SSL certs untrusted and self-signed with DNS API
-
SSL certificates untrusted.
I used the Namecheap app. I have port 80 open.
I'm getting "untrusted" in the browser and the SSL checker says self-signed cert. HTTP to HTTPS redirects in the header aren't working due to the certificate chain. Can anyone help me? I've tried renewing. It doesn't change them.
Here's my log:
06 09:23:28 box:settings initCache: pre-load settings
Feb 06 09:23:28 box:taskworker Starting task 11. Logs are at /home/yellowtent/platformdata/logs/tasks/11.log
Feb 06 09:23:28 box:tasks 11: {"percent":2,"error":null}
Feb 06 09:23:28 box:tasks 11: {"percent":1,"message":"Renewing certs of
Feb 06 09:23:28 box:reverseproxy ensureCertificate: certificate already exists at /home/yellowtent/boxdata/certs/..key
Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/.Certificate will not expire 0
Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/.subject=CN = *. domain=*issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Feb 06 09:23:28 box:tasks 11: {"percent":34,"message":"Renewing certs of "}
Feb 06 09:23:28 box:reverseproxy ensureCertificate: certificate already exists at /home/yellowtent/boxdata/certs/..key
Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/.nCertificate will not expire 0
Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/.noctedefensor.com.cert subject=CN = . domain= issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Feb 06 09:23:28 box:tasks 11: {"percent":67,"message":"Renewing certs of }
Feb 06 09:23:28 box:reverseproxy ensureCertificate: m certificate already exists at /home/yellowtent/boxdata/certs/..key
Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/..cert Certificate will not expire 0
Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/_.noctedefensor.com.cert subject=CN = . domain=. issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Feb 06 09:23:28 box:reverseproxy renewCerts: Renewed certs of []
Feb 06 09:23:28 box:taskworker Task took 0.22 seconds
Feb 06 09:23:28 box:tasks setCompleted - 11: {"result":null,"error":null}
Feb 06 09:23:28 box:tasks 11: {"percent":100,"result":null,"error":null}
-
They all seem fine to me. Maybe it's a local issue, so try using a clean browser. You can also renew all certs at https://my.noctedefensor.com/#/domains
-
@subven it's not a local issue.
If I go to third-party websites like Mozilla Observatory, it shows self-signed. I've tried renewing them and they 'renew' almost immediately, but they don't change. Here's a link to SSL Labs showing it's self-signed:
https://www.ssllabs.com/ssltest/analyze.html?d=noctedefensor.com
-
SSL Labs shows my cert for "my.noctedefensor.com" as A+ with no issues,
but the cert for "noctedefensor.com" is showing self-signed and untrusted.
So Let's Encrypt gave me a good wildcard cert that seems to be working for that subdomain BUT not the zone domain name. Ideas?
-
@mastadamus I guess it's because you don't have any app installed for the root domain?
-
@nebulon OK. I'm tracking. So because I didn't install any app on the bare domain, it just leaves it with a self-signed cert. Unfortunately, that means the HTTPS redirect in the header will not function. Doesn't this mean then that unless I manually close port 80, Cloudron won't stop an unsecured connection to, say, "www.noctedefensor.com"?
So would best practice be to install some sort of secure app on the base domain to force the Let's Encrypt cert to be acquired and managed via Cloudron?
If not, is there any way I can redirect "mydomain.com" or "www.noctedefensor.com" to https://mydomain.com or https://www.mydomain.com?
-
@nebulon I just saw the "redirect" option in an app. I'm going to try that. Thanks for the help.
-
@mastadamus If you use the Namecheap API, you don't need port 80. This is because Cloudron will use Let's Encrypt DNS automation to get certs. Note that this will sometimes require you to type "https://" explicitly in some browsers, because some browsers default to connecting on port 80, and then the redirect takes them to the HTTPS site. In addition, Cloudron has HSTS, so future connections will go directly to 443 with no redirect dance.
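The root cause in the thread is name coverage, not renewal: a `*.noctedefensor.com` wildcard covers `my.noctedefensor.com` but, by the RFC 6125 matching rule, not the bare zone `noctedefensor.com`, so the server falls back to a placeholder certificate for that name. The script below is an added example (not Cloudron's code and not posted by anyone in the thread) that reproduces that check offline: it parses the text that `openssl x509 -noout -subject -issuer -ext subjectAltName` prints, decides whether the certificate's names cover a given hostname, and flags a self-signed certificate by comparing issuer with subject. The two certificate dumps embedded in it are constructed for illustration, not captured from the poster's server.

```python
"""Check which hostnames a TLS certificate covers and whether it is self-signed.

Added example for this thread, not Cloudron's own code. Input is the text
printed by `openssl x509 -noout -subject -issuer -ext subjectAltName`, so it
runs offline on a saved dump; the sample dumps at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CertNames:
    subject: str                                 # full subject DN, e.g. "CN = *.example.com"
    issuer: str                                  # full issuer DN
    sans: list = field(default_factory=list)     # DNS names from subjectAltName

    @property
    def subject_cn(self):
        m = re.search(r"\bCN\s*=\s*([^,]+)", self.subject)
        return m.group(1).strip() if m else ""

    def dns_names(self):
        # Browsers only consult the SAN extension when it is present;
        # the subject CN is a legacy fallback for certs without one.
        return self.sans if self.sans else [self.subject_cn]

    def is_self_signed(self):
        # DN-equality heuristic: a self-signed leaf (and a root CA) names
        # itself as issuer. A real self-signature check needs the public key.
        return self.subject.strip() == self.issuer.strip()


def parse_openssl_text(text):
    """Parse `openssl x509 -noout -subject -issuer -ext subjectAltName` output."""
    subject = issuer = ""
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return CertNames(subject, issuer, sans)


def name_matches(pattern, hostname):
    """RFC 6125 matching: '*' stands for exactly one leftmost DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False                 # a wildcard anywhere else is not honoured
    suffix = pattern[1:]             # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    # *.example.com covers my.example.com, but not example.com (no label)
    # and not a.b.example.com (two labels).
    return left != "" and "." not in left


def covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert.dns_names())


def verdict(cert, hostname):
    """Why a browser would or would not trust `cert` for `hostname`."""
    if cert.is_self_signed():
        return "self-signed"
    if not covers(cert, hostname):
        return "name mismatch"
    return "ok"


# Constructed sample dumps (not real captures): a Let's Encrypt wildcard cert,
# and the placeholder cert a server hands out for a name no wildcard covers.
LE_WILDCARD = """\
subject=CN = *.noctedefensor.com
issuer=C = US, O = Let's Encrypt, CN = R3
X509v3 Subject Alternative Name:
    DNS:*.noctedefensor.com
"""

SELF_SIGNED = """\
subject=CN = noctedefensor.com
issuer=CN = noctedefensor.com
X509v3 Subject Alternative Name:
    DNS:noctedefensor.com
"""

if __name__ == "__main__":
    wildcard = parse_openssl_text(LE_WILDCARD)
    for host in ("my.noctedefensor.com", "noctedefensor.com",
                 "www.noctedefensor.com", "a.b.noctedefensor.com"):
        print(f"{host:24} -> {verdict(wildcard, host)}")
    fallback = parse_openssl_text(SELF_SIGNED)
    print(f"{'noctedefensor.com':24} -> {verdict(fallback, 'noctedefensor.com')}")
```

To run it against a live server, capture the certificate actually presented for the name you care about (SNI matters, so pass `-servername`): `openssl s_client -servername noctedefensor.com -connect noctedefensor.com:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName`, then feed that text to `parse_openssl_text`. Repeating the command with `-servername my.noctedefensor.com` shows why SSL Labs grades the two names differently: they are different certificates, and only one of them lists a name that matches what was asked for.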