Certiticate renewal issue
-
@girish Digital Ocean. Let's Encrypt won't renew. The Expired Certificate warning in the browser says "You cannot visit this website right now because the website uses HSTS."
-
@Recliner2042 Port forwarding is not needed for Digital Ocean setups. It should work automatically. I suspect the issue here is something else.
For a start, you can simply use another browser. Follow this tutorial https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/ to clear the HSTS for your domain. After that, accept (any) selfsigned certificate and login. After login, Domains -> Renew All Certs. Can you check the logs of the certificate renewal to see what is going wrong?
-
This post is deleted!
-
@girish I have these notifications in cloudron:
Email is not configured properly 17 hours ago
Rebbot Required 17 hours ago
Reboot Required Yesterday
The mysql service ran out of memory 6 days agoAfter clicking Renew All Certs and checking the logs, there is this error:
box:reverseproxy ensureCertificate: error: DigitalOcean DNS error 401 {"id":"Unauthorized","message":"Unable to authenticate you"} -
@Recliner2042 I eventually discovered a problem with my transparent proxy running in front of cloudron. It passed some traffic, blocked others, and the HSTS cache probably didn't help.
The other trick is to try incognito mode on chrome if you have HSTS headaches. That seemed to help me.
Sean
-
G girish marked this topic as a question on
-
@Recliner2042 The Digital Ocean key for your domain is not working anymore. Go to Domains -> Select the domain and click Save. You will see an error since the API key is not valid. Maybe you revoked it?
As for the notifications, it seems reboot is required (after security updates). And maybe give the MySQL service more memory (Services -> MySQL -> bump memory limit). These are not the reasons for the cert failure though.
-
@girish Are you saying that I need to create a Digital Ocean API Token and set its expiration to Never, in order for Cloudron to use Let's Encrypt?
-
@Recliner2042 yes. Let's Encrypt certificates are renewed via DNS automation. So, Cloudron needs access to the DNS to get a cert. Without it, it cannot get a cert.
You can also put some specific expiration time for the token. Just remember to refresh it in Cloudron right before the expiration period with another token manually.
BTW, when using DNS to get certs, you don't need port 80.
-
@girish Does Cloudron need a read and write token, or just a read token, to access DNS?
-
@Recliner2042 It needs to write to DNS . You can read more at https://letsencrypt.org/docs/challenge-types/ (dns-01).
-
R Recliner2042 has marked this topic as solved on