    Solved Domain cleanup lacking, by design?

    Support
    certificates letsencrypt
    • Shai
      Shai last edited by girish

      Yesterday I was having trouble with a cert. It turns out the underlying problem may have been Let's Encrypt being down for some time. Which is probably a pretty rare event.

      In my troubleshooting attempts I tried switching to a staging cert. It was after I made that switch that Let's Encrypt seemed to come back on line. And so I got a staging cert. Which was of no help since the site was actually a production site and the browser warnings are ominous.

      The log message when I clicked "Renew all certs" was that no cert was issued because one already existed. I had already edited the domain and chosen "wildcard prod" but that didn't make a difference.

      In fact, deleting the domain from my.example.com/#/domains and re-adding (also with Wildcard prod) did nothing.

      Then I ssh-ed into the Ubuntu 20.04 server Cloudron runs on and went to: /home/yellowtent/boxdata/certs

      and I ran:

          sudo rm exampleapp.com*
          sudo rm _.exampleapp.com*

      I went back to my.example.com/#/domains and clicked "Renew all certs" and all was good.

      While I was in /home/yellowtent/boxdata/certs I noticed that any domain that I had previously deleted still had certs there.

      Is this by design? If so, why?

      Also, how is one supposed to replace a staging cert with prod one?

      • girish
        girish Staff @Shai last edited by

        @shai yes, old certs are not removed intentionally. This is because LE has rate limits for getting certs. So, if you say uninstall an app "test.exampleapp.com" and install again, we don't delete the certs at uninstall time and re-use certs from the previous install.

        • d19dotca
          d19dotca @girish last edited by

          @girish It might be good to have a prompt when deleting a domain if a user wants to delete the related certs too (much like how we changed the email deletion prompt to also ask whether to keep the contents on disk or delete the contents from disk). Or just behind-the-scenes delete the certs after a short period of time (a few days?) for a removed domain. Keeps things clean.

          --
          Dustin Dauncey
          www.d19.ca

          • girish
            girish Staff @d19dotca last edited by

            @d19dotca mm, possibly. We then have to explain cert rate limits etc. I will keep this open in case it comes up again, but for now one can just delete those files and Cloudron will simply get a new cert.

            • Shai
              Shai @girish last edited by

              @girish is there any way to delete unwanted certs via the my.example.com Cloudron dashboard? Or is it the case that ssh'ing into the server and deleting them at /home/yellowtent/boxdata/certs is the only way?

              Also, I suggest that the Cloudron cert documentation explicitly mention that switching to a prod cert from staging requires that the staging certs be deleted.

              • d19dotca
                d19dotca @Shai last edited by

                @shai You'd need to SSH to it to delete the certs.

                --
                Dustin Dauncey
                www.d19.ca

                • girish
                  girish Staff @Shai last edited by

                  @shai said in Domain cleanup lacking, by design?:

                  Also, I suggest that the Cloudron cert documentation explicitly mention that switching to a prod cert from staging requires that the staging certs be deleted.

                  This seems like a bug. We actually have code to do this automatically - https://git.cloudron.io/cloudron/box/-/blob/master/src/reverseproxy.js#L122 . Let me see why it fails.

                  • girish
                    girish Staff last edited by

                    I have verified this works now. There are lots of cert related changes in the master branch, so it probably got fixed magically.

                    • d19dotca
                      d19dotca @girish last edited by

                      @girish I was looking through the list of certs on my server, and found many certs that haven't been used for at least 4 - 9 months. This is likely more applicable when using individual certs per app hostname as opposed to wildcard certs, but I would suggest it makes sense to automatically clean up certs from the file system at least 3 months after they expire. What good is a Let's Encrypt cert that's 6 months old (expired 3 months ago), for example?

                      --
                      Dustin Dauncey
                      www.d19.ca

                      • girish
                        girish Staff @d19dotca last edited by

                        @d19dotca sounds like a good idea, I made a task - https://git.cloudron.io/cloudron/box/-/issues/783

                        • girish
                          girish Staff @d19dotca last edited by

                          @d19dotca I fixed this now. It cleans up certs which expired 6 months ago.

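The two problems in this thread, a leftover staging cert that keeps being "re-used" and expired certs that sit in the cert directory for months, are both easy to spot by reading the certificates on disk rather than guessing from file names. The following Go program is an added example written for this thread; it is not Cloudron's code and does not reproduce the cleanup logic in box/src/reverseproxy.js. It scans a directory such as /home/yellowtent/boxdata/certs, parses every PEM certificate, flags files whose issuer CN matches Let's Encrypt's staging naming ("(STAGING)" in current intermediates, "Fake LE" in older ones), and marks certificates that expired more than a configurable grace period ago (180 days, matching the 6-month rule girish settled on) as cleanup candidates. The `.cert` file extension and the staging-issuer substrings are assumptions; the `WriteTestCert` helper only exists so the example runs offline with constructed data and is not how real files get there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Finding is the verdict for one certificate file in the scanned directory.
type Finding struct {
	Path     string
	Subject  string    // certificate CN, i.e. the domain the cert was issued for
	Issuer   string    // issuer CN; tells staging apart from production issuance
	NotAfter time.Time // expiry
	Staging  bool      // issuer name matches Let's Encrypt's staging CA naming (assumed patterns)
	Stale    bool      // expired longer ago than maxAge, so a cleanup candidate
}

// isStagingIssuer recognises Let's Encrypt staging intermediates, whose CNs
// carry "(STAGING)" (current) or "Fake LE" (older). Assumption, not Cloudron logic.
func isStagingIssuer(cn string) bool {
	return strings.Contains(cn, "(STAGING)") || strings.Contains(cn, "Fake LE")
}

// ScanCertDir reads every *.cert PEM file in dir (the ".cert" extension is an
// assumption about the on-disk layout) and classifies it. A cert is Stale when
// now is more than maxAge past its NotAfter. Nothing is deleted; the report is
// for a human to act on.
func ScanCertDir(dir string, now time.Time, maxAge time.Duration) ([]Finding, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "*.cert"))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, p := range paths {
		raw, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		block, _ := pem.Decode(raw)
		if block == nil || block.Type != "CERTIFICATE" {
			continue // not a PEM certificate; leave it alone
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", p, err)
		}
		findings = append(findings, Finding{
			Path:     p,
			Subject:  cert.Subject.CommonName,
			Issuer:   cert.Issuer.CommonName,
			NotAfter: cert.NotAfter,
			Staging:  isStagingIssuer(cert.Issuer.CommonName),
			Stale:    now.After(cert.NotAfter.Add(maxAge)),
		})
	}
	return findings, nil
}

// WriteTestCert writes a constructed certificate <domain>.cert into dir, signed
// by a throwaway key under an issuer CN of our choosing. It exists only so the
// example can run offline; real files come from the ACME client.
func WriteTestCert(dir, domain, issuerCN string, notBefore, notAfter time.Time) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	// The parent only lends its Subject (which becomes our Issuer) and key.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}, PublicKey: &key.PublicKey}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return os.WriteFile(filepath.Join(dir, domain+".cert"), out, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "certscan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	now := time.Now()
	day := 24 * time.Hour
	// Constructed sample data: a healthy prod cert, a staging cert that would
	// trigger browser warnings, and one that expired over a year ago.
	_ = WriteTestCert(dir, "app.example.com", "R3", now.Add(-30*day), now.Add(60*day))
	_ = WriteTestCert(dir, "blog.example.com", "(STAGING) Artificial Apricot R3", now.Add(-1*day), now.Add(89*day))
	_ = WriteTestCert(dir, "old.example.com", "R3", now.Add(-480*day), now.Add(-400*day))
	findings, err := ScanCertDir(dir, now, 180*day)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s issuer=%-35q expires=%s staging=%v stale=%v\n",
			f.Subject, f.Issuer, f.NotAfter.Format("2006-01-02"), f.Staging, f.Stale)
	}
}
```

Run it against the real directory by replacing the temp-dir setup in `main` with the path from the thread; a cert reported as `staging=true` is the one the browser is complaining about, and `stale=true` rows are the files a 6-month cleanup would remove. Note that a recently expired cert is deliberately kept: the grace period is what lets a reinstall of the same hostname reuse the old cert without spending a Let's Encrypt rate-limit slot.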