Are certificates generated for the autogenerated domains for functions? In the appwrite console, the cert status is generated. However, monitoring the appwrite-worker-certificates there were no logs of the certs being generated. The Functions docs about certificates were also largely referring to the main domain.
My setup: I have a wildcard DNS record on cloudflare for functions (without certs 2nd level subdomain) which is not proxied through cloudflare because of SSL mismatch. I thought since SSL certs are generated by appwrite for the functions it would be 'okay' to access them directly for but the generated function domains are not.
No, Appwrite doesn't actually generate the auto function domain. Cloudflare should be able to handle it all. You may need to enable flexible SSL certificates or something like that in cloudflare
With flexible SSL certs the console fails to load because of 'too many redirects' which seems to be as a result of appwrite's autogenerated cert for _APP_DOMAIN.
NVM it should be full, but not strict
That's what it is currently
Wait I'm confused about your setup...do you have certs on cloudflare?
Cloudflare's free tier provides free SSL certs for the root domain and any first level subdomains. That is:
mydomain.com ----> OK
appwrite.mydomain.com ----> OK
sample.appwrite.mydomain.com ----> N/A on free tier
and my functions DNS entry is *.appwrite.mydomain.com which makes all generated function domains e.g. func1.appwrite.mydomain.com not available for SSL certs when proxied through cloudflare and also results in ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when accessing functions via the url. So my thinking was if appwrite's traefik service generates SSL certs for the functions then it'll still be 'secure' even when it's not proxied through cloudflare but the function domains are not "secured".
The reason I thought it'd work is because the SSL generated by appwrite's traefik service still works for the _APP_DOMAIN i.e. appwrite.mydomain.com even when the DNS record is not proxied through cloudflare. I thought it'd be the same for functions
I see so you're not using cloudflare's certificate
Appwrite doesn't generate certificates for auto generated function domains
You can either manually generate it or configure traefik to generate the certificate.
Maybe this will help: https://doc.traefik.io/traefik/https/acme/
I had hoped that wasn't the case. I really don't want to modify the default compose file.
I had already planned to have another separate Traefik service proxying to appwrite and my other services, maybe it's time to revisit it
Thanks Steve
I don't suggest modifying the existing compose file. Instead, extend services using a docker-compose.yml file
I've used nginx proxy manager (NPM) in front of Appwrite and NPM can be configured to generate those let's encrypt certificates
I actually initially tried nginx (not NPM) but switched to traefik because it seemed easier and also to learn more about it since that's what appwrite uses in case I need to heavily customize it. Thus, I haven't really given NPM much thought even though I now realize it's also easy (maybe more so than traefik)
Thanks, I'll try that. If there's no success I'll go with NPM
[SOLVED] A question about function domain certificates
This is what I do now, but I’m thinking about moving away from Traefik
I'm still trying to get it to work. Do you mind sharing how you got it to work?
Will do if I remember next time I’m at the computer. Will probably be tomorrow sometime
All right, thanks