
Selfhost net::ERR_CERT_AUTHORITY_INVALID

  • 0
  • Self Hosted
nachol_
1 Jan, 2025, 19:23

I have a self-hosted Appwrite instance.

It worked perfectly when _APP_OPTIONS_FORCE_HTTPS=disabled, but it returns that error when _APP_OPTIONS_FORCE_HTTPS=enabled.

I have my domain with Cloudflare and already disabled the Cloudflare proxy because it returns a CORS error.

TL;DR
Developers are having issues with self-hosting Appwrite and encountering net::ERR_CERT_AUTHORITY_INVALID errors when using the Force HTTPS option. The solution involves setting up a public-facing domain, ensuring proper environment variables are set, like _APP_ENV and _APP_SYSTEM_SECURITY_EMAIL_ADDRESS, and making sure Let's Encrypt auto-generates the TLS certificates. A workaround is using a separate subdomain or a custom certificate or proxy server. In some cases, disabling the Cloudflare proxy might resolve CORS errors.
WhMonkey
1 Jan, 2025, 19:42

Do you have an SSL cert?

WhMonkey
1 Jan, 2025, 19:43

Let's Encrypt, for instance

nachol_
1 Jan, 2025, 19:51

Is it not auto-generated?

WhMonkey
1 Jan, 2025, 19:52

Don't think so, no.

nachol_
1 Jan, 2025, 19:54

But it says so in the docs

nachol_
1 Jan, 2025, 19:54

"Appwrite uses Let's Encrypt to auto-generate TLS certificates"

nachol_
1 Jan, 2025, 19:54

"Appwrite auto-generates a certificate for your main domain when you first visit"

WhMonkey
1 Jan, 2025, 19:55

If you set it up

WhMonkey
1 Jan, 2025, 19:55

"You need to use a public-facing domain with a known TLD pointing to your Appwrite instance.

Your _APP_ENV environment variable should be set for production mode. The default Appwrite setup comes with this predefined setting, so you should be OK unless you change it.

You need to ensure you have a valid email address set on _APP_SYSTEM_SECURITY_EMAIL_ADDRESS. The default setup comes with certs@appwrite.io as the default value. While this address will work, it's recommended to change it to your own email.

Currently, Appwrite is using the ACME HTTP challenge to issue a TLS certificate. This forces us to generate certificates for port 443 when the challenge itself is performed on port 80. At this point, other ports will not work. To overcome this limit, you can set Appwrite on a separate sub-domain or use your own certificate or proxy server in front of Appwrite."

WhMonkey
1 Jan, 2025, 19:55

You need to set up all of that first

nachol_
1 Jan, 2025, 19:56

I have those env vars set up

WhMonkey
1 Jan, 2025, 19:58

And you have all of your domains pointing to what they should?

nachol_
1 Jan, 2025, 19:58

Yes, I think so, it's the first thing I did

WhMonkey
1 Jan, 2025, 19:59

Run docker compose logs appwrite-worker-certificates
