Cloudron Forum
Domain cleanup lacking, by design?

Support | Solved
Tags: certificates, letsencrypt
11 Posts, 3 Posters, 1.7k Views
#1 Shai wrote (last edited by girish):

      Yesterday I was having trouble with a cert. It turns out the underlying problem may have been Let's Encrypt being down for some time. Which is probably a pretty rare event.

      In my troubleshooting attempts I tried switching to a staging cert. It was after I made that switch that Let's Encrypt seemed to come back online. And so I got a staging cert. Which was of no help since the site was actually a production site and the browser warnings are ominous.

      The log message when I clicked "Renew all certs" was that no cert was issued because one already existed. I had already edited the domain and chosen "wildcard prod" but that didn't make a difference.

      In fact, deleting the domain from my.example.com/#/domains and re-adding (also with Wildcard prod) did nothing.

      Then I ssh-ed into the Ubuntu 20.04 server Cloudron runs on and went to: /home/yellowtent/boxdata/certs

      and I

      sudo rm exampleapp.com*
      sudo rm _.exampleapp.com*
      

      I went back to my.example.com/#/domains and clicked "Renew all certs" and all was good.

      While I was in /home/yellowtent/boxdata/certs I noticed that any domain that I had previously deleted still had certs there.

      Is this by design? If so, why?

      Also, how is one supposed to replace a staging cert with prod one?


#2 girish (Staff) wrote:

        @shai yes, old certs are not removed intentionally. This is because LE has rate limits for getting certs. So, if you say uninstall an app "test.exampleapp.com" and install again, we don't delete the certs at uninstall time and re-use certs from the previous install.


#3 d19dotca wrote:

          @girish It might be good to have a prompt when deleting a domain if a user wants to delete the related certs too (much like how we changed the email deletion prompt to also ask whether to keep the contents on disk or delete the contents from disk). Or just behind-the-scenes delete the certs after a short period of time (a few days?) for a removed domain. Keeps things clean.

          --
          Dustin Dauncey
          www.d19.ca


#4 girish (Staff) wrote:

            @d19dotca mm, possibly. We then have to explain cert rate limits etc. I will keep this open in case it comes up again but for now one can just delete those files and Cloudron will simply get a new cert.


#5 Shai wrote:

              @girish is there any way to delete unwanted certs via the my.example.com Cloudron dashboard? Or is it the case that ssh'ing into the server and deleting them at /home/yellowtent/boxdata/certs is the only way?

              Also, I suggest that the Cloudron cert documentation explicitly mention that switching to a prod cert from staging requires that the staging certs be deleted.


#6 d19dotca wrote:

                @shai You'd need to SSH to it to delete the certs.

                --
                Dustin Dauncey
                www.d19.ca


#7 girish (Staff) wrote:

                  @shai said in Domain cleanup lacking, by design?:

                  Also, I suggest that the Cloudron cert documentation explicitly mention that switching to a prod cert from staging requires that the staging certs be deleted.

                  This seems like a bug. We actually have code to do this automatically - https://git.cloudron.io/cloudron/box/-/blob/master/src/reverseproxy.js#L122 . Let me see why it fails.

#8 girish (Staff) wrote:

                    I have verified this works now. There are lots of cert related changes in the master branch, so it probably got fixed magically.


#9 d19dotca wrote:

                      @girish I was looking through the list of certs on my server, and found many certs that haven't been used for at least 4 - 9 months. This is likely more applicable when using individual certs per app hostname as opposed to wildcard certs, but I would suggest it makes sense to automatically clean up certs from the file system at least 3 months after they expire. What good is a Let's Encrypt cert that's 6 months old (expired 3 months ago), for example?

                      --
                      Dustin Dauncey
                      www.d19.ca


#10 girish (Staff) wrote:

                        @d19dotca sounds like a good idea, i made a task - https://git.cloudron.io/cloudron/box/-/issues/783


#11 girish (Staff) wrote:

                          @d19dotca I fixed this now. It cleans up certs which expired 6 months ago.

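The audit script below is an added example written for this thread; it is not Cloudron's own code (Cloudron's real cleanup lives in box/src/reverseproxy.js, linked in post #7). It covers the two situations the thread raises: the staging cert from post #1 that would not be replaced by a production one until it was removed from /home/yellowtent/boxdata/certs, and the long-expired certs that post #11 says are now cleaned up after 6 months. It reads each certificate's issuer CN and notAfter with a minimal DER walker (no third-party library), flags Let's Encrypt staging issuers by the "(STAGING)" marker in their CN, and flags certs expired more than 183 days ago as stale. It only reports and deletes nothing. The file suffixes .cert/.crt/.pem, the example hostnames, and the fake unsigned certificates that demo() builds are assumptions and constructed data, not Cloudron's actual on-disk format.

```python
# Added example, not Cloudron's code. Audits a certs directory for Let's Encrypt
# staging certs (issuer CN carries "(STAGING)") and for certs expired more than
# 6 months ago. Reports only; assumes cert files end in .cert/.crt/.pem.
import base64
import datetime as dt
import os
import tempfile

OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
CLEANUP_AGE = dt.timedelta(days=183)        # ~6 months past expiry, as in post #11

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _tlv(buf, pos)
        yield tag, vs, ve

def parse_cert(der):
    """Return (issuer_cn, not_after) from a DER X.509 cert; no signature check."""
    _, tbs_s, tbs_e, _ = _tlv(der, _tlv(der, 0)[1])     # Certificate -> tbsCertificate
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                              # optional explicit [0] version
        fields = fields[1:]
    issuer, validity = fields[2], fields[3]               # serial, sigAlg, issuer, validity
    issuer_cn = None
    for _, set_s, set_e in _children(der, issuer[1], issuer[2]):      # RDN SETs
        for _, atv_s, atv_e in _children(der, set_s, set_e):          # type-and-value pairs
            oid, value = list(_children(der, atv_s, atv_e))
            if der[oid[1]:oid[2]] == OID_COMMON_NAME:
                issuer_cn = der[value[1]:value[2]].decode("utf-8")
    tag, t_s, t_e = list(_children(der, validity[1], validity[2]))[1]  # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"         # UTCTime / GeneralizedTime
    not_after = dt.datetime.strptime(der[t_s:t_e].decode("ascii"), fmt)
    return issuer_cn, not_after.replace(tzinfo=dt.timezone.utc)

def _pem_to_der(text):
    """Decode the first CERTIFICATE block of a PEM file (the leaf of a chain)."""
    body = text.split(b"-----BEGIN CERTIFICATE-----", 1)[1].split(b"-----END", 1)[0]
    return base64.b64decode(b"".join(body.split()))

def classify(der, now):
    """'staging' | 'stale' (expired more than CLEANUP_AGE ago) | 'expired' | 'valid'."""
    issuer_cn, not_after = parse_cert(der)
    if issuer_cn and "STAGING" in issuer_cn.upper():
        return "staging"
    if not_after + CLEANUP_AGE < now:
        return "stale"
    return "expired" if not_after < now else "valid"

def audit_dir(path, now=None):
    """Map every cert file under path to its classification; deletes nothing."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith((".cert", ".crt", ".pem")):               # skips .key files etc.
            continue
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        report[name] = classify(_pem_to_der(data) if data.startswith(b"-----") else data, now)
    return report

def _der(tag, content):
    """Minimal DER encoder, used only to build constructed test certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_fake_cert(issuer_cn, not_after):
    """Constructed, unsigned DER certificate carrying only the fields the audit reads."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME)
                                        + _der(0x0C, issuer_cn.encode("utf-8")))))
    t = _der(0x18, not_after.strftime("%Y%m%d%H%M%SZ").encode("ascii"))   # GeneralizedTime
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version, serial
                     + _der(0x30, b"") + name + _der(0x30, t + t) + name)   # alg, issuer, validity, subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))          # + alg, empty signature

def demo(now=dt.datetime(2023, 6, 1, tzinfo=dt.timezone.utc)):
    """Write constructed certs to a temp dir and audit it as of a fixed date."""
    certs = {
        "old.example.com.cert": make_fake_cert("R3", dt.datetime(2022, 10, 1)),   # expired 8 months ago
        "shop.example.com.cert": make_fake_cert("R3", dt.datetime(2023, 4, 1)),   # expired 2 months ago
        "app.example.com.cert": make_fake_cert("R3", dt.datetime(2023, 9, 1)),    # still valid
        "_.example.com.cert": make_fake_cert("(STAGING) Artificial Apricot R3", dt.datetime(2023, 9, 1)),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, der in certs.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
                         + b"-----END CERTIFICATE-----\n")
        return audit_dir(d, now)
```

On a real server you would call audit_dir("/home/yellowtent/boxdata/certs") and act on the "staging" and "stale" entries yourself; demo() runs the same logic against the constructed files so the behaviour can be checked offline. The 183-day window is a stand-in for the "6 months" in post #11, and the DER walker deliberately reads only the issuer and validity fields, so it does not validate the certificate in any other way.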