SSL certificate failing
-
Please provide the logs from the failing certificate renewal task. You can trigger one as mentioned at https://docs.cloudron.io/certificates/#manual-renewal and there you will also see the logs.
-
Hi @nebulon
I've tried the manual renewal process multiple times already.
Also, upon inspecting the logs, i found that the certificate for the 'root domain' is not being renewed to begin with!
Could that be the issue/bug here?
@shrey there is renewal logs in the top right of the Renew certificates box (the dropdown). In the logs, it will tell you why it wasn't renewed and also the expiry of the certificate.
Also, just to clarify... certificate of *.domain.com are not included in domain.com . This is just how the certs work. Unless you use domain.com in some app explicitly, it won't get certs for that at all.
-
@shrey there is renewal logs in the top right of the Renew certificates box (the dropdown). In the logs, it will tell you why it wasn't renewed and also the expiry of the certificate.
Also, just to clarify... certificate of *.domain.com are not included in domain.com . This is just how the certs work. Unless you use domain.com in some app explicitly, it won't get certs for that at all.
The concerned domain, let's call it "domainX".
- My cloudron instance is accessed with the url :
https://my.domainX - There are a whole bunch of apps (
*.domainX) in use
@joseph said in SSL certificate failing:
In the logs, it will tell you why it wasn't renewed and also the expiry of the certificate.
There's no mention of a certificate renewal attempt for just "domainX" in those very logs, only for all the apps using it with
*.domainX
The original certificate for domainX was issued by/via Cloudron itself (if i'm not mistaken?), as seen below, so, i'm not sure what you mean here.
- My cloudron instance is accessed with the url :
-
So do you have an app installed on the root domain then? Otherwise if nothing is installed on domain.com but everything else just on subdomains of that, then Cloudron will not even attempt to renew a cert for an unused domain.
- No, I don't have any app installed on the root domain
- The root domain points to the Cloudron instance. The certificate is now expired.
So, irrespective of the existence of any apps on it, a valid certificate is indeed required for it (which is also why Cloudron issued it one, on the occasion of first install, right?) - The well known locations work off the root domain, e.g. the Matrix server (https://domainX/.well-known/matrix/server), and which is now failing in my case (which is what pushed me down this unfortunate rabbit hole)
-
Ah ok that explains it then. So Cloudron only issues certificates for domains which are used by any app. This is also since often Cloudron is used on domains which are not exclusively used by that Cloudron.
For the .well-known to work, you need to add an app on the root domain, or set an redirect in one of the apps from the root domain. Then Cloudron will start fetching and renewing certs.
I understand this is a bit annoying and maybe unexpected if that domain is exclusively used for that Cloudron, but we can't assume that.
The dialog where you configure the well-known for a domain, has a note about this, but it is probably not obvious enough..
-
Ah ok that explains it then. So Cloudron only issues certificates for domains which are used by any app. This is also since often Cloudron is used on domains which are not exclusively used by that Cloudron.
For the .well-known to work, you need to add an app on the root domain, or set an redirect in one of the apps from the root domain. Then Cloudron will start fetching and renewing certs.
I understand this is a bit annoying and maybe unexpected if that domain is exclusively used for that Cloudron, but we can't assume that.
The dialog where you configure the well-known for a domain, has a note about this, but it is probably not obvious enough..
@nebulon said in SSL certificate failing:
So Cloudron only issues certificates for domains which are used by any app. This is also since often Cloudron is used on domains which are not exclusively used by that Cloudron.
@nebulon said in SSL certificate failing:
I understand this is a bit annoying and maybe unexpected if that domain is exclusively used for that Cloudron, but we can't assume that.
See ->
@nebulon What do you mean?
The pointing of a domain and all of its subdomains, in this manner, implies precisely this, that the domain is managed exclusively by Cloudron.
-
So wildcard is only for subdomains of a domain. The domain.com record is not covered by wildcard.
But yes the instructions probably sound like both *.domain.com and domain.com are in fact managed by Coudron, but all I can tell you that unless an app is using a domain, the certs will not be renewed. Maybe we can be smarter about this in the future, but to solve your problem this is what is required.Note a redirect to an existing app will also work.
-
G girish has marked this topic as solved on
