

SSL / TLS error on sub.sub.domain.com



  • Hello,
    I've encountered a problem with one of my apps. Apparently, the SSL / TLS certificate has an error.

    How do I fix this issue?

    Unsupported protocol
    The client and server don't support a common SSL protocol version or cipher suite.
    

    Best regards,
    Jimmi Hansen
    XevoTech


  • Staff

    @XevoTech The issue could either be that the cert is expired (server issue) or that your client does not support the cipher suite that the cert requires (client issue).

    Does the site itself work on the desktop browser? Have you tried another browser? Can you also try clearing the browser cache for the domain and try? The latter is because we did indeed change the cipher suites in the recent Cloudron version to be more secure. Maybe the browser is hanging on to an old cert because of cert pinning. This will rule out a server issue.

    To renew the cert, you can also go to Domain -> Renew Certs. Can you see any error in the logs?



  • @girish

    I've tried to use two different browsers as well as their incognito version, and it still doesn't work. And I've cleared my browser data. I do see one error, but it has to do with another domain? Could that be the reason?

    Also, thanks for the fast response.


  • Staff

    @XevoTech Can you see if Domains -> Renew all certs gives any error (you have to check the logs after you click that button to see if it's failing or not)?



  • I think it is erroring, this is what I get from the logs

    2020-05-13T16:23:25.073Z box:tasks 3475: {"percent":105,"message":"Renewing certs of wiki.staff.xevotech.com"}
    2020-05-13T16:23:25.091Z box:reverseproxy ensureCertificate: wiki.staff.xevotech.com certificate already exists at /home/yellowtent/boxdata/certs/_.staff.xevotech.com.key
    2020-05-13T16:23:25.100Z box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.staff.xevotech.com.cert Certificate will not expire 0
    2020-05-13T16:23:25.110Z box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/_.staff.xevotech.com.cert subject=CN = *.staff.xevotech.com domain=*.staff.xevotech.com issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 wildcard=true/true prod=true/true match=true
    2020-05-13T16:23:25.110Z box:tasks 3475: {"percent":109,"message":"Renewing certs of pass.xevotech.com"}
    2020-05-13T16:23:25.125Z box:reverseproxy ensureCertificate: pass.xevotech.com certificate already exists at /home/yellowtent/boxdata/certs/_.xevotech.com.key
    2020-05-13T16:23:25.140Z box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.xevotech.com.cert Certificate will not expire 0
    2020-05-13T16:23:25.154Z box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/_.xevotech.com.cert subject=CN = *.xevotech.com domain=*.xevotech.com issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 wildcard=true/true prod=true/true match=true
    2020-05-13T16:23:25.154Z box:reverseproxy renewCerts: Renewed certs of []
    2020-05-13T16:23:25.154Z box:tasks setCompleted - 3475: {"result":null,"error":null}
    2020-05-13T16:23:25.155Z box:tasks 3475: {"percent":100,"result":null,"error":null}
    

  • Staff

    @XevoTech It seems the certs are OK. Can you do systemctl restart nginx on the server? I suspect the certs are valid but nginx has not read the latest certs (for some reason).


  • Staff

    @XevoTech Oh, I just checked the domains and it seems that your sites are fronted by Cloudflare? So, it is some issue with Cloudflare certs and not Cloudron. Can you disable http proxying in Cloudflare and see if it works? If so, then, you have to contact Cloudflare support.



  • @girish I will do both, and then come back to you and say what helped and what didn't.



  • So, it seems like giving the app a "relocation" by pressing the save button under the Location config tab & a quick Cloudflare proxy off-on, and then some time is the fix.

    EDIT
    So it is Cloudflare that is the problem and not Cloudron. Specifically, their proxy.
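
The log reading done by eye in this thread can be scripted. The following is an added example, not part of the original posts and not Cloudron's own code: it scans `box:reverseproxy` / `box:tasks` lines in the format pasted above and lists anything that points at the origin certificates, so an empty result means the TLS failure should be looked for in front of the server (here, the Cloudflare proxy). The hostnames are placeholders, and two things are assumptions: that any `isExpiringSync` wording other than "will not expire" means renewal is due, and that a failed task carries a non-null `error` field.

```python
import json
import re

# Constructed sample in the format shown in the thread (hostnames are placeholders).
SAMPLE_LOG = """\
2020-05-13T16:23:25.100Z box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.staff.example.com.cert Certificate will not expire 0
2020-05-13T16:23:25.110Z box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/_.staff.example.com.cert subject=CN = *.staff.example.com domain=*.staff.example.com issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 wildcard=true/true prod=true/true match=true
2020-05-13T16:23:25.154Z box:reverseproxy renewCerts: Renewed certs of []
2020-05-13T16:23:25.155Z box:tasks 3475: {"percent":100,"result":null,"error":null}
"""

EXPIRY = re.compile(r"isExpiringSync: (\S+) Certificate (.*)$")
MATCH = re.compile(r"providerMatchesSync: (\S+) subject=CN = (\S+) domain=(\S+) "
                   r"issuer=(.*?) wildcard=\S+ prod=\S+ match=(true|false)")
TASK = re.compile(r"box:tasks \d+: (\{.*\})$")

def summarize(log_text):
    """Return ({cert_path: facts}, task_error) collected from the renewal log."""
    certs, task_error = {}, None
    for line in log_text.splitlines():
        if m := EXPIRY.search(line):
            # Assumption: only the "will not expire" wording means no renewal is due.
            certs.setdefault(m[1], {})["expiring"] = not m[2].startswith("will not expire")
        elif m := MATCH.search(line):
            certs.setdefault(m[1], {}).update(
                subject=m[2], covers=m[3], issuer=m[4], match=m[5] == "true")
        elif m := TASK.search(line):
            # Assumption: a failed renewal task reports a non-null "error".
            task_error = json.loads(m[1]).get("error") or task_error
    return certs, task_error

def origin_problems(log_text):
    """List findings that implicate the origin certs; empty means look upstream."""
    certs, task_error = summarize(log_text)
    problems = [f"task error: {task_error}"] if task_error else []
    for path, facts in sorted(certs.items()):
        if facts.get("expiring"):
            problems.append(f"{path}: expiring")
        if facts.get("match") is False:
            problems.append(f"{path}: provider/domain mismatch")
    return problems

if __name__ == "__main__":
    print(origin_problems(SAMPLE_LOG) or "origin certs look fine; check the proxy in front")
```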