Certificate expiry problems (perhaps related to DNS migration)
-
So as I discussed a while ago, I did a DNS migration (https://forum.cloudron.io/topic/7429/how-to-do-a-smooth-dns-migration/2) from a manually updated wildcard, to Hetzner. For the most part, this has gone smoothly, but I seem to be running into a corner case with Lets Encrypt certificates. I've started getting upcoming expiry warnings for a bunch of domains now. I tried to force renewal, which gave me the following logs (for each service on subdomain.example.com)...
Aug 15 12:01:04 box:tasks update 6255: {"percent":76,"message":"Ensuring certs of xxx.subdomain.example.com"} Aug 15 12:01:04 box:reverseproxy ensureCertificate: xxx.subdomain.example.com certificate already exists at /home/yellowtent/platformdata/nginx/cert/_.subdomain.example.com.key Aug 15 12:01:04 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/_.subdomain.example.com.cert notAfter=Oct 26 11:00:56 2022 GMT daysLeft=72.04156950231481 Aug 15 12:01:04 box:reverseproxy providerMatchesSync: /home/yellowtent/platformdata/nginx/cert/_.subdomain.example.com.cert subject=CN = *.subdomain.example.com domain=*.subdomain.example.com issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=trueThis looks okay, in theory, but then at the end I see the following:
Aug 15 12:01:04 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/xxx.subdomain.example.com.cert notAfter=Sep 3 11:00:56 2022 GMT daysLeft=19.041567395833333And the daysLeft here seems to match up with the mail warnings I'm getting...
So they don't seem to be renewing properly... Is there something I can do to force a renewal? And is this some kind of a bug/unhandled edge case in Cloudron, perhaps caused by the DNS provider switch?
-
So as I discussed a while ago, I did a DNS migration (https://forum.cloudron.io/topic/7429/how-to-do-a-smooth-dns-migration/2) from a manually updated wildcard, to Hetzner. For the most part, this has gone smoothly, but I seem to be running into a corner case with Lets Encrypt certificates. I've started getting upcoming expiry warnings for a bunch of domains now. I tried to force renewal, which gave me the following logs (for each service on subdomain.example.com)...
Aug 15 12:01:04 box:tasks update 6255: {"percent":76,"message":"Ensuring certs of xxx.subdomain.example.com"} Aug 15 12:01:04 box:reverseproxy ensureCertificate: xxx.subdomain.example.com certificate already exists at /home/yellowtent/platformdata/nginx/cert/_.subdomain.example.com.key Aug 15 12:01:04 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/_.subdomain.example.com.cert notAfter=Oct 26 11:00:56 2022 GMT daysLeft=72.04156950231481 Aug 15 12:01:04 box:reverseproxy providerMatchesSync: /home/yellowtent/platformdata/nginx/cert/_.subdomain.example.com.cert subject=CN = *.subdomain.example.com domain=*.subdomain.example.com issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=trueThis looks okay, in theory, but then at the end I see the following:
Aug 15 12:01:04 box:reverseproxy expiryDate: /home/yellowtent/platformdata/nginx/cert/xxx.subdomain.example.com.cert notAfter=Sep 3 11:00:56 2022 GMT daysLeft=19.041567395833333And the daysLeft here seems to match up with the mail warnings I'm getting...
So they don't seem to be renewing properly... Is there something I can do to force a renewal? And is this some kind of a bug/unhandled edge case in Cloudron, perhaps caused by the DNS provider switch?
@Robin There seems to be two certs . The one with
_is the wildcard cert. The one withxxxis the single domain cert. I guess this can happen when you switch the DNS provider to programmatic to manual/wildcard or vice-versa.Currently, are you using programmatic DNS or manual/wildcard ? If you go to the Location view of the app and click on Save, it should use the certificate of the latest configuration.
-
G girish marked this topic as a question on
-
@Robin There seems to be two certs . The one with
_is the wildcard cert. The one withxxxis the single domain cert. I guess this can happen when you switch the DNS provider to programmatic to manual/wildcard or vice-versa.Currently, are you using programmatic DNS or manual/wildcard ? If you go to the Location view of the app and click on Save, it should use the certificate of the latest configuration.
-
@girish I switched from wildcard over to programmatic (via Hetzner). I didn't update individual apps after that change, but I guess I can try that and see what happens...
-
@Robin Should ideally not have to do this individually. Renew certs should do this in the background, but clearly isn't...
-
@Robin There seems to be two certs . The one with
_is the wildcard cert. The one withxxxis the single domain cert. I guess this can happen when you switch the DNS provider to programmatic to manual/wildcard or vice-versa.Currently, are you using programmatic DNS or manual/wildcard ? If you go to the Location view of the app and click on Save, it should use the certificate of the latest configuration.
@girish said in Certificate expiry problems (perhaps related to DNS migration):
If you go to the Location view of the app and click on Save, it should use the certificate of the latest configuration.
Is it possible to have this note mentioned in the docs and somewhere on the "Domains & Certs" page?
Thanks! -
@girish Hmm, one remaining problem... What do I do about my dashboard, which is also affected by the same problem? Would changing its location temporarily (and then switching back) fix it?
-
So, I still got more cert warnings despite moving the app locations around, and removing the dashboard config, so I decided to try be a bit more brutal about it. I removed the wildcard cert:
rm /home/yellowtent/platformdata/nginx/cert/_.xxx.*Restarted box, and everything seemed OK. Then I triggered
Renew All Certsagain, and ... ended up with a new wildcard cert! That doesn't make sense to me... Is there something I can look at that would explain why it wanted to create that? Or some proper way I can nuke the DNS configuration from orbit so it ends up sensible again? -
So, I still got more cert warnings despite moving the app locations around, and removing the dashboard config, so I decided to try be a bit more brutal about it. I removed the wildcard cert:
rm /home/yellowtent/platformdata/nginx/cert/_.xxx.*Restarted box, and everything seemed OK. Then I triggered
Renew All Certsagain, and ... ended up with a new wildcard cert! That doesn't make sense to me... Is there something I can look at that would explain why it wanted to create that? Or some proper way I can nuke the DNS configuration from orbit so it ends up sensible again?
