-
@girish @mehdi Thank you. I found out that the domain registrar, who had been the domain's host prior to me taking over, was still attempting to generate a Let's Encrypt certificate.
I am assuming that is the issue. I couldn't find any issue with curl (it just showed me the html source?) and dig, host and ping all show the correct IP. As soon as I can close all my tabs to clear HSTS I'll be able to confirm that all is well.
One thing that might be an issue, what about users whose browsers all still carry the old cert settings? I can't have everyone reset their hsts settings.
-
@jordanurbs said in SSL Certificate by Cloudron not trusted:
One thing that might be an issue, what about users whose browsers all still carry the old cert settings? I can't have everyone reset their hsts settings.
I think most likely this issue is only on your machine and not on others. At least, it works for me fine across multiple devices.
-
@girish A little update. I cleared my HSTS settings and sure enough it's fine on my machines.
But I also asked a handful of other people to check the domain. Some who have visited the domain before, some who hadn't. They all get the Cloudron in the wild error, particularly when using www before the domain... any ideas?
I've just about given it up and moved it all over to a fresh domain but I figure you should know about it.
-
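The checks suggested earlier in this thread (does the name resolve to the new server from where you sit, which certificate that server actually hands back for the name, and whether an HSTS policy is what keeps a browser on the failing path) can be run from one script. What follows is an added example written for this page; it is not Cloudron code and not something any poster ran. It uses only the Python standard library and assumes HTTPS on port 443 with a publicly trusted chain (ssl's getpeercert() returns no parsed fields for an untrusted chain, so such a server is reported as a TLS failure rather than inspected). The pure helpers also make a general point worth knowing when a site works at one spelling of the name and not another: a certificate issued for slappersonly.co does not cover www.slappersonly.co, and a wildcard for *.slappersonly.co does not cover the bare apex.

```python
"""Added diagnostic: why might a browser call a cert untrusted when the server looks fine?

For one hostname: resolve it from this machine, connect to each address with and
without SNI and see whose certificate comes back, check that the certificate's
names really cover the hostname, and read the HSTS policy the site sends.
Standard library only; example code, not Cloudron's own tooling.
"""
import socket
import ssl
import sys


def hostname_matches(hostname, names):
    """RFC 6125-style check: exact match, or a single leading wildcard label that
    covers exactly one label.  '*.example.com' matches www.example.com but not
    example.com (the apex) and not a.b.example.com."""
    hostname = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def parse_hsts(header_value):
    """Return (max_age_seconds, include_subdomains) from a Strict-Transport-Security
    value, or None if the header is absent or has no usable max-age."""
    if not header_value:
        return None
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif key == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def cert_names(cert):
    """Names a certificate is valid for: SAN dNSNames, else the subject CN.
    `cert` is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def get_header(raw_response, name):
    """Case-insensitive lookup of one header in a raw HTTP/1.1 response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def fetch_cert(ip, hostname, sni=True, timeout=5):
    """Leaf certificate that ip:443 presents.  sni=False shows what a non-SNI
    client, or a request that lands on the wrong vhost, would be given."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we compare names ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # a trusted chain is still required
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if sni else None) as tls:
            return tls.getpeercert()


def fetch_hsts(ip, hostname, timeout=5):
    """HEAD / against a specific address with the right Host and SNI; return parsed HSTS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_hsts(get_header(data, "strict-transport-security"))


def diagnose(hostname):
    """Print what this machine resolves, what each address serves, and the HSTS policy."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    ips = sorted({ai[4][0] for ai in infos})
    print(f"{hostname} resolves here to: {', '.join(ips)}  (compare with dig @<other resolver>)")
    for ip in ips:
        for sni in (True, False):
            try:
                names = cert_names(fetch_cert(ip, hostname, sni=sni))
                verdict = "MATCH" if hostname_matches(hostname, names) else "MISMATCH"
                print(f"  {ip} sni={sni}: cert names={names} -> {verdict}")
            except (ssl.SSLError, OSError) as exc:
                print(f"  {ip} sni={sni}: TLS failed: {exc}")
        try:
            print(f"  {ip} HSTS (max_age, includeSubDomains): {fetch_hsts(ip, hostname)}")
        except (ssl.SSLError, OSError) as exc:
            print(f"  {ip} HSTS: request failed: {exc}")


if __name__ == "__main__":
    diagnose(sys.argv[1])  # e.g. python3 tlsdiag.py www.example.com
```

Run it once against the apex and once against the www name, and once from a machine on a different network; a MISMATCH with sni=False is expected on a shared host, but a MISMATCH with sni=True, or an address that differs from what the new server should have, is the kind of thing the posters above were chasing. A non-None HSTS result with a large max-age explains why a browser that once saw a bad certificate keeps refusing until its HSTS entry is cleared.
-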
@jordanurbs It doesn't look like you have an app installed on the domain at all. Can you send me the domain to support@cloudron.io or alternately you can post it here if the site is public anyway.
-
@girish so I created a new WP install on a different cloudron for the domain, https://slappersonly.co -- everything seems in order now, even for people who had errors before. Meanwhile I switched the older WP install to a new domain on the original cloudron, https://slaps.vip. There do not seem to be any issues for either domain now.
Not too terribly inconvenient as the 2 sites serve different purposes for the same brand, but bizarre nonetheless.