Ssl certs untrusted and self signed with dns api

      Mastadamus
      wrote on last edited by Mastadamus
      #1

      SSL certificates untrusted.
      I used the Namecheap app. I have port 80 open.
      I'm getting untrusted in the browser and the SSL checker says self signed cert. HTTP to HTTPS redirects in the header aren't working due to the certificate chain.

      Can anyone help me? I've tried renewing. It doesn't change them.

      Here's my log:

      06 09:23:28 box:settings initCache: pre-load settings
      Feb 06 09:23:28 box:taskworker Starting task 11. Logs are at /home/yellowtent/platformdata/logs/tasks/11.log
      Feb 06 09:23:28 box:tasks 11: {"percent":2,"error":null}
      Feb 06 09:23:28 box:tasks 11: {"percent":1,"message":"Renewing certs of
      Feb 06 09:23:28 box:reverseproxy ensureCertificate: certificate already exists at /home/yellowtent/boxdata/certs/..key
      Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/
      .Certificate will not expire 0
      Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/.subject=CN = *. domain=*issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
      Feb 06 09:23:28 box:tasks 11: {"percent":34,"message":"Renewing certs of "}
      Feb 06 09:23:28 box:reverseproxy ensureCertificate: certificate already exists at /home/yellowtent/boxdata/certs/
      ..key
      Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/.nCertificate will not expire 0
      Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/
      .noctedefensor.com.cert subject=CN = . domain= issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
      Feb 06 09:23:28 box:tasks 11: {"percent":67,"message":"Renewing certs of }
      Feb 06 09:23:28 box:reverseproxy ensureCertificate: m certificate already exists at /home/yellowtent/boxdata/certs/..key
      Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/
      ..cert Certificate will not expire 0
      Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/_.noctedefensor.com.cert subject=CN = . domain=. issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
      Feb 06 09:23:28 box:reverseproxy renewCerts: Renewed certs of []
      Feb 06 09:23:28 box:taskworker Task took 0.22 seconds
      Feb 06 09:23:28 box:tasks setCompleted - 11: {"result":null,"error":null}
      Feb 06 09:23:28 box:tasks 11: {"percent":100,"result":null,"error":null}

        subven
        wrote on last edited by
        #2

        They all seem fine to me. Maybe it's a local issue so try to use a clean browser. You can also renew all certs at https://my.noctedefensor.com/#/domains 🙂

          Mastadamus
          wrote on last edited by
          #3

          @subven it's not a local issue.
          If I go to 3rd party websites like Mozilla Observatory it shows self signed. I've tried renewing them and they 'renew' almost immediately but they don't change.

          Here's a link to SSL Labs showing it's self signed:
          https://www.ssllabs.com/ssltest/analyze.html?d=noctedefensor.com

            Mastadamus
            wrote on last edited by
            #4

            SSL Labs shows my cert for "my.noctedefensor.com" as A+ and no issues.
            But the cert for "noctedefensor.com" is showing self signed and untrusted.
            So Let's Encrypt gave me a good wildcard cert that seems to be working for that subdomain BUT not the zone domain name.

            Ideas?

              nebulon
              Staff
              wrote on last edited by
              #5

              Do you have any app installed on the bare domain? Or did you configure the bare domain to be a redirect or an alias to an app? If not, then Cloudron would not manage that explicit domain and thus would not acquire an SSL certificate.

                imc67
                translator
                wrote on last edited by
                #6

                @mastadamus I guess because you don't have any app installed for the root domain?

                  Mastadamus
                  wrote on last edited by
                  #7

                  @nebulon OK. I'm tracking. So because I didn't install any app on the bare domain it just leaves it a self signed cert. Unfortunately, that means the HTTPS redirect in the header will not function. Doesn't this mean then that unless I manually close my port 80, Cloudron won't stop an unsecured connection to say "www.noctedefensor.com"?

                  So would best practice be to install some sort of secure app on the base domain to force the Let's Encrypt cert to be acquired and managed via Cloudron?
                  If not, any way I can redirect "mydomain.com" or "www.noctedefensor.com" to https://mydomain.com or https://www.mydomain.com ?

                    Mastadamus
                    wrote on last edited by
                    #8

                    @nebulon I just saw the "redirect" option in an app. I'm going to try that. Thanks for the help.

                      girish
                      Staff
                      wrote on last edited by
                      #9

                      @mastadamus If you use the Namecheap API, you don't need port 80. This is because Cloudron will use Let's Encrypt DNS automation to get certs. Note that this will require you to sometimes type "https://" explicitly in some browsers because some browsers will default to connecting on port 80 and then the redirect will take it to the https site. In addition, Cloudron has HSTS, so future connects will directly be to 443 and no redirect dance.
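
Added example (not part of the thread and not Cloudron's code): a small Python model of how a browser records HSTS under RFC 6797, applied to the three hosts named above. The header value and the trust flags are constructed assumptions; it shows that a policy served behind the self-signed certificate on the bare domain is ignored, and that a policy learned on my.noctedefensor.com does not cover the bare or www host.

```python
import re

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is unusable."""
    max_age, include_sub = None, False
    for part in (p.strip() for p in value.split(";")):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part, re.I)
        if m and max_age is not None:
            return None                      # repeated directive: header is invalid
        if m:
            max_age = int(m.group(1))
        elif part.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Browser-side list of known HSTS hosts: host -> includeSubDomains flag."""
    def __init__(self):
        self.known = {}

    def observe(self, host, scheme, cert_trusted, headers):
        """Process one response (lower-case header names); True if a policy is stored."""
        value = headers.get("strict-transport-security")
        if scheme != "https" or not cert_trusted or value is None:
            return False                     # plain HTTP or a TLS error: header is ignored
        policy = parse_hsts(value)
        if policy is None:
            return False
        if policy[0] == 0:                   # max-age=0 removes an existing entry
            self.known.pop(host, None)
            return False
        self.known[host] = policy[1]
        return True

    def upgrades(self, host):
        """Would a later http:// request to host be rewritten to https://?"""
        labels = host.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        return host in self.known or any(self.known.get(p, False) for p in parents)

def thread_scenario(bare_trusted):
    """Constructed observations for the three hosts named in the thread."""
    hsts = {"strict-transport-security": "max-age=63072000; includeSubDomains"}  # assumed value
    store = HstsStore()
    store.observe("my.noctedefensor.com", "https", True, hsts)
    store.observe("noctedefensor.com", "https", bare_trusted, hsts)
    hosts = ("my.noctedefensor.com", "noctedefensor.com", "www.noctedefensor.com")
    return {h: store.upgrades(h) for h in hosts}

if __name__ == "__main__":
    print("bare domain self-signed:", thread_scenario(False))
    print("bare domain trusted:    ", thread_scenario(True))
```
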
