Own SSL Certificate is not Valid
-
Hi,
I am uploading a renewed certificate but I am facing the same problem as this post https://forum.cloudron.io/topic/9278/own-certificate-upload-problem which after uploading the ssl certificate files cloudron complains of "Certificate is not valid for this domain. Expecting test.domain.com".
How do I solve this?
Thank you
Henry -
Hi,
do I ssh into cloudron to issue that command? If yes, what is the location of the cert_file? I searched through cloudron dashboard does not have terminal access, and I 'find -type f -iname *.crt' but don't see the certificate uploaded.
@gnulab you can run that locally on your laptop (I think it's also available on OS X). Alternately, you can upload the crt file to your server and run the command there. When you upload a cert, that is the command that Cloudron runs to validate the cert.
-
J joseph marked this topic as a question on
-
Hi,
do I ssh into cloudron to issue that command? If yes, what is the location of the cert_file? I searched through cloudron dashboard does not have terminal access, and I 'find -type f -iname *.crt' but don't see the certificate uploaded.
@gnulab you can run that locally on your laptop (I think it's also available on OS X). Alternately, you can upload the crt file to your server and run the command there. When you upload a cert, that is the command that Cloudron runs to validate the cert.
-
@gnulab you can run that locally on your laptop (I think it's also available on OS X). Alternately, you can upload the crt file to your server and run the command there. When you upload a cert, that is the command that Cloudron runs to validate the cert.
-
G gnulab has marked this topic as solved on
-
Can you check
cat cert_file | openssl x509 -noout -checkhost test.yourdomain.com? It should say "does match certificate" .@joseph have the very same problem here.
openssl x509 -noout -in STAR.domain.com.crt -checkhost test.domain.comworks on pure (aka 'leaf') CRT file, but fails on a bundle (cat STAR.*.crt STAR.*.ca-bundle > ssl-complete-bundle.crt) - with an intermediate certificate build-in.And if I upload that pure / leaf certificate, then all apps that are not browsers fails with
unable to verify the first certificatekind of error (that particular is from UpTime Kuma) - as an intermediate certificate is missing.So, I would say that own wildcard certificate functionality is quite broken as of now on Cloudron.
-
@joseph have the very same problem here.
openssl x509 -noout -in STAR.domain.com.crt -checkhost test.domain.comworks on pure (aka 'leaf') CRT file, but fails on a bundle (cat STAR.*.crt STAR.*.ca-bundle > ssl-complete-bundle.crt) - with an intermediate certificate build-in.And if I upload that pure / leaf certificate, then all apps that are not browsers fails with
unable to verify the first certificatekind of error (that particular is from UpTime Kuma) - as an intermediate certificate is missing.So, I would say that own wildcard certificate functionality is quite broken as of now on Cloudron.
Apologies and correction.
Cloudron's functionality works just as intended. The problem is in docs in major sites and hence chatGPT as well (which I used to troubleshoot that).
All of the docs, except for NameCheap (thanks, guys!) says that the correct way to combine crt files - is just do
cat .. > final.crtwhich lead to one problem:-----END CERTIFICATE----------BEGIN CERTIFICATE-----On the line 37, which, absolutely reasonably, brakes any SSL parser.
Correct way to join CRT files is:
cat STAR.*.crt > ssl-complete-bundle.crt && echo >> ssl-complete-bundle.crt && cat STAR.*.ca-bundle >> ssl-complete-bundle.crtAnd you can check if it is valid than with
openssl x509 -noout -in ssl-complete-bundle.crt -checkhost test.`basename STAR.*.crt | sed -E 's/^STAR\.([^.]+(\.[^.]+)?)\.crt$/\1/'`Guess, it might make sense to document it.
