SSL certificate failing

    shrey
    wrote on last edited by girish
    #1

    The certificate for my main domain (configured in Cloudron using Wildcard DNS) has expired and is not refreshing.

    How to resolve this?

      nebulon
      Staff
      wrote on last edited by
      #2

      Please provide the logs from the failing certificate renewal task. You can trigger one as mentioned at https://docs.cloudron.io/certificates/#manual-renewal and there you will also see the logs.

        shrey
        wrote on last edited by
        #3

        Hi @nebulon

        I've tried the manual renewal process multiple times already.

        Also, upon inspecting the logs, I found that the certificate for the 'root domain' is not being renewed to begin with!

        Could that be the issue/bug here?

          joseph
          Staff
          wrote on last edited by
          #4

          @shrey there are renewal logs in the top right of the Renew certificates box (the dropdown). In the logs, it will tell you why it wasn't renewed and also the expiry of the certificate.

          Also, just to clarify... certificates of *.domain.com are not included in domain.com. This is just how the certs work. Unless you use domain.com in some app explicitly, it won't get certs for that at all.

            shrey
            wrote on last edited by shrey
            #5

            @joseph

            The concerned domain, let's call it "domainX".

            • My Cloudron instance is accessed with the URL: https://my.domainX
            • There are a whole bunch of apps (*.domainX) in use

            @joseph said in SSL certificate failing:

            In the logs, it will tell you why it wasn't renewed and also the expiry of the certificate.

            There's no mention of a certificate renewal attempt for just "domainX" in those very logs, only for all the apps using it with *.domainX.

            The original certificate for domainX was issued by/via Cloudron itself (if I'm not mistaken?), as seen below, so I'm not sure what you mean here.

            4c7d2553-40eb-4634-9406-20f144fd2696-image.png

              nebulon
              Staff
              wrote on last edited by
              #6

              So do you have an app installed on the root domain then? Otherwise if nothing is installed on domain.com but everything else just on subdomains of that, then Cloudron will not even attempt to renew a cert for an unused domain.

                shrey
                wrote on last edited by
                #7

                @nebulon

                • No, I don't have any app installed on the root domain
                • The root domain points to the Cloudron instance. The certificate is now expired.
                  So, irrespective of the existence of any apps on it, a valid certificate is indeed required for it (which is also why Cloudron issued it one, on the occasion of first install, right?)
                • The well known locations work off the root domain, e.g. the Matrix server (https://domainX/.well-known/matrix/server), and which is now failing in my case (which is what pushed me down this unfortunate rabbit hole)
                  nebulon
                  Staff
                  wrote on last edited by
                  #8

                  Ah ok that explains it then. So Cloudron only issues certificates for domains which are used by any app. This is also since often Cloudron is used on domains which are not exclusively used by that Cloudron.

                  For the .well-known to work, you need to add an app on the root domain, or set a redirect in one of the apps from the root domain. Then Cloudron will start fetching and renewing certs.

                  I understand this is a bit annoying and maybe unexpected if that domain is exclusively used for that Cloudron, but we can't assume that.

                  The dialog where you configure the well-known for a domain has a note about this, but it is probably not obvious enough.

                    shrey
                    wrote on last edited by shrey
                    #9

                    @nebulon said in SSL certificate failing:

                    So Cloudron only issues certificates for domains which are used by any app. This is also since often Cloudron is used on domains which are not exclusively used by that Cloudron.

                    @nebulon said in SSL certificate failing:

                    I understand this is a bit annoying and maybe unexpected if that domain is exclusively used for that Cloudron, but we can't assume that.

                    See ->

                    263e46b7-3f7e-4e07-8efa-51386aff0ddf-image.png

                    @nebulon What do you mean?

                    The pointing of a domain and all of its subdomains, in this manner, implies precisely this, that the domain is managed exclusively by Cloudron.

                      nebulon
                      Staff
                      wrote on last edited by nebulon
                      #10

                      So wildcard is only for subdomains of a domain. The domain.com record is not covered by wildcard.
                      But yes the instructions probably sound like both *.domain.com and domain.com are in fact managed by Cloudron, but all I can tell you is that unless an app is using a domain, the certs will not be renewed. Maybe we can be smarter about this in the future, but to solve your problem this is what is required.

                      Note a redirect to an existing app will also work.

                      • girishG girish has marked this topic as solved on
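
The point the thread settles on, that a `*.domain` certificate does not cover the bare domain, can be checked mechanically. The following is an added example, not part of the thread and not Cloudron's code: it applies the usual wildcard matching rule (a `*` stands for exactly one leftmost label) and reports which hostnames have a valid, expired or missing certificate. The domain `domainx.example`, the certificate records and all dates are constructed sample data.

```python
from datetime import datetime, timezone


def _labels(name):
    # Normalise: drop a trailing dot, compare case-insensitively.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Match a certificate SAN entry against a hostname.

    '*' is accepted only as the entire leftmost label and stands for
    exactly one label, so '*.d.example' never matches 'd.example'.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice in this example: require two literal labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(hostnames, certs, now):
    """Return {hostname: 'ok' | 'expired' | 'uncovered'}."""
    report = {}
    for host in hostnames:
        status = "uncovered"
        for cert in certs:
            if any(san_matches(san, host) for san in cert["sans"]):
                if cert["not_after"] > now:
                    status = "ok"
                    break
                status = "expired"
        report[host] = status
    return report


# Constructed sample data mirroring the situation in the thread.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CERTS = [
    {"sans": ["*.domainx.example"],
     "not_after": datetime(2025, 3, 1, tzinfo=timezone.utc)},
    {"sans": ["domainx.example"],
     "not_after": datetime(2024, 11, 1, tzinfo=timezone.utc)},
]
HOSTS = ["my.domainx.example", "domainx.example", "a.b.domainx.example"]

if __name__ == "__main__":
    for host, status in coverage(HOSTS, CERTS, NOW).items():
        print(f"{host:24} {status}")
```
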