API for SSL certificate per domain

I did some reverse engineering - here is the bash, for anyone curious:

DOMAIN="mysuper-domain.com"
TOKEN="bla-bla" #cloudron's token
cd /var/db/acme/certs/*.${DOMAIN}_ecc

CERT=$(awk 'NF {printf "%s\\n", $0}' fullchain.cer)
KEY=$(awk 'NF {printf "%s\\n", $0}' "*.${DOMAIN}.key")

curl -X POST "https://my.${DOMAIN}/api/v1/domains/${DOMAIN}/config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"zoneName\": \"${DOMAIN}\",
    \"provider\": \"manual\",
    \"config\": {},
    \"tlsConfig\": { \"provider\": \"fallback\" },
    \"fallbackCertificate\": { \"cert\": \"${CERT}\", \"key\": \"${KEY}\" }
  }"

verify with openssl s_client -showcerts -connect IP:443 -servername my.${DOMAIN}.net | less

I believe the API is actually there (as I can change the certificate via the Dashboard), but it's not documented? If so - could you possibly share the correct structure, please?

Cloudron currently allows to manage SSL certificates per app, but not per domain - could you please, implement that endpoint as well, please?

As Wildcard domains are now becoming a shorter period of life, manual management is quite troublesome.

or, could you just make it optional?

In my specific case I just commented out the string to let the apps running.

if (manifest.id !== 'com.adguard.home.cloudronapp') containerOptions.HostConfig.ExtraHosts.push(`${dashboardFqdn}:172.18.0.1`);

in docker.js:698 you have the code from below - I understand you are trying to work around the cases, when my.domain.com is defined via /etc/hosts to be something weird.

But why don't you push the public IP address?

In my specific case, Cloudron is behind a kind of WAF and that WAF is taking care on the SSL certificates, so any connections to 172.18.0.1 are just failing due to SSL issues (and Synapse, for example, can't start due to OIDC issue).

And a question/ask: can you change that to the Cloudron IP please? It shouldn't be difficult, as you it as a variable already.

Thanks!!

@inibudi , it is; but I've optimized it down to a single crontab entry:

crontab -l
48 2 * * * /bin/sh -c '[ -f /var/run/reboot-required ] && sudo shutdown -r now'

I do have a subscription. Just yesterday I've figured out the problem is with HTTP 2 protocol that is failing on the hand-over; disabling it on the proxy and leaving with HTTP 1.1 works just fine, as the protocol do the fallback from H2 to WebSocket over HTTP 1.1, which works just fine.

you should have mentioned earlier

@james I wish I was aware that it is the problem!

The whole cloudron is behind a haproxy that does TCP level proxy. From my understanding it should not affect, as it's one level below the HTTP(S) and WebSocket is above HTTPS.

And the console doesn't seem to work for all apps terminals.

Any ideas how to narrow down the root cause?

@nebulon thank you. And yes - I understand why the work-around required. If you don't mind sharing the source code to read the logic exactly?

I've been wondering on the best way to achieve that, but never seen any good practical approach - would love to see how you are approaching that, without a container shutdown, if you don't mind sharing of course.

If that's too complicated - never mind and please, feel free to close the issue - the question now is purely to satisfy my curiosity.

Thank you, that fixed the issue.
There been no logs in the container.

Any ideas what is the nature of the sqlite container for uptime kuma? I've been under impression that sqlite requires no server side...

Hello, @james . Thanks!

For anyone wondering of the same - the best way is the following commands - from any other computer, then the server.

npx cloudron login my.precious.com
npx cloudron list
npx cloudron exec --app $id--tty

(no need to install anything globally)

Nothing at the box.log, I'm getting the following error from the cli:

npx cloudron exec --app e085a31f-7f7f-40ff-ae95-056766d2781d --tty
Could not upgrade connection to tcp. http status: 502

And here is the nginx log entries:

IP - - [21/Jan/2026:14:18:03 +0000] "GET /api/v1/apps/e085a31f-7f7f-40ff-ae95-056766d2781d HTTP/2.0" 200 7965 "-" "-"
IP - - [21/Jan/2026:14:18:03 +0000] "POST /api/v1/apps/e085a31f-7f7f-40ff-ae95-056766d2781d/exec HTTP/2.0" 200 78 "-" "-"

The Cloudron is behind a proxy, but I can't see any WebSocket related restrictions.

@nebulon there seems to be none of the dead ones:

ubuntu@cloudron:~$ sudo docker ps -a | grep sqlite | wc -l
1
ubuntu@cloudron:~$ sudo docker ps -a | grep sqlite
bbb52ef9e686   cloudron/louislam.uptimekuma.app:202511081423470000       "sqlite3 /app/data/d…"   2 weeks ago   Created                                                                                                                                                                sqlite-be0be218-57bf-427b-abb6-b7660943eaf6

There are not that much non-running containers - only 2 nextcloud workers with exit(0) and another service, that I have stopped explicitely.

@nebulon will do, thanks.

Could you please, tell me - what cloudron exec does? Never used it - only using WebUI and ssh command lines on the server, in those rare cases, when got to check something.

and that is happening not only for NextCloud actually, I just didn't notice!

@nebulon I do:

terminal-c5ikyfn6.js:6307 WebSocket connection to 'wss://my.server.com/api/v1/apps/e075a2fe-7f7f-40ff-ae12-056766d2780d/exec/d7f60f4a9d5d72e7ced6aaf3d0f035fbe98c397f37690fe99ddcba72b0539d97/startws?tty=true&rows=25&columns=183&access_token=a8uNp2OOgZpy_00xcyYa3gKGGAb8SQGO0B6-Tydok3k' failed: 
connect @ terminal-c5ikyfn6.js:6307
terminal-c5ikyfn6.js:6322 Socket error. Reconnecting... Event {isTrusted: true, type: 'error', target: WebSocket, currentTarget: WebSocket, eventPhase: 2, …}
terminal-c5ikyfn6.js:6317 Socket closed. Reconnecting...

Yep - it does.
Stop & start didn't help, unfortunately.

Hey, James. Quite a while ago. Don't you want to figure out the root cause?
I can and certainly will reboot the server one day.

@james said in Backup is failing for UpTime Kuma on 9.0.15:

How many hosts do you monitor with Uptime Kuma?

not much - like 20 max; UpTime Kuma on itself works just fine.

@james said in Backup is failing for UpTime Kuma on 9.0.15:

Or do you mean this setting is getting overwritten again and again?

yeah - I always have my settings setup in a way, that I would be getting an e-mail for the threads I'm participating and from time to time I'm finding myself not getting those updates - going to check the settings and they are again in 'Notification only'.

It's sporadic, but I'm quite sure I didn't change them manually (too lazy / busy for that - I don't even remember where they are in the profile).