Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Email contact on Let's Encrypt SSL/TLS certificates uses Password Recovery email rather than Primary email address

Email contact on Let's Encrypt SSL/TLS certificates uses Password Recovery email rather than Primary email address

Scheduled Pinned Locked Moved Solved Support
certificates
10 Posts 2 Posters 1.5k Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • d19dotcaD Offline
      d19dotcaD Offline
      d19dotca
      wrote on last edited by girish
      #1

      Hello,

      I just realized the Password Recovery email on my profile is what appears to be used in the email contact on the certificates that Cloudron retrieves from Let's Encrypt. Unfortunately in my case my recovery email is my employer's email rather than my own.

      I suppose I can fix this by changing my password recovery email to match my actual email but it's hosted on Cloudron so if I ever had a password issue I'd lose access.

      This seems like a defect. Can anyone please confirm? Maybe I'm doing something wrong?

      --
      Dustin Dauncey
      www.d19.ca

      1 Reply Last reply
      0
      • girishG Offline
        girishG Offline
        girish
        Staff
        wrote on last edited by
        #2

        @d19dotca Right, we pick the recovery email over the primary email - https://git.cloudron.io/cloudron/box/-/blob/master/src/reverseproxy.js#L82 . I have to think a bit more as to why the code is this way.

        d19dotcaD 1 Reply Last reply
        2
        • girishG girish

          @d19dotca Right, we pick the recovery email over the primary email - https://git.cloudron.io/cloudron/box/-/blob/master/src/reverseproxy.js#L82 . I have to think a bit more as to why the code is this way.

          d19dotcaD Offline
          d19dotcaD Offline
          d19dotca
          wrote on last edited by
          #3

          @girish Ah okay, perfect, yeah I think that should be changed to just the primary email address, or maybe break it out to be it's own option/field in the configuration of Cloudron by an admin user. I guess in the meantime the workaround is for me to change that Password Recovery email address temporarily, delete all certs, renew them so they use the new email, then set the Password recovery email address back again.

          --
          Dustin Dauncey
          www.d19.ca

          1 Reply Last reply
          0
          • girishG Offline
            girishG Offline
            girish
            Staff
            wrote on last edited by
            #4

            @d19dotca Where are you seeing the contact information of a certificate? Atleast, I cannot see it in firefox or chrome when trying to inspect the certificate.

            d19dotcaD 1 Reply Last reply
            0
            • girishG girish

              @d19dotca Where are you seeing the contact information of a certificate? Atleast, I cannot see it in firefox or chrome when trying to inspect the certificate.

              d19dotcaD Offline
              d19dotcaD Offline
              d19dotca
              wrote on last edited by d19dotca
              #5

              @girish I just saw my email provided by my employer used in the logs for contact information. So I suppose the good news is this isn't exposed externally, but it still means any messages from Let's Encrypt will go to my work email and not the email I want it to go to.

              My statement in the original post was incorrect then I just realized as I sort of wrote it in a way that meant the email was exposed on the certificate and it is not actually on the certificate. Updated statement for clarification: The email address used by Cloudron on certificates is not actually on the certificate, in other words it is not external facing information. However, I believe it is used by Let's Encrypt for communication so internally it may not be the right email that's desired for communication with Let's Encrypt.

              --
              Dustin Dauncey
              www.d19.ca

              1 Reply Last reply
              0
              • girishG Offline
                girishG Offline
                girish
                Staff
                wrote on last edited by
                #6

                Ah right. So, Let's Encrypt has a notion of "account". This 'account' has your work email id. AFAIK, they use this email to send renewal notifications (like cert is expiring etc and other API changes) but it's not used in the cert itself.

                d19dotcaD 1 Reply Last reply
                0
                • girishG girish

                  Ah right. So, Let's Encrypt has a notion of "account". This 'account' has your work email id. AFAIK, they use this email to send renewal notifications (like cert is expiring etc and other API changes) but it's not used in the cert itself.

                  d19dotcaD Offline
                  d19dotcaD Offline
                  d19dotca
                  wrote on last edited by d19dotca
                  #7

                  @girish Correct. I updated my comment earlier, I think we published at the same time. haha. That needs to be fixed though still, as it is not expected behaviour. For example, I would not expect Cloudron to use my Password Recovery email address for anything other than recovering my password. It should use the primary email address for everything else.

                  --
                  Dustin Dauncey
                  www.d19.ca

                  1 Reply Last reply
                  0
                  • girishG Offline
                    girishG Offline
                    girish
                    Staff
                    wrote on last edited by
                    #8

                    @d19dotca Ha ha, yes. I think it's safe to fix the code to use the primary email.

                    IIRC, this comes from the fact that back in the day we used to have a 1-1 mapping between primary email and the domain. So a user girish would get primary email automatically as girish@cloudrondomain. In such a case, let's encrypt cannot use this email address until the user has setup MX records. This is because Let's encrypt requires the email address to be a valid address. So, we decided to use the fallback address because that was guaranteed to be a valid one.

                    I guess we don't have this problem today because we don't automatically set primary email to be something hosted on Cloudron.

                    1 Reply Last reply
                    1
                    • girishG Offline
                      girishG Offline
                      girish
                      Staff
                      wrote on last edited by
                      #9

                      OK, I have fixed this for the next release. Thanks for reporting!

                      d19dotcaD 1 Reply Last reply
                      2
                      • girishG girish

                        OK, I have fixed this for the next release. Thanks for reporting!

                        d19dotcaD Offline
                        d19dotcaD Offline
                        d19dotca
                        wrote on last edited by
                        #10

                        @girish I'm always amazed at how quick you guys on these things, thanks for fixing that so soon! 🙂

                        --
                        Dustin Dauncey
                        www.d19.ca

                        1 Reply Last reply
                        1
                        Reply
                        • Reply as topic
                        Log in to reply
                        • Oldest to Newest
                        • Newest to Oldest
                        • Most Votes


                          • Login

                          • Don't have an account? Register

                          • Login or register to search.
                          • First post
                            Last post
                          0
                          • Categories
                          • Recent
                          • Tags
                          • Popular
                          • Bookmarks
                          • Search