I have also added Service events in the event log for the next release. So, this way, we can know if the service was automatically restarted after a cert update.
@nebulon indeed, thank you!
For the sake of future users, I guess it could make sense to add information about where to get the token and the full command line for cURL into the documentation, but it's not directly related to the case.
@girish Perhaps take a look at it from the pull perspective vs push.
Maybe even originating the refresh from the mail container side, triggering the others.
@humptydumpty That's right. No way to get wildcard certs with wildcard DNS.
To get a wildcard certificate, one needs to be able to program/automate the DNS. The Let's Encrypt (ACME) protocol requires one to programmatically set up TXT entries as part of getting the certificate. With a wildcard DNS, we have no way to automatically set up those entries.
The protocol for normal certificates has a "http" based flow which allows it to work with a single wildcard entry.
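As an added illustration of the two validation flows described above (this is example code, not from the thread or from Cloudron), here is how a client derives the DNS-01 TXT record and the HTTP-01 response from the challenge token and its account key, following RFC 8555 and RFC 7638; the account key and token are constructed placeholders.

```python
import base64
import hashlib
import json

# Added example: derive ACME challenge responses (RFC 8555 §8.1, §8.3, §8.4).
# The JWK and token below are constructed placeholders, not real account data.


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint_input(jwk: dict) -> str:
    """Canonical JSON of the required JWK members, keys sorted, no whitespace (RFC 7638 §3)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(jwk_thumbprint_input(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' base64url(JWK thumbprint) (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(token: str, jwk: dict):
    """HTTP-01: the CA resolves the name and fetches this path; a single wildcard
    DNS entry is enough because only the HTTP server has to answer."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """DNS-01: the CA looks up a TXT record, so the client must be able to publish one.
    A wildcard name *.example.com is validated at _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return f"_acme-challenge.{base}", b64url(digest)


# Constructed placeholder account key (not a valid P-256 point) and token.
CONSTRUCTED_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
CONSTRUCTED_TOKEN = "constructed-token"

if __name__ == "__main__":
    print("HTTP-01:", *http01_resource(CONSTRUCTED_TOKEN, CONSTRUCTED_JWK))
    print("DNS-01:", *dns01_record("*.example.com", CONSTRUCTED_TOKEN, CONSTRUCTED_JWK))
```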
@nj yes, with the folder in place there, adding the -r to solve this makes sense. However, the initial issue is that this folder should not be there in the first place. As the name already suggests, I guess this was just some intermediate manual action to stash certs. Essentially, if you don't actively use files in that folder, then just delete it to solve this for future releases.
@scooke Interesting. The certificate and the PTR record check shouldn't have anything to do with each other. The PTR record check is really just dig -x IPADDRESS. Can you try that, say, 10 times over the course of an hour with your VPS server IP and see if it's consistent?
As for old certs, they are indeed preserved forever even if you remove the domain from Cloudron itself but the latest release will now clean up obsolete certs which are 6 months old.
@girish
Many thanks.
My mistake, I was so convinced auto-update was running that I didn't notice.
After updating to the latest Cloudron version, all problems have resolved.
Thanks again
T.
@privsec said in Let’s encrypt certificates expiring?:
Like can there be a memory within cloudron of all subdomains used and when it comes time to renew, just renew it on all of those subdomains?
That's the current behavior. It only renews domains that are in use in Cloudron. AFAIK, there is no way to tell Let's Encrypt to "forget a subdomain" that we had gotten a certificate before. This is the reason why you get the reminder emails from Let's Encrypt about old domains.
@svallory Accept self-signed certs and login to dashboard. Once logged in, I would first go to settings and check for updates/update all the way to Cloudron 6. This is because LE made a change in the last few months which makes cert renewal fail on Cloudron side. Once updated, Domains -> Renew all certs.
@nebulon said in Managing SSL certs via Cloudron CLI:
you have to "forget" the page in your browser
yes, or visit the site in an incognito session. Clearing these entries from the profile in Chrome is slightly more complicated, but doable as well.
https://msutexas.edu/library/clearhsts.php