-
Actually you could use for example DigitalOcean DNS api only. It is free. You can keep your domain registrar and just set the nameservers from DigitalOcean there.
Being able to use LetsEncrypt certificates will surely spare you lots of side-effects and time.
-
@nebulon I will look into this and try to get this implemented, hopefully today, assuming that they handle all of our use cases.
Currently domains.google will redirect all requests from a domain that is an alias we have of another domain to the other domain, both across http and https, and will preserve the path and query string parameters.
So a request for
https://www.mainalias.com/somepath?some=value
is redirected to https://www.main.com/somepath?some=value
which requires domains.google to get a free https certificate issued for mainalias.com, to run a webserver that has the ability to receive http requests, and then to set that webserver up to do the redirects, and they do this for free as a part of them being the registrar for that domain.
As I write this I realize that maybe I just leave the DNS servers as domains.google's DNS servers for those domains and only change the name servers for the domain being used for our Cloudron instance.
Thank you for helping me work through this and I will report back once I have gotten this setup with a test domain.
-
@girish @nebulon Thank you so much, I now have our domain registrar as domains.google but the authoritative name servers for our base domain and the subdomain we use to host Cloudron as DigitalOcean, and we now are able to use Let's Encrypt certs and log in to Wekan again!
The biggest trip up was the fact that domains.google defaults to returning its authoritative name servers for every subdomain of a domain it is hosting, but DigitalOcean didn't, so I needed to create name server records in the root domain configured in DigitalOcean that pointed back to DigitalOcean's name servers again before the subdomain, which was also on DigitalOcean, started working properly.
I did have to restart Cloudron, sync DNS, and renew all certs several times each as I worked through changing things and trying to get those changes to propagate. It at minimum took a reboot before the system stopped using the wildcard cert we had configured previously and started actually using the Let's Encrypt wildcard, even though I had done multiple sync DNS and renew all certs before that.
This is a much better setup than before and it looks like it isn't going to cost anything more than what we were paying before, definitely a great solution and will hopefully stop us from hitting these weird issues with apps having trouble because they don't trust secure connections between each other.
Thank you both so much for helping me work through this!
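The delegation gap described in the post above (the parent zone at the new provider had no NS records for the separately hosted subdomain) can be caught before a resolver does. The following is an added example, not code from the thread or from Cloudron; the zone names, the records, and the nameserver hostnames are constructed for illustration.

```python
"""Lint a parent zone for the NS delegation a separately hosted child zone needs.

Constructed example: a parent zone and a child zone for a Cloudron subdomain,
both hosted at the same DNS provider. Without NS records for the child in the
parent, the parent's authoritative servers answer NXDOMAIN for child names,
so DNS-01 challenges and ordinary lookups for the subdomain fail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified with trailing dot
    rtype: str  # "A", "NS", "TXT", ...
    value: str


def fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def check_delegation(parent_zone, parent_records, child_zone, child_nameservers):
    """Return a list of problems; an empty list means the delegation is consistent."""
    problems = []
    child = fqdn(child_zone)
    expected = {fqdn(ns) for ns in child_nameservers}
    parent_ns = {fqdn(r.value) for r in parent_records
                 if fqdn(r.name) == child and r.rtype == "NS"}
    if not parent_ns:
        problems.append(f"{child} has no NS records in {fqdn(parent_zone)}: "
                        "resolvers asking the parent get NXDOMAIN")
    else:
        for ns in sorted(expected - parent_ns):
            problems.append(f"{child} delegation is missing NS {ns}")
        for ns in sorted(parent_ns - expected):
            problems.append(f"{child} delegation points at unexpected NS {ns}")
    # Once a name is delegated, non-NS/DS records at or below it in the parent
    # are occluded (glue aside); flag them so nobody relies on them.
    for r in parent_records:
        n = fqdn(r.name)
        if (n == child or n.endswith("." + child)) and r.rtype not in ("NS", "DS"):
            problems.append(f"{n} {r.rtype} in the parent zone is hidden by the delegation")
    return problems


# Constructed zones (assumed nameserver hostnames, not taken from the thread).
PROVIDER_NS = ["ns1.dns-provider.example", "ns2.dns-provider.example"]
PARENT_BEFORE = [Record("example.com.", "A", "203.0.113.10")] + \
    [Record("example.com.", "NS", ns) for ns in PROVIDER_NS]
PARENT_AFTER = PARENT_BEFORE + \
    [Record("cloud.example.com.", "NS", ns) for ns in PROVIDER_NS]

if __name__ == "__main__":
    for label, zone in (("before", PARENT_BEFORE), ("after", PARENT_AFTER)):
        print(label, check_delegation("example.com", zone, "cloud.example.com", PROVIDER_NS) or "ok")
```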
-
@ChristopherMag yes, having valid certs is the best way forward. Certs are also used in various non-HTTP protocols (IRC, Jabber, DoT, DoH etc.) and most mobile apps will pretty much refuse to connect without valid certs. You are just fighting a battle which you will lose eventually. If not now, then in the next update of the app.
Cloudron has support for self-signed certs, but Cloudron started even before Let's Encrypt was a reality. These days all that code is just legacy. There is really no reason to use self-signed certs for most purposes.
-
nebulon marked this topic as a question
-
nebulon has marked this topic as solved