Skip to content
Start building
Back

SSL Cert doesn't get renewed (anymore)

  • 0
  • Self Hosted
View on Discord
bopr
1 Jun, 2023, 15:56

My SSL cert is not getting renewed anymore, and fails when I run sudo docker compose exec appwrite ssl domain="mydomain.com" I am running on a self hosted VPS Ubuntu 20.04. This command worked earlier for me without issues and I have updated to the latest version but no luck

appwrite-worker-certificates | [notice] Starting work on (Job{v1-certificates} | ID: ca1d5fe7fa5e46bcda44596fd5f7e7a4 | CertificatesV1 | [{"project":null,"domain":{"domain":"mydomain.com"},"skipRenewCheck":true}]) appwrite-worker-certificates | Cannot renew domain (mydomain.com) on attempt no. 8 certificate: Failed to issue a certificate with message: contents of letsencrypt.log: 2023-06-01 04:02:33,940:DEBUG:acme.client:Received response: Link: https://acme-v02.api.letsencrypt.org/directory;rel="index" Strict-Transport-Security: max-age=604800 { "identifier": { "type": "dns", "value": "mydomain.com" }, "status": "invalid", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "1.2.3.4: Fetching http://mydomain.com/.well-known/acme-challenge/ Connection refused", "status": 400 },

TypeScript
  "validationRecord": [
    {
      "url": "http://mydomain.com/.well-known/acme-challenge/xx",
      "hostname": "mydomain.com",
      "port": "80",
      "addressesResolved": [
        "1.2.3.4"
      ],
      "addressUsed": "1.2.3.4"
    }
  ],
}

] } INFO:certbot._internal.auth_handler:Challenge failed for domain mydomain.com INFO:certbot._internal.auth_handler:http-01 challenge for DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: mydomain.com Type: connection Detail: 1.2.3.4: Fetching http://mydomain.com/.well-known/acme-challenge/gcdQfEqCjL2XpI:

TL;DR
The user is experiencing an issue with renewing their SSL certificate using the command `sudo docker compose exec appwrite ssl domain="mydomain.com"`. They are running on a self-hosted VPS running Ubuntu 20.04. This command worked previously but is now failing. The error message indicates that there is a connection issue with fetching the token for the certificate. The user has already updated to the latest version of Docker-compose but the issue persists. No solution is provided in the support thread.
Torsten Dittmann
1 Jun, 2023, 16:05

I can summarize really quick how the flow is:

  • You issue a SSL certificate via the command you mentioned or the API
  • The certificates worker does a request for your domain to the CA with a HTTP Challenge
    • CA => Certificate Authority which in this case is Let's Encrypt
  • That request will contain a random token and a fingerprint we have generated
  • Then after some seconds, the CA will try to ask for a file with that token (/.well-known/acme-challenge/TOKEN) over http and will check the fingerprint
  • Our certificate is valid if everything went well

you can read more about it here => https://letsencrypt.org/docs/challenge-types/#http-01-challenge

Torsten Dittmann
1 Jun, 2023, 16:06

iirc the certificate is generated using https://certbot.eff.org/

bopr
1 Jun, 2023, 16:07

So if the CA gets a 400 connection refused error while trying the token and fails, what kind of steps can I take to resolve this?

Torsten Dittmann
1 Jun, 2023, 16:08

by any chance, are you on 1.3.5? 🙂

Drake
1 Jun, 2023, 16:09

btw, make sure to look at https://appwrite.io/docs/certificates

bopr
1 Jun, 2023, 16:10

I was on 1.2.1 and tried to upgrade to 1.3.5 in my docker-compose.yml but got the same error... getting really frustrated and I don't really want to nuke the VPS just because of a cert issue... but none of the images from the buckets will load now on my webapp and it's sad

Torsten Dittmann
1 Jun, 2023, 16:11

if you ahve upgraded to 1.3.5, I probably found the issue

this will be fixed with https://github.com/utopia-php/framework/pull/97 and will be fixed today with 1.3.6 🙂

But you said it currently fails on 1.2.1 too?

Torsten Dittmann
1 Jun, 2023, 16:11

@Steven btw, can you take a look at this PR?

We need to add the trailing wildcard here too later 🙂 https://github.com/appwrite/appwrite/blob/953485299a2a4040406cfec290a68f69187ec5e8/app/controllers/general.php#L587

bopr
1 Jun, 2023, 16:12

The first time I tried on 1.2.1 (out of the box) it failed, but when I ran it manually with sudo docker compose exec appwrite ssl domain="mydomain.com" it worked, i just assumed I would need to run it manually every time but this time didn't work 😦

Torsten Dittmann
1 Jun, 2023, 16:13

yeah, you just got me to a lead of an issue that got created with a fix released 2 days ago. 1.3.4 should actually work 🙂

Torsten Dittmann
1 Jun, 2023, 16:13

or you wait for 1.3.6 later today

bopr
1 Jun, 2023, 16:14

I can wait 🙂 thank you for looking into it

Torsten Dittmann
1 Jun, 2023, 16:31

worst case might be a release very early tomorrow, little bit time constraint right now with QA etc 🙂

bopr
1 Jun, 2023, 16:33

It's no rush I really appreciate the help

bopr
3 Jun, 2023, 17:52
  • updated my docker-compose versions to 1.3.6
  • docker-compose up -d
  • sudo docker compose exec appwrite ssl domain="mydomain.com" Result: [notice] Starting work on (Job{v1-certificates} | ID: 6e3 | CertificatesV1 | [{"project":null,"domain":{"domain":"mydomain.com"},"skipRenewCheck":true}]) Refresh my browser page, the new SSL cert is proudly displayed

@Torsten Dittmann 10/10 your fix worked on the first try Thank you @Steven for helping me with the route issue, I love you guys!

Reply

Reply to this thread by joining our Discord

Reply on Discord

Recommended threads

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more