@nj yes with the folder in place there adding the -r to solve this makes sense, however the initial issue is that this folder should not be there in the first place. As the name already suggests, I guess this was just some intermediate manual action to stash certs. Essentially if you don't actively use files in that folder then just delete it to solve this for future releases.

@scooke Interesting. The certificate and the PTR record check shouldn't have anything to do with each other. The PTR record check is really just dig -x IPADDRESS . Can you try that say 10 times over the course of an hour with your VPS server IP and see if it's consistent?

As for old certs, they are indeed preserved forever even if you remove the domain from Cloudron itself but the latest release will now clean up obsolete certs which are 6 months old.

@americankulak Ah! thanks for the update.

@d19dotca I fixed this now. It cleans up certs which expired 6 months ago.

@humptydumpty Yes, correct. Server restart won't fix the issue, have to restart the service explicitly (since it copies over certs).

@humptydumpty haha! whoops - on it - great find!!!

how embarrassing. You're absolutely right. I was searching after ghosts.

@girish thanks a lot for your answer.i appreciate.

@girish
Many thanks.

My mistake, I was so convinced auto-update was running that I didn't notice.

After updating to latest Cloudron version, all problems have resolved 👍

Thanks again
T.

@girish Already solved this problem myself thanks

@mehdi
This my friend is a good point, thank you for pulling me out of the tunnel. lol

@girish Gotchya, ok. Makes sense, thank you

@privsec said in Let’s encrypt certificates expiring?:

Like can there be a memory within cloudron of all subdomains used and when it comes time to renew, just renew it on all of those subdomains?

That's the current behavior. It only renews domains that are in use in Cloudron. AFAIK, there is no way to tell Let's Encrypt to "forget a subdomain" that we had gotten a certificate before. This is the reason why you get the reminder emails from Let's Encrypt about old domains.

@svallory Accept self-signed certs and login to dashboard. Once logged in, I would first go to settings and check for updates/update all the way to Cloudron 6. This is because LE made a change in the last few months which makes cert renewal fail on Cloudron side. Once updated, Domains -> Renew all certs.

@nebulon said in Managing SSL certs via Cloudron CLI:

you have to "forget" the page in your browser

yes, or visit the site in an incognito session. Clearing these entries from the profile in Chrome is slightly more complicated, but doable as well.

https://msutexas.edu/library/clearhsts.php

@mastadamus If you use namecheap API, you don't need port 80. This is because Cloudron will use Let's encrypt DNS automation to get certs. Note that this will require you to sometimes type "https://" explicitly in some browsers because some browsers will default to connecting on port 80 and then the redirect will take it to the https site. In addition, Cloudron has HSTS, so future connects will directly be to 443 and no redirect dance.

@eivlil01 said in Using my own certificates:

@girish I'm using the DNS based challenge, but for a wildcard entry.

Cloudron only supports http based challenge for wildcards, or DNS based challenge but then it creates one entry per app.

Ah, I see what you are saying now. So you have a wildcard DNS entry pointing to the server but also use DNS automation to get wildcard certs. Indeed, Cloudron does not support that.

@girish so I created a new WP install on a different cloudron for the domain, https://slappersonly.co -- everything seems in order now, even for people who had errors before. Meanwhile I switched the older WP install to a new domain on the original cloudron https://slaps.vip .. there do not seem to be any issues for either domain now.

Not too terribly inconvenient as the 2 sites serve different purposes for the same brand, but bizarre nonetheless.

@jdaviescoates nope, just regular domains, not sure why but will just wait and see I guess

@niko You have to convert the app into a Cloudron app for all this to reliably work. We don't support running/installing other things other than Cloudron on the same server. This is because Cloudron will overwrite nginx configuration etc from time to time (for example, updates bring in new configuration).

If your app has a Dockerfile, you can make it a custom app with not too much work - https://docs.cloudron.io/custom-apps/tutorial/ . Custom app will automatically get certs, backups, restore, clone features etc with no extra work. What framework/language does your app use?

Since, we got so many support tickets about this already 🙂 I will paste what I said in the other thread.

Let's Encrypt have started using R3 as the intermediary cert - https://scotthelme.co.uk/lets-encrypts-new-root-and-intermediate-certificates/ . This cert has issuer text slightly different. Since the text has changed, Cloudron tries to renew the certs too early and this results in the above notification. The notification can be ignored since it's a false alarm, the certs and sites will be fine.

There are two ways to fix this:

Update to Cloudron 6 - you can go to Settings -> Check For Updates and then Update. It will give a notification that it is unstable. It's reasonably safe to update, the notification exists because we roll out updates very slowly to keep support manageable for us. Please expect some downtime (like 10 mins) since the update re-configures all the docker containers.

Alternately, you can make this one line change in your current Cloudron version - https://git.cloudron.io/cloudron/box/-/commit/3e62f1913ab05750a343c197c519d38bf17d5b3b . The file is /home/yellowtent/box/src/reverseproxy.js and then systemctl restart box.

@girish feeling lazy, will wait for the official update 🙂

So I'm pretty convinced the issue was the way I wrote the CAA records. I think my DNS provider didn't need the double-quotes in there and it caused issues. Reason I say that is because after introducing the CAA records, I suddenly had the certificate renewal errors.

Then when using a DNS check tool and I looked up CAA records for Google and Mozilla and more, none of them had the double-quote in there, but mine did. So I am sure that was the issue, as everything worked fine again after I removed the double-quotes.

I suspect the double-quotes was being taken literally as a string and so letsencrypt.org is not the same as "letsencrypt.org" in the DNS CAA record. I was able to later find the logs I had seen in the early morning which shows the following which confirms my conclusion: CAA record for <domain> prevents issuance.

So for anyone who comes across this later, make sure you're not using double-quotes I guess. haha.

@wu-lee do you know why it had failed to renew previously?

@d19dotca Ah, I see this on our server as well. It seems that this is printed for all incoming mails because Haraka tries to transfer mail to Dovecot via TLS (via LMTP). Disabling SSL removes the message. Since the message transfer is internal, it's fine. I have pushed the fix for next release but the message is safe to ignore.

@girish Sorry for the late reply, I the default forum settings were to send me email notifications once a week, I have changed that to daily.

I was trying to use the self-signed certificate for all apps.

I have gone ahead and followed the steps in the blog article I linked to and was able to upload the full CA and web server cert chain to Cloudron and after getting the root certificate authority into all the devices accessing Cloudron everything is working well from Windows and iOS based devices.

It looks like Apple is going to be decreasing the certificate lifetime further down to 398 days so you may want to lower the lifetime down to a year to get ahead of that change.

@andrewj720 Looks like DNS is not working on your server. You can also try host cloudron.io etc, I guess none of it working?

Can you check if your cloud firewall allows outbound port 53 UDP ? I think there was a post on this forum some time ago that someone had it blocked in AWS security group by mistake, for example.

Some technical details on the issue. In 5.6, we allow the mail server name to be set and for this we introduced a database field called mail server name. For some reason, if an update only went through half way, the database migration scripts did not complete fully and this mail server name field is not populated in the database. This in turn results in the mail container not getting the correct certificate.

The first command /home/yellowtent/box/setup/start.sh is running the database migrations. The second command is restarting cloudron code. The third command is re-configuring mail container with the correct certificate.

@marcusquinn said in Lets Encrypt renewal time:

Without looking at that screen again, maybe it wasn't clear it should recommend using the root domain for that input?

I think many people start out just like you did and then move it to the main domain. We don't put the recommendation as such because I think it can be scary to throw your root domain and API credentials into a product you are just first trying out.