Wildcard Alias added, but no https

I see, I think. I'll try to work the API example into the start.sh script that runs when the app is started.

@robi

That's the Cloudron CLI, not the CloudronManifest.json. I asked a follow up question though to clarify though, so thank you.

@joseph

Thank you, I see that here: https://docs.cloudron.io/api.html#tag/Apps/operation/installApp.

I want to set this value automatically during App Installation. Is there a way to do that using either the CloudronManifest.json file or the Cloudron CLI?

I have resolved the issue with Invalid Handle. The problem was not having a *.[app.domain.com] wildcard domain mapped for the app. There's unfortunately no way to do this with the CloudronManifest.json file during app installation so this will have to be a manual step for installers.

I've tested migrating an account from a Bluesky PDS and that seems good. Tested making and restoring backups in Cloudron. That seems good.

The only remaining work to be done, that I am aware of, is to implement the update mechanism. I'm uncertain whether I should (or even can) do that or if that is something the Cloudron staff will do as they prepare it for the App Store.

https://github.com/sfeldkamp/cloudron-bluesky-pds

If anyone has any guidance on what more I should do, or a better way to "submit" this to the staff let me know.

I will likely move my live account sometime soon to be self hosted on my custom app install, as I expect that process to take awhile. If anyone would like to try it out themselves or review the code, please feel free!

I switched to my domain registrar as the provider, connected with an API key, regenerated the certs, and then synced DNS records. Everything seems to be working as I need it to.

Can anyone answer my second question... Is there a way to setup a domain alias during app installation so the user doesn't have to configure it manually?

Oh, my domain is setup with a DNS provider of "Wildcard" domain but the "Let's Encrypt Prod" certificate provider. I probably need to switch that around to a programmatic provider instead.

I've added a wildcard alias to the custom app install for the app that I am packaging. It works, entering an address like test2.[app.domain.com] resolves to the app. However, there is no valid security certificate for it.

I've restarted the app. Is there another step that I need to do? I didn't see anything in the docs.

Also, is it possible to setup a wildcard alias during app installation? I'd prefer not to ask the user to do this, if possible.

This was helpful and validated the direction I was headed with it! I am working from a fork of bluesky-social/pds at https://github.com/sfeldkamp/cloudron-bluesky-pds.

Current status is that it's running! I can add invite codes through the app's web terminal with goat CLI. I can register a user account on the PDS and post, reply, like, and follow from it. These all are pushed to the Bluesky firehose and can be seen in the Bluesky App by other accounts.

Still to be debugged / tested:

• Newly created account on the PDS shows "Invalid Handle" warning in Bluesky App.
• Account migration with goat CLI to the PDS from a bsky.social PDS.
• Account migration with goat CLI from the PDS back to bsky.social PDS.
• General soak test to feel comfortable that all parts of the PDS are working correctly.

I have some time off later this week, so I think I can make progress with these things.

@ekevu123

Please share! I'll take whatever help you can offer. Or post a submission if you have it done already and I can test it out.

According to the docs Cloudron will take over maintenance of the app image after it's published.

And Bluesky recently implemented incoming account migration so now a user can go back to Bluesky hosted PDS.
https://docs.bsky.app/blog/incoming-migration

I'm taking a stab at packaging the Bluesky PDS. If anyone else is currently in progress on this or knows of a reason why it won't be possible, now is a good time to speak up!

Perfect! Thanks for the quick answer.

I currently have a Cloudron server hosted on a Digital Ocean droplet. I'm working on packaging an app I'd like to install.

Is it a good idea to test the packaged app in a separate Cloudron? If yes, should that be another Cloudron server or could I install Cloudron in a Docker container on my desktop and then test the app installation and operation in that?

Success! Thank you!

It won't let me change it.

root@sftp:/etc/ssh# chmod 600 ssh_host_rsa_key
chmod: changing permissions of 'ssh_host_rsa_key': Read-only file system
root@sftp:/etc/ssh# sudo chmod 600 ssh_host_rsa_key
chmod: changing permissions of 'ssh_host_rsa_key': Read-only file system

Should I try updating this 600 and see if that allows the key to be used?

Ah yeah, it was the host system. It is 644 for the sftp service container and owned by cloudron.

root@my:~# docker exec -ti sftp /bin/bash
root@sftp:/app/code# ls -l /etc/ssh/ssh_host_rsa_key
-rw-r--r-- 1 cloudron cloudron 1679 Dec  4 01:01 /etc/ssh/ssh_host_rsa_key
root@sftp:/app/code# stat -c "%n %a" /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key 644

Description

SFTP service is flashing orange in Services panel.

Steps to reproduce

Upgraded to Ubuntu 22 followed by Ubuntu 24 following the guides on the site.

Logs

sftp service log after a service restart

Dec 03 19:34:27 [GET] /healthcheck
Dec 03 19:34:27 2025-12-04 01:34:27,895 sftp proftpd[42]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Dec 03 19:34:27 2025-12-04 01:34:27,899 sftp proftpd[42]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 76 of '/etc/proftpd/proftpd.conf'
Dec 03 19:34:27 2025-12-04 01:34:27,904 WARN exited: proftpd (exit status 1; not expected)
Dec 03 19:34:31 2025-12-04 01:34:31,258 INFO spawned: 'proftpd' with pid 46
Dec 03 19:34:31 2025-12-04 01:34:31,301 sftp proftpd[46]: LDAPServer: parsed URL 'ldap://172.18.0.1:3002/??sub' as 'ldap://172.18.0.1:3002/??sub'
Dec 03 19:34:31 2025-12-04 01:34:31,303 sftp proftpd[46]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 76 of '/etc/proftpd/proftpd.conf'
Dec 03 19:34:31 2025-12-04 01:34:31,308 WARN exited: proftpd (exit status 1; not expected)
Dec 03 19:34:32 [GET] /healthcheck
Dec 03 19:34:32 2025-12-04 01:34:32,020 INFO gave up: proftpd entered FATAL state, too many start retries too quickly

Troubleshooting Already Performed

Have restarted host (Digital Ocean droplet).
Have rebooted Cloudron.
Have confirmed /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root

Have discovered that /etc/proftpd directory does not exist at all (making the error message mentioning line 76 particularly strange).

System Details

Generate Diagnostics Data

https://paste.cloudron.io/iyasudamap

Cloudron Version

9.0.13

Ubuntu Version

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.3 LTS
Release:        24.04
Codename:       noble

Cloudron installation method

Manual with ./cloudron-setup

(I think. It was a very long time ago).

Output of cloudron-support --troubleshoot

Vendor: DigitalOcean Product: Droplet
Linux: 6.8.0-88-generic
Ubuntu: noble 24.04
Processor: DO-Regular
BIOS pc-i440fx-6.1  CPU @ 2.0GHz x 2
RAM: 4009880KB
Disk: /dev/vda1        14G
[OK]    node version is correct
[OK]    IPv6 is enabled in kernel. No public IPv6 address
[OK]    docker is running
[OK]    docker version is correct
[OK]    MySQL is running
[OK]    nginx is running
[OK]    dashboard cert is valid
[OK]    dashboard is reachable via loopback
[OK]    No pending database migrations
[OK]    Service 'mysql' is running and healthy
[OK]    Service 'postgresql' is running and healthy
[OK]    Service 'mongodb' is running and healthy
[OK]    Service 'mail' is running and healthy
[OK]    Service 'graphite' is running and healthy
[OK]    box v9.0.13 is running
[OK]    netplan is good
[OK]    DNS is resolving via systemd-resolved
[OK]    Dashboard is reachable via domain name
[OK]    Domain sethfeldkamp.com is valid and has not expired
[OK]    unbound is running```

For what it's worth, the terms of service have been updated. Not that it matters. As with everything on the internet, it's buyer beware and use at your own risk. For my part I'm comfortable with the underlying protocol and the role Bluesky (a public-benefit company) is playing in developing it and the reference implementations for it.

They have released a PDS (docker image) that will federate with their sandbox network. Federation with the production network will come after a period of time.

https://github.com/bluesky-social/pds

Federation still depends on three services hosted by Bluesky. Eventually it should be possible to consume these ATProto services from other providers, but for now Bluesky is the only one offering them.

SMTP-Mailer is configured automatically and working for me when I send the test email. However, a number of Contact Form plugins that were advertised as working with SMTP-Mailer weren't actually sending an email. Some failed silently, and some helpfully showed an error to the user.

I did finally find one. Completely free. I'm not connected to them in any way. Just leaving this here in case anyone else runs into the same problem.

https://wordpress.org/plugins/simple-basic-contact-form/

@sfeldkamp

Well, I tried the digital oceans ones and they didn't work either. Maybe I will have to create a new server and restore backups instead.