Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved Email contact on Let's Encrypt SSL/TLS certificates uses Password Recovery email rather than Primary email address

    Support
    certificates
    2
    10
    289
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • d19dotca
      d19dotca last edited by girish

      Hello,

      I just realized the Password Recovery email on my profile is what appears to be used in the email contact on the certificates that Cloudron retrieves from Let's Encrypt. Unfortunately in my case my recovery email is my employer's email rather than my own.

      I suppose I can fix this by changing my password recovery email to match my actual email but it's hosted on Cloudron so if I ever had a password issue I'd lose access.

      This seems like a defect. Can anyone please confirm? Maybe I'm doing something wrong?

      --
      Dustin Dauncey
      www.d19.ca

      1 Reply Last reply Reply Quote 0
      • girish
        girish Staff last edited by

        @d19dotca Right, we pick the recovery email over the primary email - https://git.cloudron.io/cloudron/box/-/blob/master/src/reverseproxy.js#L82 . I have to think a bit more as to why the code is this way.

        d19dotca 1 Reply Last reply Reply Quote 2
        • d19dotca
          d19dotca @girish last edited by

          @girish Ah okay, perfect, yeah I think that should be changed to just the primary email address, or maybe break it out to be it's own option/field in the configuration of Cloudron by an admin user. I guess in the meantime the workaround is for me to change that Password Recovery email address temporarily, delete all certs, renew them so they use the new email, then set the Password recovery email address back again.

          --
          Dustin Dauncey
          www.d19.ca

          1 Reply Last reply Reply Quote 0
          • girish
            girish Staff last edited by

            @d19dotca Where are you seeing the contact information of a certificate? Atleast, I cannot see it in firefox or chrome when trying to inspect the certificate.

            d19dotca 1 Reply Last reply Reply Quote 0
            • d19dotca
              d19dotca @girish last edited by d19dotca

              @girish I just saw my email provided by my employer used in the logs for contact information. So I suppose the good news is this isn't exposed externally, but it still means any messages from Let's Encrypt will go to my work email and not the email I want it to go to.

              My statement in the original post was incorrect then I just realized as I sort of wrote it in a way that meant the email was exposed on the certificate and it is not actually on the certificate. Updated statement for clarification: The email address used by Cloudron on certificates is not actually on the certificate, in other words it is not external facing information. However, I believe it is used by Let's Encrypt for communication so internally it may not be the right email that's desired for communication with Let's Encrypt.

              --
              Dustin Dauncey
              www.d19.ca

              1 Reply Last reply Reply Quote 0
              • girish
                girish Staff last edited by

                Ah right. So, Let's Encrypt has a notion of "account". This 'account' has your work email id. AFAIK, they use this email to send renewal notifications (like cert is expiring etc and other API changes) but it's not used in the cert itself.

                d19dotca 1 Reply Last reply Reply Quote 0
                • d19dotca
                  d19dotca @girish last edited by d19dotca

                  @girish Correct. I updated my comment earlier, I think we published at the same time. haha. That needs to be fixed though still, as it is not expected behaviour. For example, I would not expect Cloudron to use my Password Recovery email address for anything other than recovering my password. It should use the primary email address for everything else.

                  --
                  Dustin Dauncey
                  www.d19.ca

                  1 Reply Last reply Reply Quote 0
                  • girish
                    girish Staff last edited by

                    @d19dotca Ha ha, yes. I think it's safe to fix the code to use the primary email.

                    IIRC, this comes from the fact that back in the day we used to have a 1-1 mapping between primary email and the domain. So a user girish would get primary email automatically as girish@cloudrondomain. In such a case, let's encrypt cannot use this email address until the user has setup MX records. This is because Let's encrypt requires the email address to be a valid address. So, we decided to use the fallback address because that was guaranteed to be a valid one.

                    I guess we don't have this problem today because we don't automatically set primary email to be something hosted on Cloudron.

                    1 Reply Last reply Reply Quote 1
                    • girish
                      girish Staff last edited by

                      OK, I have fixed this for the next release. Thanks for reporting!

                      d19dotca 1 Reply Last reply Reply Quote 2
                      • d19dotca
                        d19dotca @girish last edited by

                        @girish I'm always amazed at how quick you guys on these things, thanks for fixing that so soon! 🙂

                        --
                        Dustin Dauncey
                        www.d19.ca

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Powered by NodeBB