    Ssl certs untrusted and self signed with dns api

    Support
    certificates namecheap
    • M
      Mastadamus last edited by Mastadamus

      SSL certificates untrusted.
      I used the Namecheap app. I have port 80 open.
      I'm getting untrusted in the browser and the SSL checker says self-signed cert. HTTP to HTTPS redirects in the header aren't working due to the certificate chain.

      Can anyone help me? I've tried renewing. It doesn't change them.

      Here's my log:

      06 09:23:28 box:settings initCache: pre-load settings
      Feb 06 09:23:28 box:taskworker Starting task 11. Logs are at /home/yellowtent/platformdata/logs/tasks/11.log
      Feb 06 09:23:28 box:tasks 11: {"percent":2,"error":null}
      Feb 06 09:23:28 box:tasks 11: {"percent":1,"message":"Renewing certs of
      Feb 06 09:23:28 box:reverseproxy ensureCertificate: certificate already exists at /home/yellowtent/boxdata/certs/..key
      Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/
      .Certificate will not expire 0
      Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/.subject=CN = *. domain=*issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
      Feb 06 09:23:28 box:tasks 11: {"percent":34,"message":"Renewing certs of "}
      Feb 06 09:23:28 box:reverseproxy ensureCertificate: certificate already exists at /home/yellowtent/boxdata/certs/
      ..key
      Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/.nCertificate will not expire 0
      Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/
      .noctedefensor.com.cert subject=CN = . domain= issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
      Feb 06 09:23:28 box:tasks 11: {"percent":67,"message":"Renewing certs of }
      Feb 06 09:23:28 box:reverseproxy ensureCertificate: m certificate already exists at /home/yellowtent/boxdata/certs/..key
      Feb 06 09:23:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/
      ..cert Certificate will not expire 0
      Feb 06 09:23:28 box:reverseproxy providerMatchesSync: /home/yellowtent/boxdata/certs/_.noctedefensor.com.cert subject=CN = . domain=. issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
      Feb 06 09:23:28 box:reverseproxy renewCerts: Renewed certs of []
      Feb 06 09:23:28 box:taskworker Task took 0.22 seconds
      Feb 06 09:23:28 box:tasks setCompleted - 11: {"result":null,"error":null}
      Feb 06 09:23:28 box:tasks 11: {"percent":100,"result":null,"error":null}

      • subven
        subven last edited by

        They all seem fine to me. Maybe it's a local issue so try to use a clean browser. You can also renew all certs at https://my.noctedefensor.com/#/domains 🙂

        • M
          Mastadamus @subven last edited by

          @subven it's not a local issue.
          If I go to 3rd party websites like Mozilla observatory it shows self signed. I've tried renewing them and they 'renew' almost immediately but they don't change.

          Here's a link to SSL Labs showing it's self-signed:
          https://www.ssllabs.com/ssltest/analyze.html?d=noctedefensor.com

          • M
            Mastadamus last edited by

            SSL Labs shows my cert for "my.noctedefensor.com" as A+ and no issues.
            But the cert for "noctedefensor.com" is showing self-signed and untrusted.
            So Let's Encrypt gave me a good wildcard cert that seems to be working for that subdomain BUT not the zone domain name.

            Ideas?

            • nebulon
              nebulon Staff last edited by

              Do you have any app installed on the bare domain? Or did you configure the bare domain to be a redirect or an alias to an app? If not, then Cloudron would not manage that explicit domain and thus would not acquire an SSL certificate.

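To make the diagnosis in this thread concrete: a Let's Encrypt wildcard for `*.noctedefensor.com` (as in the log above) covers `my.noctedefensor.com` but, by the RFC 6125 matching rules, not the bare `noctedefensor.com`, so an apex that Cloudron does not manage is left with its fallback self-signed certificate. The following example was added for this thread and is not Cloudron's code; it implements the hostname-matching and self-signed checks over constructed certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns, with `live_check` as an assumed helper for running the same check against a real server.

```python
import socket
import ssl

# Constructed samples in ssl.SSLSocket.getpeercert() shape (not real certificates):
# the Let's Encrypt wildcard from the log, and the fallback self-signed cert an unmanaged apex gets.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.noctedefensor.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "*.noctedefensor.com"),),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "noctedefensor.com"),),),
    "issuer": ((("commonName", "noctedefensor.com"),),),
    "subjectAltName": (("DNS", "noctedefensor.com"),),
}

def dns_names(cert):
    """DNS SANs, falling back to the subject CN only when the cert carries no SANs."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def name_matches(host, pattern):
    """RFC 6125: '*.example.com' covers exactly one left-most label, never the apex or deeper names."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                      # ".noctedefensor.com"
    if not host.endswith(suffix):
        return False                          # the apex itself never ends with ".<apex>"
    prefix = host[: -len(suffix)]             # the label the wildcard stands for
    return bool(prefix) and "." not in prefix

def check_cert(host, cert):
    """Does the cert cover the host, and is it self-signed (issuer == subject)?"""
    return {"covers_host": any(name_matches(host, n) for n in dns_names(cert)),
            "self_signed": cert.get("subject") == cert.get("issuer")}

def live_check(host, port=443, timeout=5.0):
    """Assumed helper: with verification on, an untrusted or mismatched cert never reaches check_cert,
    so the handshake error text ('self-signed certificate', 'Hostname mismatch') is the finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_cert(host, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"verify_error": exc.verify_message}
```

Running `live_check` on both the subdomain and the apex reproduces what SSL Labs reported in the thread: the subdomain validates, the apex fails verification as self-signed.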
              • imc67
                imc67 translator @Mastadamus last edited by

                @mastadamus I guess because you don’t have any app installed for the root domain?

                • M
                  Mastadamus @nebulon last edited by

                  @nebulon OK. I'm tracking. So because I didn't install any app on the bare domain it just leaves it with a self-signed cert. Unfortunately, that means the HTTPS redirect in the header will not function. Doesn't this mean then that unless I manually close my port 80, Cloudron won't stop an unsecured connection to, say, "www.noctedefensor.com"?

                  So would best practice be to install some sort of secure app on the base domain to force the Let's Encrypt cert to be acquired and managed via Cloudron?
                  If not, is there any way I can redirect "mydomain.com" or "www.noctedefensor.com" to https://mydomain.com or https://www.mydomain.com?

                  • M
                    Mastadamus last edited by

                    @nebulon I just saw the "redirect" option in an app. I'm going to try that. Thanks for the help.

                    • girish
                      girish Staff @Mastadamus last edited by

                      @mastadamus If you use the Namecheap API, you don't need port 80. This is because Cloudron will use Let's Encrypt DNS automation to get certs. Note that this will require you to sometimes type "https://" explicitly in some browsers, because some browsers will default to connecting on port 80 and then the redirect will take them to the HTTPS site. In addition, Cloudron has HSTS, so future connections will go directly to 443 with no redirect dance.
