Certificate renewal issue
-
@Recliner2042 maybe you can describe your setup?
-
@Recliner2042 Port forwarding is not needed for Digital Ocean setups. It should work automatically. I suspect the issue here is something else.
For a start, you can simply use another browser. Follow this tutorial https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/ to clear the HSTS for your domain. After that, accept (any) selfsigned certificate and login. After login, Domains -> Renew All Certs. Can you check the logs of the certificate renewal to see what is going wrong?
-
This post is deleted!
-
@girish I have these notifications in cloudron:
Email is not configured properly 17 hours ago
Reboot Required 17 hours ago
Reboot Required Yesterday
The mysql service ran out of memory 6 days ago
After clicking Renew All Certs and checking the logs, there is this error:
box:reverseproxy ensureCertificate: error: DigitalOcean DNS error 401 {"id":"Unauthorized","message":"Unable to authenticate you"}
-
@Recliner2042 I eventually discovered a problem with my transparent proxy running in front of cloudron. It passed some traffic, blocked others, and the HSTS cache probably didn't help.
The other trick is to try incognito mode on chrome if you have HSTS headaches. That seemed to help me.
Sean
-
@Recliner2042 The Digital Ocean key for your domain is not working anymore. Go to Domains -> Select the domain and click Save. You will see an error since the API key is not valid. Maybe you revoked it?
As for the notifications, it seems reboot is required (after security updates). And maybe give the MySQL service more memory (Services -> MySQL -> bump memory limit). These are not the reasons for the cert failure though.
-
@Recliner2042 yes. Let's Encrypt certificates are renewed via DNS automation. So, Cloudron needs access to the DNS to get a cert. Without it, it cannot get a cert.
You can also put some specific expiration time for the token. Just remember to refresh it in Cloudron right before the expiration period with another token manually.
BTW, when using DNS to get certs, you don't need port 80.
-
@Recliner2042 It needs to write to DNS. You can read more at https://letsencrypt.org/docs/challenge-types/ (dns-01).
-
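The dns-01 flow the last two replies describe, as an added example (not Cloudron's or Let's Encrypt's code): it computes the `_acme-challenge` TXT record a client must publish for a constructed token and a constructed account key, and the comparison the CA makes against what it finds in DNS. Writing that record through the provider's DNS API is exactly the step that the 401 from DigitalOcean above prevents.

```python
# Added example (not Cloudron's code): what a dns-01 challenge actually checks.
# Cloudron's DNS provider integration (here, the DigitalOcean API key) is what
# writes the TXT record; a 401 from the API means this write cannot happen.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (TXT record name, TXT record value) the client must publish.

    RFC 8555 section 8.4: value = base64url(SHA-256(token "." thumbprint)).
    A wildcard name is validated at the base domain's _acme-challenge label.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_authorization.encode("utf-8")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def ca_would_accept(published_txt: list[str], domain: str, token: str,
                    account_jwk: dict) -> bool:
    """Mirror the CA's check: one of the published TXT values must match."""
    _, expected = dns01_record(domain, token, account_jwk)
    return expected in published_txt


# Constructed account key (not a real key; only its JWK members matter here).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}

if __name__ == "__main__":
    name, value = dns01_record("example.com", "constructed-token", ACCOUNT_JWK)
    print(f"{name} TXT {value}")
```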